| <!doctype html> |
| <html class="no-js" lang="en" dir="ltr"> |
| <head> |
| <meta charset="utf-8"> |
| <meta http-equiv="x-ua-compatible" content="ie=edge"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| <title>Using OPIE - Apache Infrastructure</title> |
| <link rel="stylesheet" href="/theme/css/foundation.css"> |
| <link rel="stylesheet" href="/theme/css/app.css"> |
| <link rel="stylesheet" href="/theme/css/font-awesome.min.css"> |
| <style type="text/css"> |
| .frontbox { |
| border-radius: 8%; |
| border: 1px solid #999; background: #444; color: #EEE; padding: 6px; margin: 3px; |
| } |
| .frontbox:hover { |
| border-top: 4px solid #1583CC; |
| margin-top: 0px; |
| cursor: pointer; |
| } |
| .clickable { |
| /* height was reduced by 40% */ |
| height: 60%; |
| width: 30%; |
| position: absolute; |
| z-index: 1; |
| } |
| </style> </head> |
| <body style="background: #C9B191;"> |
| |
| |
| <!-- contents --> |
| <div class="row"> |
| <div class="large-12 columns"> |
| <div class="callout"> |
| <h2> |
| Using OPIE |
| </h2> |
| <p>This document covers the setup and use of OPIE (One-time Passwords In Everything). This is |
| a mechanism used by the ASF to ensure that your sudo password is not intercepted |
| or pasted into the wrong prompt on the remote machine.</p> |
| <p>Note: FreeBSD uses <code>opiepasswd</code>; Ubuntu VMs use <code>ortpasswd</code> (part of Orthrus) instead.</p> |
| <p>All users in the wheel group (or in the $machine-sudoers in LDAP) have sudo access. |
| In order to use sudo, a user <strong>must |
| configure OPIE</strong> by running <code>opiepasswd</code> on the remote machine.</p> |
| <h1>Getting an OPIE client for your computer</h1> |
| <p>Using OPIE requires having an OPIE (S/Key) client on the local (trusted) machine. Some OPIE clients are:</p> |
| <ul> |
| <li>Debian/Ubuntu: See <a href="http://ubuntuforums.org/showthread.php?t=1891356">this forum thread</a></li> |
| <li>Browser-based: <a href="/committer/otp-md5">otp-md5 tool in JavaScript</a></li> |
| <li>SkeyCalc (Mac OS X)</li> |
| <li>Orthrus (Unix-like; portable)</li> |
| <li>FreeBSD: opiekey(1) is part of the base system</li> |
| <li>donkey (Debian package donkey). Note: use the '-f' option to set the hash type, usually 'donkey -f md5'.</li> |
| </ul> |
| <h1>Setting up OPIE:</h1> |
| <ol> |
| <li>Pick a good passphrase, between 10 and 127 characters long.</li> |
| <li>Never expose it to the net, and <strong>never type it on the remote machine</strong>.</li> |
| <li>Run <code>opiepasswd</code> (or <code>ortpasswd</code>) on the remote machine you wish to get sudo access to.</li> |
| <li>That will prompt you with an OTP challenge, for instance: <code>otp-md5 fo1834 470</code></li> |
| <li>Take that challenge string and run it <strong>locally on your workstation</strong>.</li> |
| <li>Enter your passphrase at the <strong>local prompt</strong> from step 5.</li> |
| <li>Repeat steps 5 and 6 until you are <em>certain</em> you entered your passphrase correctly.</li> |
| <li>Paste the resulting six-word response into the challenge prompt from step 4. If you get a 20014 error, |
| you have entered your password remotely by mistake; please contact infra if so.</li> |
| <li>Have someone add you to the 'wheel' group.</li> |
| <li>Run sudo.</li> |
| <li>That will prompt you for an OTP challenge.</li> |
| <li>Repeat steps 5-8.</li> |
| <li>Get root.</li> |
| </ol> |
| <h1>An example:</h1> |
| <h2>Remote machine you want to get sudo access to:</h2> |
| <pre><code>foo@test-vm.apache.org# opiepasswd |
| You need the response from an OTP generator. |
| New secret pass phrase: |
| otp-md5 499 fo4576 &lt;-- COPY THIS STRING |
| Response: |
| </code></pre> |
| <h2>Local machine:</h2> |
| <pre><code>$ otp-md5 499 fo4576 |
| Using the MD5 algorithm to compute response. |
| Reminder: Don't use opiekey from telnet or dial-in sessions. |
| Enter secret pass phrase: foobarbaztwothirty |
| WERE GAIL THUG CEIL VIE TWO &lt;-- COPY THESE WORDS |
| </code></pre> |
| <h2>Remote machine:</h2> |
| <pre><code> Response: WERE GAIL THUG CEIL VIE TWO |
| root@test-vm.apache.org # |
| </code></pre> |
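<p>The challenge/response exchange above, sketched in Python as an added example (not code from OPIE, Orthrus or the ASF): the local side derives the RFC 2289 MD5 response from the challenge and passphrase, while the remote side keeps only the last accepted response, so the passphrase never reaches the remote machine and a captured response cannot be replayed. The names <code>respond</code>, <code>hex_form</code> and <code>RemoteEntry</code> are illustrative assumptions, and responses are shown in the RFC 2289 hexadecimal form rather than as six words, because the word dictionary is not embedded here.</p>

```python
import hashlib
import hmac
import re

# RFC 2289 challenge: "otp-md5 <sequence> <seed>"; the seed is 1-16 alphanumerics.
CHALLENGE_RE = re.compile(r"otp-md5 (\d+) ([A-Za-z0-9]{1,16})")

def fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits down to 64 by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def parse_challenge(challenge: str) -> tuple:
    """Split a challenge into (sequence, lower-cased seed) or raise ValueError."""
    m = CHALLENGE_RE.fullmatch(challenge.strip())
    if not m:
        raise ValueError("not an otp-md5 challenge: %r" % challenge)
    return int(m.group(1)), m.group(2).lower()

def respond(challenge: str, passphrase: str) -> bytes:
    """Local (trusted) side: 64-bit one-time password for this challenge."""
    seq, seed = parse_challenge(challenge)
    otp = fold_md5((seed + passphrase).encode())
    for _ in range(seq):
        otp = fold_md5(otp)
    return otp

def hex_form(otp: bytes) -> str:
    """Hexadecimal response form: four groups of four hex digits."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))

class RemoteEntry:
    """Remote side: holds seed, sequence and last accepted OTP, no passphrase."""
    def __init__(self, seed: str, seq: int, otp: bytes):
        self.seed, self.seq, self.last = seed, seq, otp

    def challenge(self) -> str:
        if self.seq < 1:
            raise RuntimeError("sequence exhausted; the entry must be re-initialised")
        return "otp-md5 %d %s" % (self.seq - 1, self.seed)

    def verify(self, response: bytes) -> bool:
        # Hashing a valid response once more must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.last):
            return False
        self.seq, self.last = self.seq - 1, response  # a replay now fails
        return True
```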
| <h2>Video Tutorial</h2> |
| <p><video controls src="https://home.apache.org/~gmcdonald/using_opie_orthrus.mov"><a href="https://home.apache.org/~gmcdonald/using_opie_orthrus.mov">Setting up Orthrus using SKeyCalc on Mac</a> |
| </video></p> |
| |
| </div> |
| </div> |
| </div> |
| </div> |
| <!-- footer --> |
| <div class="row"> |
| <div class="large-12 medium-12 columns"> |
| <p style="font-style: italic; font-size: 0.8rem; text-align: center;"> |
| Copyright 2020, <a href="https://www.apache.org/">The Apache Software Foundation</a>, Licensed under the <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/> |
| Apache® and the Apache feather logo are trademarks of The Apache Software Foundation... |
| </p> |
| </div> |
| </div> |
| <script src="/theme/js/vendor/jquery.js"></script> |
| <script src="/theme/js/vendor/what-input.js"></script> |
| <script src="/theme/js/vendor/foundation.js"></script> |
| <script src="/theme/js/app.js"></script> |
| </body> |
| </html> |