<!doctype html>
<html class="no-js" lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Using OPIE - Apache Infrastructure</title>
<link rel="stylesheet" href="/theme/css/foundation.css">
<link rel="stylesheet" href="/theme/css/app.css">
<link rel="stylesheet" href="/theme/css/font-awesome.min.css">
<style type="text/css">
.frontbox {
border-radius: 8%;
border: 1px solid #999; background: #444; color: #EEE; padding: 6px; margin: 3px;
}
.frontbox:hover {
border-top: 4px solid #1583CC;
margin-top: 0px;
cursor: pointer;
}
.clickable {
/* height was reduced by 40% */
height: 60%;
width: 30%;
position: absolute;
z-index: 1;
}
</style> </head>
<body style="background: #C9B191;">
<!-- contents -->
<div class="row">
<div class="large-12 columns">
<div class="callout">
<h2>
Using OPIE
</h2>
<p>This document covers the setup and use of OPIE (One-time Passwords In Everything). This is
a mechanism used by the ASF so that a sudo password which is intercepted, or erroneously
pasted into the wrong prompt on the remote machine, cannot be reused.</p>
<p>Note: FreeBSD uses <code>opiepasswd</code>; Ubuntu VMs use <code>ortpasswd</code> (part of Orthrus) instead.</p>
<p>All users in the wheel group (or in the $machine-sudoers in LDAP) have sudo access.
In order to use sudo, a user <strong>must
configure OPIE</strong> by running <code>opiepasswd</code> on the remote machine.</p>
<h1>Getting an OPIE client for your computer</h1>
<p>Using OPIE requires having an OPIE (S/Key) client on the local (trusted) machine. Some OPIE clients are:</p>
<ul>
<li>Debian/Ubuntu: See <a href="http://ubuntuforums.org/showthread.php?t=1891356">this forum thread</a></li>
<li>Browser-based: <a href="/committer/otp-md5">otp-md5 tool in JavaScript</a></li>
<li>SkeyCalc (Mac OS X)</li>
<li>Orthrus (Unix-like; portable)</li>
<li>FreeBSD: opiekey(1) is part of the base system</li>
<li>donkey (Debian package <code>donkey</code>). Note: use the <code>-f</code> option to set the hash type, usually <code>donkey -f md5</code></li>
</ul>
<h1>Setting up OPIE:</h1>
<ol>
<li>pick a good passphrase, between 10 and 127 characters long.</li>
<li>never expose it to the net, <strong>never type it on the remote machine</strong></li>
<li>run <code>opiepasswd</code> (or <code>ortpasswd</code>) on the remote machine you wish to get sudo access to.</li>
<li>that will prompt you with an OTP challenge, for instance: <code>otp-md5 fo1834 470</code></li>
<li>take that challenge string and run it <strong>locally on your workstation</strong></li>
<li>enter your passphrase at the <strong>local prompt</strong> from step 5</li>
<li>repeat steps 5 and 6 until you are <em>certain</em> you entered your passphrase correctly</li>
<li>paste the resulting six-word response into the challenge prompt from step 4. If you get a 20014 error,
you have entered your passphrase remotely by mistake; please contact infra if so.</li>
<li>have someone add you to the 'wheel' group</li>
<li>run sudo</li>
<li>that will prompt you with an OTP challenge</li>
<li>repeat steps 5 to 8</li>
<li>get root</li>
</ol>
<h1>An example:</h1>
<h2>Remote machine you want to get sudo access to:</h2>
<pre><code>foo@test-vm.apache.org# opiepasswd
You need the response from an OTP generator.
New secret pass phrase:
otp-md5 499 fo4576 &lt;-- COPY THIS STRING
Response:
</code></pre>
<h2>Local machine:</h2>
<pre><code>$ otp-md5 499 fo4576
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: foobarbaztwothirty
WERE GAIL THUG CEIL VIE TWO &lt;-- COPY THESE WORDS
</code></pre>
<h2>Remote machine:</h2>
<pre><code> Response: WERE GAIL THUG CEIL VIE TWO
root@test-vm.apache.org #
</code></pre>
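<p>The following is an added example, not code from this page or from OPIE/Orthrus: a minimal RFC 2289 <code>otp-md5</code> generator together with the server-side check, showing why the response you paste into the remote prompt is safe to expose while the passphrase is not. The six-word output needs the RFC 2289 dictionary, so the block uses the RFC's hexadecimal form instead; the passphrase, seed and count are the ones from the example above.</p>

```python
# Added example (not from the Apache Infrastructure page): a minimal
# RFC 2289 "otp-md5" generator plus the server-side check.
import hashlib


def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    """Return the 64-bit one-time password for (passphrase, seed, count).

    RFC 2289: MD5(lowercase(seed) + passphrase), folded to 8 bytes by
    XOR of the two halves, then re-hashed and folded `count` more times.
    """
    def fold(digest: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

    key = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        key = fold(hashlib.md5(key).digest())
    return key


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Hex form of the response (the RFC 2289 alternative to six words)."""
    return otp_md5(passphrase, seed, count).hex().upper()


def server_verify(stored: bytes, response: bytes) -> tuple:
    """Server check for challenge N-1 when the value on file is OTP(N).

    Hashing the response once must reproduce what is stored. On success
    the server replaces the stored value with the response, so the same
    response is never accepted twice: an intercepted or mis-pasted
    response is useless for a later login. Returns (ok, new_stored).
    """
    digest = hashlib.md5(response).digest()
    candidate = bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))
    if candidate == stored:
        return True, response
    return False, stored


def demo() -> bool:
    """Walk through opiepasswd (init at count 499) and one sudo login (498)."""
    phrase, seed = "foobarbaztwothirty", "fo4576"  # values from the page's example
    stored = otp_md5(phrase, seed, 499)            # what opiepasswd records
    ok, stored = server_verify(stored, otp_md5(phrase, seed, 498))
    replayed, _ = server_verify(stored, otp_md5(phrase, seed, 498))
    return ok and not replayed


if __name__ == "__main__":
    print(otp_hex("This is a test.", "TeSt", 0), demo())
```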
<h2>Video Tutorial</h2>
<p><video controls src="https://home.apache.org/~gmcdonald/using_opie_orthrus.mov"><a href="https://home.apache.org/~gmcdonald/using_opie_orthrus.mov">Setting up Orthrus using SKeyCalc on Mac</a>
</video></p>
</div>
</div>
</div>
</div>
<!-- footer -->
<div class="row">
<div class="large-12 medium-12 columns">
<p style="font-style: italic; font-size: 0.8rem; text-align: center;">
Copyright 2020, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
Apache&reg; and the Apache feather logo are trademarks of The Apache Software Foundation...
</p>
</div>
</div>
<script src="/theme/js/vendor/jquery.js"></script>
<script src="/theme/js/vendor/what-input.js"></script>
<script src="/theme/js/vendor/foundation.js"></script>
<script src="/theme/js/app.js"></script>
</body>
</html>