This is an implementation of the ideas described at http://wiki.laptop.org/go/XS_Blueprints:OTP_root_passwords
There's an RPM at http://xs-dev.laptop.org/xsrepos/testing/olpc/9/i386/xs-otp-0.4-1.xs9.noarch.rpm and a repository at http://dev.laptop.org/git?p=users/dbagnall/xs-otp.git;a=summary

It uses the patched version of the pam_sotp rpm I wrote about earlier today.

This version shouldn't be considered to be very well tested or proven, considering it meddles with your root login.

The README is below.

douglas

++++++++++++++++

XS-OTP
======

This package provides short term passwords for the OLPC XS root user.

Upon installation, nothing happens. Thereafter nothing will happen unless the file /etc/xs-otp/allow-otp-password-via-usb exists. If it does, and you attach a USB drive containing special files, the root password is removed and replaced by a series of week-long passwords.

The passwords are encrypted using all public keys known to the xs-tools package, and copied to the USB drive and also into the web tree at http://schoolserver/passwords.pgp. If the USB stick has additional keys on it which are signed by a known key, the passwords are encrypted for those too.

How to enable xs-otp passwords
==============================

0. Make sure you have a root login on the machine, and keep it open while you do the other steps. Then if something goes wrong you can always back out, and ensure that you can log in again by resetting the password (with passwd). This step will disappear in later releases, but in XS-0.5, xs-otp is quite experimental.

1. Set the magic flag with `touch /etc/xs-otp/allow-otp-password-via-usb`

2. If you want to disable root login via the system password, touch /etc/xs-otp/disable-root-password. This file will eventually exist by default, but for now this option should be used with care. It *could* leave you with no way of logging into the server.

3. Insert a USB drive with a file called "enable-xs-otp-passwords" in its root directory.
The USB drive can optionally have any of these other special files and directories:

./entropy/ -- a directory containing randomly generated files. If this exists, one of the files will be added to the system's entropy pool and deleted.

./extra-xs-otp-keys/ -- a directory containing public gpg keys (in PEM format) which have been signed by keys that the XS already knows. The signatures should be detached, with a '.sig' suffix.

4. Done, almost. Before logging out, please check that you can log in with the one time passwords. To do this you'll need to decrypt the list of passwords using a private key that corresponds with a public key known by the XS. Open a new console (using something like control-alt-F3) and log in as root with the first password on the list. If you disabled the normal password in step 2, try that too and make sure it fails.

The passwords
=============

By default xs-otp generates 520 8-character passwords containing a mixture of letters, numbers and some punctuation. The passwords are saved in an ordered list, like this:

[01] kL9-E*Lf
[02] eYsr!X7y
[03] 5NSBWLTs
[04] UpxCEBtn
[05] K83yrekW
[06] MA-jbzn'
[07] caH7u8K7
[...]

And this file is encrypted.

Each password lasts for a week from its first use. That means a technician in the field can get practically any job done with a single password.

The login prompt will ask for a numbered password, like this:

schoolserver login: root
One time password [04]:

This means it wants password 4 from the list. But if it is less than a week since you first logged in with password 3, then password 3 will still work (as would passwords 1 and 2, if they were similarly recent).

_______________________________________________
Server-devel mailing list
[email protected]
http://lists.laptop.org/listinfo/server-devel
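An added example, in Python, of the list format and the week-from-first-use acceptance rule described in the README above. This is not code from xs-otp or pam_sotp: it assumes a server-side model in which the login prompt names the lowest password that has never been used and advances once that password has been used, with each password's first-use time recorded so that earlier passwords keep working for a week. The GPG encryption of the list to the known keys is not shown, and the passwords in the demo are constructed sample values.

```python
import hmac
import secrets
import string
from datetime import datetime, timedelta

# Letters, digits and a little punctuation, as in the README's sample list.
ALPHABET = string.ascii_letters + string.digits + "-!*'"
PASSWORD_COUNT = 520          # the README's default list size
PASSWORD_LENGTH = 8           # the README's default password length
VALIDITY = timedelta(days=7)  # each password works for a week from first use


def generate_password_list(count=PASSWORD_COUNT, length=PASSWORD_LENGTH):
    """Return [(1, pw1), (2, pw2), ...] drawn from the CSPRNG in `secrets`."""
    return [(i, "".join(secrets.choice(ALPHABET) for _ in range(length)))
            for i in range(1, count + 1)]


def format_password_list(entries):
    """Render the list the way the README shows it: one '[01] kL9-E*Lf' per line.
    This is the plaintext that xs-otp then encrypts to the known keys (that
    step is outside this example)."""
    return "\n".join(f"[{i:02d}] {pw}" for i, pw in entries)


def _same(a, b):
    """Constant-time string comparison; encode so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class OtpVerifier:
    """Assumed server-side model of the login check (not pam_sotp's own logic):
    the prompt names the lowest never-used password; using it records a
    first-use time and moves the prompt on; any earlier password is still
    accepted while its own week has not run out."""

    def __init__(self, entries):
        self.passwords = dict(entries)  # number -> password
        self.first_used = {}            # number -> datetime of first success
        self.current = 1                # the number the prompt asks for

    def prompt(self):
        if self.current > len(self.passwords):
            return "One time password list exhausted"
        return f"One time password [{self.current:02d}]:"

    def verify(self, candidate, now):
        """Return True if `candidate` is accepted at time `now`."""
        # Case 1: the password the prompt asked for. First use starts its week.
        if self.current in self.passwords and _same(candidate, self.passwords[self.current]):
            self.first_used[self.current] = now
            self.current += 1
            return True
        # Case 2: an earlier password whose week is not over yet. Every live
        # entry is compared (no early exit) so a rejection takes the same time
        # regardless of which numbers are still valid.
        accepted = False
        for number, started in self.first_used.items():
            live = now - started < VALIDITY
            match = _same(candidate, self.passwords[number])
            accepted = accepted or (live and match)
        return accepted


if __name__ == "__main__":
    # Constructed sample list and timeline, just for the demonstration.
    sample = [(1, "kL9-E*Lf"), (2, "eYsr!X7y"), (3, "5NSBWLTs")]
    print(format_password_list(sample))
    v = OtpVerifier(sample)
    day0 = datetime(2009, 6, 1)
    for when, pw in [(day0, "kL9-E*Lf"),                       # [01] first use
                     (day0 + timedelta(days=3), "kL9-E*Lf"),   # [01] again, still in its week
                     (day0 + timedelta(days=8), "kL9-E*Lf"),   # [01] expired
                     (day0 + timedelta(days=8), "eYsr!X7y")]:  # [02] first use
        print(v.prompt(), pw, "->", "accepted" if v.verify(pw, when) else "rejected")
```

The prompt number only moves forward on a successful first use, which is what makes the README's "password 3 still works for a week" behaviour fall out of the `first_used` table rather than needing a separate bookkeeping step.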
