One-time passwords

I read a blog post via Planet Ubuntu not long ago about using OTPs.  I had looked at things like OPIE in the past, but the idea of carrying around a pre-generated list of passwords was not so encouraging.  I changed my mind when I saw that ingenious folks have written J2ME midlets for running the password generator on your phone!

I went looking at a couple of the generators mentioned in Soren’s article.  Freesafe looks very nice, with the ability to securely store the passphrases for a number of hosts separately.  It has a lot of features, but the developers have had to sacrifice generation of the “six words” format of the one-time password.  Since you enter the OTP at a traditional no-echo prompt, the idea of typing a long OTP in hex digits was not appealing, so I kept looking.

Eventually I found one called vejotp (the similarity to my moniker is coincidental; I’m not associated with it at all!).  It remembers your passphrase and sequence number, so each time you need an OTP you just hit the “Go” button and it gives you the goods.  It only remembers the details of one server though — so if you have more than one system protected with one-time passwords, vejotp is not really for you (unless you like tapping out strong passphrases in predictive text!).

Soren’s post has more info about how he set it up on Ubuntu — for me it was as easy as adding the “skey” USE flag and re-emerging openssh, making sure that brought in the skey package if it wasn’t already there.  Then, I updated sshd_config to “ChallengeResponse yes” and “UsePAM no”, restarted sshd, and the setup was complete.  Each user would then run skeyinit to seed their OTP generation.
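To make clear what skeyinit, the phone generator and sshd are actually agreeing on, here is a small model of the RFC 2289 (S/Key-style) otp-md5 scheme: the generator side, and the server record that skeyinit creates and that each login advances. This is an added example written for this post, not code from skey, OpenSSH, Freesafe or vejotp; the `OtpAccount` class, its method names and the sample passphrase and seed are assumptions made here, and the six-word output format is left out because it needs the RFC's 2048-word dictionary.

```python
"""RFC 2289 (S/Key-style) one-time passwords: generator and server-side
check, written as a minimal reference model (added example, not skey's code)."""
import hashlib
import hmac


def _fold_md5(data: bytes) -> bytes:
    """otp-md5 step from RFC 2289: MD5, then XOR the two 8-byte halves to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """64-bit OTP for sequence number `count`.

    S = fold(passphrase || lowercase(seed)); the fold is then applied
    `count` more times, so OTP(n) is always the hash of OTP(n-1).
    """
    if not 4 <= len(passphrase) <= 63:
        raise ValueError("RFC 2289 passphrases are 4..63 characters")
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("RFC 2289 seeds are 1..16 alphanumeric characters")
    value = _fold_md5((passphrase + seed.lower()).encode("ascii"))
    for _ in range(count):
        value = _fold_md5(value)
    return value


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hexadecimal output form, grouped in fours the way the RFC prints it."""
    h = otp_md5(passphrase, seed, count).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


class OtpAccount:
    """What the server keeps per user after skeyinit (hypothetical class):
    a sequence number, the seed, and the last accepted OTP. No passphrase
    is stored, so a copy of this record does not let anyone log in."""

    def __init__(self, passphrase: str, seed: str, count: int):
        # Initialisation is the only time the passphrase is seen; it is
        # used once to compute OTP(count) and then discarded.
        self.seed = seed
        self.count = count
        self.last = otp_md5(passphrase, seed, count)

    def challenge(self) -> str:
        """The prompt the user sees, e.g. 'otp-md5 99 TeSt'."""
        return f"otp-md5 {self.count - 1} {self.seed}"

    def login(self, response_hex: str) -> bool:
        """Accept iff hash(response) equals the stored OTP(count), then advance
        the record, so the same response is never accepted twice."""
        if self.count < 1:
            return False  # sequence exhausted: the user must re-run skeyinit
        try:
            presented = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(presented) != 8:
            return False
        if not hmac.compare_digest(_fold_md5(presented), self.last):
            return False
        self.last = presented
        self.count -= 1
        return True


if __name__ == "__main__":
    # Constructed sample values: the passphrase/seed pair from RFC 2289's
    # test vectors, with a sequence number of 100.
    acct = OtpAccount("This is a test.", "TeSt", 100)
    print("prompt :", acct.challenge())
    response = otp_hex("This is a test.", "TeSt", 99)   # what the phone shows
    print("answer :", response)
    print("login  :", acct.login(response))
    print("replay :", acct.login(response))              # same OTP again
```

The record holds only OTP(n), and a valid login must present OTP(n-1), whose hash is OTP(n); because OTP(n-1) cannot be derived from OTP(n) without the passphrase, neither the record nor a captured response gives an attacker the next password, which is why this works over a plain prompt. RFC 2289 Appendix C lists test vectors for this passphrase and seed against which `otp_hex` can be checked. One detail for the sshd side: the directive that enables the challenge prompt in sshd_config is spelled `ChallengeResponseAuthentication`.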

The nice thing is that passwordless login using SSH keys still works, so I can use the existing method of key-based login from inside the network, and OTP when I’m out-and-about.

Soren also describes a way to use OTP for mail access using IMAP and a utility called imapproxy.  Well worth the read!
