Using OPIE (One-time Passwords In Everything)

This document covers the setup and use of OPIE (One-time Passwords In Everything). This is the mechanism the ASF uses to ensure that your sudo password is never typed on the remote machine, where it could be intercepted or pasted into the wrong prompt.

Sudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user, by default the superuser.

All users in the $machine-sudoers group in LDAP have sudo access. To use sudo, a user must first configure OPIE by running either opiepasswd (on non-Ubuntu systems) or ortpasswd (on Ubuntu systems) on the remote machine.

Getting an OPIE client for your computer

Using OPIE requires having an OPIE (S/Key) client on the local (trusted) machine. Some OPIE clients are:

  1. Browser-based: otp-md5 tool in JavaScript
  2. SkeyCalc (Mac OS X) Note: this does not run with the very latest Mac OS, as of February 2020
  3. Orthrus (Unix-like; portable)
  4. FreeBSD: opiekey(1) is part of the base system
  5. donkey (Debian package donkey) Note: Use the '-f' option to set the hash type, usually 'donkey -f md5'

Password calculator

You can create a password using Apache's otp-md5 password calculator. The source code is available at infrastructure-otp; the help documentation covers both the why and the how of using the calculator.

Setting up OPIE

Process steps:

  1. Pick a good passphrase (does not have to be your LDAP password, any passphrase will do), between 10 and 127 characters long.
  2. Never expose it to the net, never type it on the remote machine.
  3. Run opiepasswd or ortpasswd on the remote machine you wish to get sudo access to.
  4. That will prompt you with an OTP challenge, for instance (the challenge string is the part after otp-md5, here "470 fo1834"):
    1. otp-md5 470 fo1834
  5. Take that challenge string and run it locally on your workstation, or using the ASF selfserve site.
  6. Enter your passphrase at the local prompt from step 5.
  7. Repeat steps 5 and 6 until you are certain you entered your passphrase correctly.
  8. Paste the resulting six-word response into the challenge prompt from step 4.
    1. If you get a 20014 error, you have entered your passphrase remotely by mistake; please contact infra if so.
  9. Run sudo in a way that will prompt you for an OTP challenge.
  10. Repeat steps 5-8.
  11. Get root.

An Example

Remote machine you want sudo access to

foo@bar.apache.org:~$ ortpasswd #(or opiepasswd)
otp-md5 498 ho106
password:

498 ho106 <-- COPY THIS STRING

Local Machine

$ donkey -f md5 498 ho106
Enter secret pass phrase: foobarbaztwothirty
WERE GAIL THUG CEIL VIE TWO <-- COPY THESE WORDS

Remote Machine

Response: WERE GAIL THUG CEIL VIE TWO
root@bar.apache.org #
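As an added illustration of what the local calculator in steps 5-8 and in the example above actually computes (this code is not from the ASF page, nor from OPIE or donkey), the following Python derives the otp-md5 response from a challenge line of the form "otp-md5 498 ho106". It emits the hex response form defined by RFC 2289 rather than the six-word form, because the six-word encoding needs the RFC's 2048-word dictionary; the challenge regex, the sample passphrase and the low-sequence warning threshold are assumptions made here.

```python
import hashlib
import re

# Assumed shape of the challenge printed by opiepasswd/ortpasswd and sudo;
# only the otp-md5 hash type used on this page is handled.
CHALLENGE_RE = re.compile(
    r"^otp-(?P<algo>md5)\s+(?P<seq>\d+)\s+(?P<seed>[A-Za-z0-9]{1,16})\s*$")


def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 MD5 step: hash, then XOR the two 64-bit halves to 8 bytes."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit one-time password for (seed, sequence) per RFC 2289.

    The seed is case-insensitive and prepended to the passphrase; sequence N
    means N extra rounds after the initial one. Each login uses sequence N-1,
    so the server only ever learns values it cannot run forward into the
    next expected password, and the passphrase itself never leaves this host.
    """
    if not 10 <= len(passphrase) <= 127:  # length rule stated on this page
        raise ValueError("passphrase must be 10..127 characters")
    if not 0 <= sequence <= 9999:
        raise ValueError("sequence number out of range")
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value


def hex_response(otp: bytes) -> str:
    """RFC 2289 hex response format, e.g. '9E87 6134 D904 99DD'."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def answer_challenge(challenge: str, passphrase: str) -> str:
    """Parse a challenge line and return the hex response to paste back."""
    m = CHALLENGE_RE.match(challenge.strip())
    if m is None:
        raise ValueError("not an otp-md5 challenge: %r" % challenge)
    seq = int(m.group("seq"))
    if seq < 10:  # assumed threshold: chain nearly exhausted, re-run opiepasswd
        print("warning: only %d one-time passwords left on this chain" % seq)
    return hex_response(otp_md5(passphrase, m.group("seed"), seq))


if __name__ == "__main__":
    # Constructed challenge in the page's format; the passphrase is made up
    # and, as the page says, must only ever be typed on the local machine.
    print(answer_challenge("otp-md5 498 ho106", "correct horse battery staple"))
```

The RFC 2289 MD5 test vectors (passphrase "This is a test.", seed "TeSt") are a quick way to confirm a calculator before trusting it with a real challenge.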