Every once in a while (not too often) I leave the house without my trusty laptop or maybe I’m just in a place with no wifi available to me. In such cases I sometimes need access to one of my servers or perhaps just my e-mail, but I’ve always felt uncomfortable entering my password on strange computers, especially ones running Windows. You never know what kind of key loggers or other kinds of spyware they might be infected with. Every time I’ve done it, I’ve always changed my password on said servers the next time I’m using my own laptop which I quite trust. This procedure gets quite annoying. Enter OPIE.

OPIE

OPIE is a free implementation of the S/KEY (one time password) specifications (RFC 1760 and RFC 2289). The idea is that each password is only usable once so it doesn’t matter if anyone grabs it as it’ll be useless when they try to use it.

Setting it up was quite simple:

• Install the opie-server package.
• Add pam_opie to your pam configuration. If you haven’t tweaked your pam configuration at all, you can just copy /usr/share/doc/libpam-opie/examples/pam.d/common-auth to /etc/pam.d/common-auth. You’ll still be able to log in as you’ve always done it, but also with your shiny new one-time-password setup.
• Now, as your regular user, run opiepasswd. You’ll see a prompt like this:

  Adding sh:
  You need the response from an OTP generator.
  New secret pass phrase:
          otp-md5 499 bi0617
          Response:

  Now, in another terminal, run the command shown (in this case otp-md5 499 bi0617). This will look something like this:

  $ otp-md5 499 bi0617
  Using the MD5 algorithm to compute response.
  Reminder: Don't use opiekey from telnet or dial-in sessions.
  Enter secret pass phrase:
  DARE LAID BUM TAB PI BURY
  

  Your passphrase will have to be 10 characters or more. Now, enter that (“DARE LAID BUM TAB PI BURY”) into the opiepasswd session from before.

  Adding sh:
  You need the response from an OTP generator.
  New secret pass phrase:
          otp-md5 499 bi0617
          Response: DARE LAID BUM TAB PI BURY
  
  ID test OTP key is 499 bi0617
  DARE LAID BUM TAB PI BURY

  And that’s it. From now on, you can log in using these one time passwords. Try su - yourusername and just press enter on the well-known “password:” prompt, and you’ll be prompted for a one-time-password.

All that’s left is a way to get your hands on these one-time passwords when you need them. You can either use the otp-md5 tool to generate a bunch of passwords, print them, and carry them with you (see the man page for otp-md5 for details on the -n option), or you can install a generator on your mobile phone (there are several options available) or your Nokia 770 if you are lucky enough to own one of those.

imapproxy

As I mentioned in the beginning, I needed this for webmail, but as you might know, when using PHP based webmail systems every page load means a new login to the IMAP server, but when your passwords are only good for one login, you’re not going to have a very enjoyable experience with this setup. But if we add imapproxy to the mixture we’re back in business.

imapproxy was created to offload imap servers from these excessive logins, but at the same time, it resolves our problem. When connecting for the first time, imapproxy passes your authentication credentials on to the imap server, and if succesfully authenticated, it remembers your password for a configurable amount of time while keeping the connection to the imap server open… so the webmail app will keep using your (almost-but-not-quite-)one-time password to authenticate against imapproxy. Make sure you configure a relatively short cache_expiration_time so that the window of opportunity for an attacker is as narrow as possible. I’ve set it to 70 seconds since my webmail system refreshes every minute, so 70 seconds leaves a bit of time for different delays and such.

A word of warning:If you’re writing an e-mail from the webmail system, it might not be refreshing every minute anymore, so if you’re writing a long e-mail, make sure you do it in a different window so that when you click send, you won’t be rejected because the connection from your imapproxy to your imap server has been dropped and hence your password has expired.

The configuration file for imapproxy is heavily commented, but here’s is mine(stripped for comments and blank lines) if you’re interested:

server_hostname localhost
cache_size 3072
listen_port 144
listen_address 127.0.0.1
server_port 143
cache_expiration_time 70
proc_username nobody
proc_groupname nogroup
stat_filename /var/run/pimpstats
protocol_log_filename /var/log/imapproxy_protocol.log
syslog_facility LOG_MAIL
send_tcp_keepalives no
enable_select_cache no
foreground_mode no
force_tls no
enable_admin_commands no

Launchpad can be a hassle to navigate at times, so I figured I’d share a little gem with you. Every once in a while, there’s a bug in an Ubuntu package. Yes, hard to believe, but it’s true. To figure out exactly when it broke it sometimes helps to be able to install previus versions of a package to determine when the issue arose, but what if the package has been removed from the archives? Here’s the trick:

1. Figure out the name of the source package. http://packages.ubuntu.com/ can help you there. The bottom of each binary package page lists — among other things — the name of the source package.
2. Go to Ubuntu’s Launchpad page (remember, Launchpad is not only for Ubuntu).
3. In the search field, enter the name of the source package. E.g. “firefox”.
4. This gives you a list of possible matches. Select the right one.
5. Find the version you’re interested in in the table and click the version number (the far right column).
6. You’ll see a list of binary packages generated by this source package. On the left, there’s a box that says “Builds of sourcepackagename – version” with each of the relevant architectures’ build results. Click the architecture you’re running.
7. You’ll see some info relating to the build of the package (which server built it, how long did it take, when was it done, etc.). On the right, there’s a box containing a list of the resulting binary package. Select the one, you’re looking for.
8. There! At the top, there’s a download link for the deb. Mind you, you’re on your own with regard to managing dependencies.

Oh, and per request I’ve added myself to the planet. Yay!

I noticed that otp challenges get highlighted in gnome-terminal:
After a bit of digging in the source, it turns out that if you hold down CTRL while clicking the challenge, a window comes up allowing you to enter your password. The resulting passphrase will be sent to the terminal. Nice…