[Server-devel] xs-otp: one time passwords for the XS

Douglas Bagnall douglas at paradise.net.nz
Fri Oct 24 20:51:38 EDT 2008


Michael Stone <michael at laptop.org>:
>> 2. If you want to disable root login via the system password, touch
>>  /etc/xs-otp/disable-root-password.  This file will eventually exist
>>  by default, but for now this option should be used with care.  It
>>  *could* leave you with no way of logging into the server.
>
> Do the XS installation instructions offer any guidance on prohibiting
> booting with init=/bin/bash, booting from external media, or simply
> removing the XS hard drive and manipulating it from a separate machine?

No.  The correct sentence would be more like "it could make logging in
a nuisance, and cause you to hate this package and/or ask for extra
support".  I'll modify it.

>> By default xs-otp generates 520 8-character passwords containing a
>> mixture of letters, numbers and some punctuation.  The passwords are
>> saved in an ordered list, like this:
>
> How many bits of entropy per password? (All the examples you showed were
> printable ASCII so I assume that there are less than 64 bits of entropy
> per password.)

There are 8 characters from an alphabet of 64, so 48 bits per password.

I'd be happy to increase the length but not the alphabet: the
selection is made with modulus on a byte, so it needs to be a power of
2 or you get an uneven distribution.


Douglas
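
Added example, not part of the original message and not xs-otp's own code: it counts how the 256 byte values land on each index under "byte modulo alphabet size", showing the even spread at 64 symbols (6 bits per character, 48 bits for 8) and the uneven one at 70. The alphabets and function names are constructed for illustration; the rejection-sampling variant goes beyond the post and is one standard way to use a non-power-of-2 alphabet without bias.

```python
import math
import secrets
import string
from collections import Counter

# Constructed alphabets (assumption: the real xs-otp alphabet is not shown in the post).
ALPHABET_64 = string.ascii_letters + string.digits + "+-"
ALPHABET_70 = ALPHABET_64 + "!@#$%^"

def byte_mod_counts(n):
    """How many of the 256 byte values map to each index under byte % n."""
    return Counter(b % n for b in range(256))

def bits_per_char(n):
    """Shannon entropy in bits of one character chosen as byte % n."""
    counts = byte_mod_counts(n)
    return -sum((c / 256) * math.log2(c / 256) for c in counts.values())

def password_mod(alphabet, length=8):
    """Selection as described in the post: random byte modulo alphabet size."""
    n = len(alphabet)
    return "".join(alphabet[b % n] for b in secrets.token_bytes(length))

def password_rejection(alphabet, length=8):
    """Unbiased for any alphabet size: discard bytes that fall in the uneven tail."""
    n = len(alphabet)
    limit = 256 - (256 % n)  # largest multiple of n that fits in one byte
    out = []
    while len(out) < length:
        b = secrets.token_bytes(1)[0]
        if b < limit:
            out.append(alphabet[b % n])
    return "".join(out)

if __name__ == "__main__":
    for n in (64, 70):
        counts = byte_mod_counts(n)
        print(n, "symbols: hits per index range",
              min(counts.values()), "to", max(counts.values()),
              "| bits for 8 chars:", round(8 * bits_per_char(n), 3))
    print("modulo, 64 symbols:   ", password_mod(ALPHABET_64))
    print("rejection, 70 symbols:", password_rejection(ALPHABET_70))
```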

