Re: [Server-devel] xs-otp: one time passwords for the XS
On Fri, Oct 24, 2008 at 7:33 PM, Michael Stone [EMAIL PROTECTED] wrote:
> Do the XS installation instructions offer any guidance on prohibiting booting with init=/bin/bash, booting from external media, or simply removing the XS hard drive and manipulating it from a separate machine?

Physical security is not our problem... (at least yet).

If an XS deployment can do really custom hw, then we can help them use a scheme similar to what we have on the XO to only boot signed images, to controlled runlevels, etc. But that's unlikely to happen in the near future (AFAIK), so any deployment that wants safety for their XSs will want to consider physical security a must.

cheers,

m
--
[EMAIL PROTECTED]
[EMAIL PROTECTED] -- School Server Architect
- ask interesting questions
- don't get distracted with shiny stuff
- working code first
- http://wiki.laptop.org/go/User:Martinlanghoff

___
Server-devel mailing list
Server-devel@lists.laptop.org
http://lists.laptop.org/listinfo/server-devel
Re: [Server-devel] xs-otp: one time passwords for the XS
On Sun, Oct 26, 2008 at 04:46:17PM +0100, Martin Langhoff wrote:
> On Fri, Oct 24, 2008 at 7:33 PM, Michael Stone [EMAIL PROTECTED] wrote:
>> Do the XS installation instructions offer any guidance on prohibiting booting with init=/bin/bash, booting from external media, or simply removing the XS hard drive and manipulating it from a separate machine?
>
> Physical security is not our problem... (at least yet).

Still sure that you want the XS to be involved in the theft-deterrence protocol? :)

Michael
Re: [Server-devel] xs-otp: one time passwords for the XS
On Sun, Oct 26, 2008 at 12:01 PM, Martin Langhoff [EMAIL PROTECTED] wrote:
> On Sun, Oct 26, 2008 at 4:52 PM, Michael Stone [EMAIL PROTECTED] wrote:
>>> Physical security is not our problem... (at least yet).
>>
>> Still sure that you want the XS to be involved in the theft-deterrence protocol? :)
>
> ... but I'm not aware of any scheme *without* something like bitfrost that has a reasonable cost-benefit (or complexity-benefit) ratio.

Here's a crazy implementation idea for adding pre-boot security code to ANY standard PC platform. Build a basic PCI hardware 'device' card with little more than ROM. When a standard BIOS detects device card ROM, it executes it before even attempting to boot the computer. Glue these cards into a slot in any computer on which you want special pre-boot security...

Note: I have no idea what ROM services are available to device ROMs. For example, can a device ROM call into the BIOS to do disk IO at this point in the boot process? Is there anything that such a card could usefully do with nothing more than its code? What if you add a small amount of battery backed CMOS and an onboard clock chip to the card?

Bill Bogstad
[Server-devel] xs-otp: one time passwords for the XS
This is an implementation of the ideas described at
http://wiki.laptop.org/go/XS_Blueprints:OTP_root_passwords

There's an RPM at
http://xs-dev.laptop.org/xsrepos/testing/olpc/9/i386/xs-otp-0.4-1.xs9.noarch.rpm
and a repository at
http://dev.laptop.org/git?p=users/dbagnall/xs-otp.git;a=summary

It uses the patched version of the pam_sotp rpm I wrote about earlier today.

This version shouldn't be considered to be very well tested or proven, considering it meddles with your root login.

The README is below.

douglas

XS-OTP
======

This package provides short term passwords for the OLPC XS root user.

Upon installation, nothing happens. Thereafter nothing will happen unless the file /etc/xs-otp/allow-otp-password-via-usb exists. If it does, and you attach a USB drive containing special files, the root password is removed and replaced by a series of week-long passwords.

The passwords are encrypted using all public keys known to the xs-tools package, and copied to the USB drive and also into the web tree at http://schoolserver/passwords.pgp. If the USB stick has additional keys on it which are signed by a known key, the passwords are encrypted for those too.

How to enable xs-otp passwords
==============================

0. Make sure you have a root login on the machine, and keep it open while you do the other steps. Then if something goes wrong you can always back out, and ensure that you can log in again by resetting the password (with passwd). This step will disappear in later releases, but in XS-0.5, xs-otp is quite experimental.

1. Set the magic flag with `touch /etc/xs-otp/allow-otp-password-via-usb`

2. If you want to disable root login via the system password, touch /etc/xs-otp/disable-root-password. This file will eventually exist by default, but for now this option should be used with care. It *could* leave you with no way of logging into the server.

3. Insert a USB drive with a file called enable-xs-otp-passwords in its root directory.

   The USB drive can optionally have any of these other special files and directories:

   ./entropy/ -- a directory containing randomly generated files. If this exists, one of the files will be added to the system's entropy pool and deleted.

   ./extra-xs-otp-keys/ -- a directory containing public gpg keys (in PEM format) which have been signed by keys that the XS already knows. The signatures should be detached, with a '.sig' suffix.

4. Done, almost. Before logging out, please check that you can log in with the one time passwords. To do this you'll need to decrypt the list of passwords using a private key that corresponds with a public key known by the XS. Open a new console (using something like control-alt-F3) and login with root and the first password on the list. If you disabled the normal password in step 2, try that too and make sure it fails.

The passwords
=============

By default xs-otp generates 520 8-character passwords containing a mixture of letters, numbers and some punctuation. The passwords are saved in an ordered list, like this:

[01] kL9-E*Lf
[02] eYsr!X7y
[03] 5NSBWLTs
[04] UpxCEBtn
[05] K83yrekW
[06] MA-jbzn'
[07] caH7u8K7
[...]

And this file is encrypted.

Each password lasts for a week from its first use. That means a technician in the field can get practically any job done with a single password.

The login prompt will ask for a numbered password, like this:

schoolserver login: root
One time password [04]:

This means it wants password 4 from the list. But if it is less than a week since you first logged in with password 3, then password 3 will still work (as would password 1 and 2, if they were similarly recent).
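The "numbered password, valid for a week from first use" policy in the README above, modelled as an added example. This is not xs-otp's or pam_sotp's own code: the server-side store keeps only salted PBKDF2 hashes of the list plus each password's first-use time, the prompt asks for the lowest never-used number, and any password matches again only while its first use is less than seven days old. The sample list, salt and hashing parameters are this example's assumptions.

```python
# Added example (not xs-otp's or pam_sotp's own code): a model of the
# numbered one-time-password policy the README describes. The password
# list, the hashing scheme and the state layout are assumptions.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

WEEK = timedelta(days=7)

# Constructed sample list in the README's "[NN] password" layout.
SAMPLE_LIST = """\
[01] kL9-E*Lf
[02] eYsr!X7y
[03] 5NSBWLTs
[04] UpxCEBtn
"""


def parse_password_list(text):
    """Parse '[NN] password' lines into {number: password}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        num, pw = line.split(" ", 1)
        table[int(num.strip("[]"))] = pw
    return table


class OtpStore:
    """Server-side state: salted hashes of the passwords (never the
    plaintext) plus the time each one was first used successfully."""

    def __init__(self, passwords, salt=None):
        self.salt = salt if salt is not None else secrets.token_bytes(16)
        self.hashes = {n: self._hash(pw) for n, pw in passwords.items()}
        self.first_used = {}  # number -> datetime of first successful login

    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def next_number(self):
        """The number the login prompt asks for: the lowest never-used one."""
        return min(n for n in self.hashes if n not in self.first_used)

    def verify(self, number, candidate, now):
        """Accept password `number` if it matches and is either unused or was
        first used less than a week ago; reject anything else."""
        digest = self.hashes.get(number)
        if digest is None:
            return False
        # Constant-time comparison of the stored and candidate digests.
        if not hmac.compare_digest(digest, self._hash(candidate)):
            return False
        first = self.first_used.get(number)
        if first is None:
            self.first_used[number] = now  # the week starts now
            return True
        return now - first < WEEK


def demo():
    """Walk through the README's scenario with fixed timestamps and return
    the sequence of outcomes so the behaviour can be checked."""
    store = OtpStore(parse_password_list(SAMPLE_LIST), salt=b"constructed-salt")
    t0 = datetime(2008, 10, 26, 12, 0)
    return (
        store.next_number(),                                   # 1: prompt asks for [01]
        store.verify(1, "kL9-E*Lf", t0),                       # True: first use
        store.next_number(),                                   # 2: prompt moves on
        store.verify(1, "kL9-E*Lf", t0 + timedelta(days=6)),   # True: still inside the week
        store.verify(1, "kL9-E*Lf", t0 + timedelta(days=7)),   # False: week is over
        store.verify(2, "wrong-pw", t0),                       # False: wrong password
        store.next_number(),                                   # 2: failed attempt changes nothing
        store.verify(99, "kL9-E*Lf", t0),                      # False: no such number
    )


if __name__ == "__main__":
    print(demo())
```

Because the clock on the server decides when a week has elapsed, the first-use timestamp belongs with the hash in persistent state, not in memory; a store that forgot first-use times on reboot would silently reopen every expired password.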
Re: [Server-devel] xs-otp: one time passwords for the XS
Michael Stone [EMAIL PROTECTED]:
>> 2. If you want to disable root login via the system password, touch /etc/xs-otp/disable-root-password. This file will eventually exist by default, but for now this option should be used with care. It *could* leave you with no way of logging into the server.
>
> Do the XS installation instructions offer any guidance on prohibiting booting with init=/bin/bash, booting from external media, or simply removing the XS hard drive and manipulating it from a separate machine?

No. The correct sentence would be more like "it could make logging in a nuisance, and cause you to hate this package and/or ask for extra support". I'll modify it.

>> By default xs-otp generates 520 8-character passwords containing a mixture of letters, numbers and some punctuation. The passwords are saved in an ordered list, like this:
>
> How many bits of entropy per password? (All the examples you showed were printable ASCII so I assume that there are less than 64 bits of entropy per password.)

There are 8 characters from an alphabet of 64, so 48 bits per password. I'd be happy to increase the length but not the alphabet: the selection is made with modulus on a byte, so it needs to be a power of 2 or you get an uneven distribution.

Douglas
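The entropy arithmetic and the "alphabet size must be a power of 2" point from the reply above, worked through as an added example. This is not xs-otp's generator: it reduces one random byte per character modulo the alphabet size, computes the resulting bits of entropy, shows by exact counting over all 256 byte values that a 64-symbol alphabet is uniform while a 70-symbol one is not, and shows the rejection-sampling alternative (secrets.choice) that would allow a longer alphabet without bias. The specific 64-symbol alphabet and the list layout are assumptions.

```python
# Added example (not xs-otp's own code): why "byte mod alphabet size" is
# uniform only when the alphabet size divides 256, what the entropy works
# out to, and how rejection sampling lifts the restriction. The alphabet
# below is an assumption; the thread only says "letters, numbers and
# some punctuation".
import math
import os
import secrets
import string
from collections import Counter

# 64 symbols: 26 + 26 + 10 letters/digits plus two punctuation marks.
ALPHABET64 = string.ascii_letters + string.digits + "-*"
assert len(ALPHABET64) == 64


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks."""
    return length * math.log2(alphabet_size)


def byte_mod_distribution(alphabet_size):
    """Exact hit count for each alphabet index when a uniform byte (0..255)
    is reduced with `% alphabet_size`. Uniform iff 256 % alphabet_size == 0."""
    return Counter(b % alphabet_size for b in range(256))


def is_uniform_under_byte_mod(alphabet_size):
    """True when every index receives the same number of byte values."""
    return len(set(byte_mod_distribution(alphabet_size).values())) == 1


def gen_password_byte_mod(alphabet, length):
    """The scheme described in the thread: one random byte per character,
    reduced modulo the alphabet size. Refuses alphabets that would bias it."""
    if 256 % len(alphabet) != 0:
        raise ValueError("alphabet size must divide 256 for byte-mod selection")
    raw = os.urandom(length)
    return "".join(alphabet[b % len(alphabet)] for b in raw)


def gen_password_unbiased(alphabet, length):
    """Alternative without the power-of-two restriction: secrets.choice
    uses rejection sampling, so any alphabet size is selected uniformly."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def format_password_list(passwords):
    """Render passwords in the README's numbered '[NN] password' layout."""
    width = len(str(len(passwords)))
    return "\n".join(f"[{i:0{width}d}] {pw}" for i, pw in enumerate(passwords, 1))


if __name__ == "__main__":
    print(f"64-symbol alphabet, 8 chars: {entropy_bits(64, 8):.0f} bits")
    print("byte % 64 uniform:", is_uniform_under_byte_mod(64))
    print("byte % 70 uniform:", is_uniform_under_byte_mod(70))
    print(byte_mod_distribution(70).most_common(3))  # indices 0..45 get 4 hits, 46..69 get 3
    print(format_password_list([gen_password_byte_mod(ALPHABET64, 8) for _ in range(5)]))
```

For a 70-symbol alphabet, 256 = 3 * 70 + 46, so indices 0 through 45 are produced by four byte values each and the remaining 24 by three; `byte_mod_distribution(70)` makes that skew visible without any randomness. Lengthening the password is the bias-free way to add bits while keeping byte-mod selection, which is the trade-off the reply describes.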