[Server-devel] xs-otp: one time passwords for the XS

Douglas Bagnall douglas at paradise.net.nz
Fri Oct 24 02:02:23 EDT 2008

This is an implementation of the ideas described at

There's an RPM at
and a repository at

It uses the patched version of the pam_sotp rpm I wrote about earlier

This version shouldn't be considered to be very well tested or proven,
considering it meddles with your root login.  The README is below.




This package provides short term passwords for the OLPC XS root user.

Upon installation, nothing happens.  Thereafter nothing will happen
unless the file /etc/xs-otp/allow-otp-password-via-usb exists.  If it
does, and you attach a USB drive containing special files, the root
password is removed and replaced by a series of week-long passwords.

The passwords are encrypted using all public keys known to the
xs-tools package, and copied to the USB drive and also into the web
tree at http://schoolserver/passwords.pgp.

If the USB stick has additional keys on it which are signed by a known
key, the passwords are encrypted for those too.

How to enable xs-otp passwords

0. Make sure you have a root login on the machine, and keep it open
   while you do the other steps.  Then if something goes wrong you can
   always back out, and ensure that you can log in again by resetting
   the password (with passwd).  This step will disappear in later
   releases, but in XS-0.5, xs-otp is quite experimental.

1. Set the magic flag with `touch /etc/xs-otp/allow-otp-password-via-usb`

2. If you want to disable root login via the system password, touch
   /etc/xs-otp/disable-root-password.  This file will eventually exist
   by default, but for now this option should be used with care.  It
   *could* leave you with no way of logging into the server.

3. Insert a USB drive with a file called "enable-xs-otp-passwords" in
   its root directory.

   The USB drive can optionally have any of these other special files
   and directories:

   ./entropy/ -- a directory containing randomly generated files.  If
          this exists, one of the files will be added to the system's
          entropy pool and deleted.

   ./extra-xs-otp-keys/ -- a directory containing public gpg keys (in
          PEM format) which have been signed by keys that the XS
          already knows.  The signatures should be detached, with a
          '.sig' suffix.

4. Done, almost.  Before logging out, please check that you can log in
   with the one time passwords.  To do this you'll need to decrypt the
   list of passwords using a private key that corresponds with a
   public key known by the XS.  Open a new console (using something
   like control-alt-F3) and login with root and the first password on
   the list.  If you disabled the normal password in step 2, try that
   too and make sure it fails.

The passwords

By default xs-otp generates 520 8-character passwords containing a
mixture of letters, numbers and some punctuation.  The passwords are
saved in an ordered list, like this:

[01] kL9-E*Lf
[02] eYsr!X7y
[03] 5NSBWLTs
[04] UpxCEBtn
[05] K83yrekW
[06] MA-jbzn'
[07] caH7u8K7

And this file is encrypted.

Each password lasts for a week from its first use.  That means a
technician in the field can get practically any job done with a single
password.  The login prompt will ask for a numbered password, like

schoolserver login: root
One time password [04]:

This meas it wants password 4 form the list.  But if it is less than a
week since you first logged in with password 3, then password 3 will
still work (as would password 1 and 2, if they were similarly recent).

More information about the Server-devel mailing list