Monthly Archives: May 2008

Debian – Ubuntu, S/Key and OPIE

Been looking for a simple way to enable S/Key support in Linux. Once I found out that the magical keywords were OPIE and PAM, it became almost trivial to allow ssh-logins using One Time Passwords (OTP).

The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (comment out) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required  pam_deny.so

If you only want to allow OTP-logins, this line will do.

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP-logins. To initialize a user, run opiepasswd (equivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.

Attending USENIX ‘08

About this time next month I’ll be at USENIX ’08. It will be my first real conference. I got the news today. I’m really excited about it.

line_removal.pl (known_hosts)

Manually removing entries from your known_hosts doesn’t take much of an effort. Still, it’s something you can grow tired of. Especially so after recent events (DSA-1571). That is why I’ve now written my very own line_removal.pl script.

Basically you feed the script one or more line numbers. Corresponding lines in your ~/.ssh/known_hosts will then be deleted.

andreas@leto:~$ ./line_removal.pl 22
Removing line #22 from /home/andreas/.ssh/known_hosts

andreas@leto:~$ ./line_removal.pl 3 37 29
Removing line #37 from /home/andreas/.ssh/known_hosts
Removing line #29 from /home/andreas/.ssh/known_hosts
Removing line #3 from /home/andreas/.ssh/known_hosts

To be honest I really don’t know if I’ll ever use this script against more than one line at a time. Somehow it still seemed wrong not to support the option of feeding it multiple arguments.
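The output above removes the highest line number first, which keeps the remaining numbers pointing at the intended entries. The following is an added Python example of that behaviour, not the author's line_removal.pl (whose source is not shown on this page); the function name remove_lines and the sample host entries are assumptions made for illustration.

```python
import os
import tempfile


def remove_lines(path, line_numbers):
    """Delete 1-based line_numbers from path; return them in removal order."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.readlines()

    # Highest first, duplicates collapsed: deleting line 37 before line 3
    # means the lower numbers still point at the lines the user meant.
    targets = sorted(set(line_numbers), reverse=True)
    for n in targets:
        if not 1 <= n <= len(lines):
            raise ValueError(f"line {n} out of range (file has {len(lines)} lines)")
    for n in targets:
        del lines[n - 1]

    # Write a sibling temp file and rename it over the original, so an
    # interrupted run never leaves a truncated known_hosts behind.
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:
            out.writelines(lines)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return targets


if __name__ == "__main__":
    # Constructed sample file; the host names and keys are placeholders.
    demo = os.path.join(tempfile.mkdtemp(), "known_hosts")
    with open(demo, "w", encoding="utf-8") as fh:
        fh.writelines(f"host{i}.example ssh-rsa AAAAplaceholder{i}\n" for i in range(1, 41))
    for n in remove_lines(demo, [3, 37, 29]):
        print(f"Removing line #{n} from {demo}")
```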

Regular expressions, the t-shirt

Today I got my order from the xkcd store. Among other things it included a t-shirt based on xkcd #208. It says:

/ Everybody stand back /

I know regular expressions

Of course, there is always the question of when I’ll actually be able to wear it. Considering some of the colleagues I have, it’s probably a good idea if I spend some quality time with my copy of Mastering Regular Expressions (O’Reilly) before I bring the t-shirt to work.