This document covers the setup and use of OPIE (One-time Passwords In Everything). This is the mechanism used by the ASF to ensure that your sudo password is not intercepted, or erroneously pasted into the wrong prompt, on the remote machine.
Note: Ubuntu VMs use ortpasswd (part of Orthrus) instead of opiepasswd.
All users in the wheel group (or in the $machine-sudoers group in LDAP) have sudo access. In order to use sudo, a user must first configure OPIE by running opiepasswd on the remote machine.
Getting an OPIE client for your computer
Using OPIE requires having an OPIE (S/Key) client on the local (trusted) machine. Some OPIE clients are:
- Debian/Ubuntu: See this forum thread
- SkeyCalc (Mac OS X)
- Orthrus (Unix-like; portable)
- FreeBSD: opiekey(1) is part of the base system
- donkey (Debian package donkey). Note: use the '-f' option to set the hash type, usually 'donkey -f md5'.
Setting up OPIE:
1. Pick a good passphrase, between 10 and 127 characters long.
2. Never expose it to the net, and never type it on the remote machine.
3. Run opiepasswd (or ortpasswd) on the remote machine you wish to get sudo access to.
4. That will prompt you with an OTP challenge, for instance:
   otp-md5 fo1834 470
5. Take that challenge string and run it locally on your workstation, or using this ASF committer site.
6. Enter your passphrase at the local prompt in step 5.
7. Repeat steps 5 and 6 until you are certain you entered your passphrase correctly.
8. Paste the resulting six-word response into the challenge prompt in step 4. If you get a 20014 error, you have entered your passphrase remotely by mistake; please contact infra if so.
9. Have someone add you to the 'wheel' group.
10. Run sudo.
11. That will prompt you with an OTP challenge.
12. Repeat steps 5-8.
13. Get root.
Remote machine you want to get sudo access to:

    # opiepasswd
    You need the response from an OTP generator.
    New secret pass phrase:
    otp-md5 499 fo4576          <-- COPY THIS STRING
    Response:

Local (trusted) machine:

    $ otp-md5 499 fo4576
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: foobarbaztwothirty
    WERE GAIL THUG CEIL VIE TWO  <-- COPY THESE WORDS

Back on the remote machine:

    Response: WERE GAIL THUG CEIL VIE TWO
    #
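As an added example (not part of this ASF page or of the OPIE software), the following Python reproduces the otp-md5 computation from RFC 2289 that sits behind the challenge and response shown above, together with a minimal model of what the remote host stores. It shows why the passphrase only ever needs to be typed on the local machine and why a captured response is useless once it has been used. The passphrase and seed are constructed values taken from the transcript, the host model is an assumption for illustration, and the response is given in hex rather than the six-word form (which needs the RFC 2289 dictionary).

```python
import hashlib

def _fold(digest: bytes) -> bytes:
    # RFC 2289 MD5 folding: XOR the two 64-bit halves of the 128-bit digest.
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5_response(passphrase: str, seed: str, seq: int) -> bytes:
    # Step 0 hashes lowercase(seed) + passphrase; every further step hashes
    # the previous 8-byte result. The response to "otp-md5 <seq> <seed>" is
    # the key after <seq> steps, so the passphrase is only ever used here.
    key = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        key = _fold(hashlib.md5(key).digest())
    return key

def respond(challenge: str, passphrase: str) -> str:
    # Parse the challenge copied from the remote prompt ("otp-md5 499 fo4576")
    # and return the response in hex form (the six-word form is omitted here).
    algo, seq, seed = challenge.split()
    if algo != "otp-md5":
        raise ValueError(f"unsupported OTP algorithm: {algo}")
    return otp_md5_response(passphrase, seed, int(seq)).hex().upper()

class OpieHost:
    """Model of the remote side: it stores only (seq, seed, key_seq), never
    the passphrase, and each successful login walks the chain one step down."""

    def __init__(self, seed: str, seq: int, enrolled_key: bytes):
        # opiepasswd step: the user pastes response #seq and the host keeps it.
        self.seed, self.seq, self.stored = seed, seq, enrolled_key

    def challenge(self) -> str:
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # One more hash step of the offered key must reproduce the stored key.
        key = bytes.fromhex(response_hex)
        if _fold(hashlib.md5(key).digest()) != self.stored:
            return False
        # Accept and rotate: the used key becomes the stored key, so the same
        # response is rejected if an eavesdropper replays it.
        self.stored, self.seq = key, self.seq - 1
        return True

if __name__ == "__main__":
    pw, seed = "foobarbaztwothirty", "fo4576"  # constructed, taken from the transcript above
    host = OpieHost(seed, 499, otp_md5_response(pw, seed, 499))
    chal = host.challenge()
    resp = respond(chal, pw)
    print(chal, "->", resp, "| accepted:", host.verify(resp), "| replay:", host.verify(resp))
```

Note that the host only moves down the chain on a correct response, so a wrong or replayed response leaves the stored key and sequence number untouched.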