Skip to content


After travelling around Mexico and logging into my mail server from random machines, my paranoia has turned me to looking at one-time passwords. Here's a brief rundown of what I went through to set it up on Ubuntu.

On a local secure machine (laptop/PDA):

  1. apt-get install opie-client
  2. Think up a secret passphrase between 10 and 127 characters long.

On the server:

  1. apt-get install libpam-opie opie-server
  2. As per /usr/share/doc/libpam-opie/README.Debian, I edited /etc/pam.d/ssh and replaced the line
    @include common-auth
    auth	sufficient
    auth 	sufficient
    auth	required
  3. Enable ChallengeResponseAuthentication yes in /etc/ssh/sshd_config.
  4. As the user on the server, run opiepasswd. This will give you a challenge that you need to answer by running opiekey or otp-md5 on a local (secure) machine.
    server% opiepasswd
    Adding bernard:
    You need the response from an OTP generator.
    New secret pass phrase:
            otp-md5 499 so9449
    client% otp-md5 499 so9449
    Using the MD5 algorithm to compute response.
    Reminder: Don't use opiekey from telnet or dial-in sessions.
    Enter secret pass phrase: ***************
    And now pass LIEU FOLK GULL WALL TASK AN back to the opiepasswd command.

Now when you log into the server with ssh, you should be greeted with something like:

insecure% ssh server
otp-md5 498 so9449 ext, Response:
where you respond by running otp-md5 498 so9449 on your local secure machine, entering your secret passphrase, and punch in the response back to the server. If the server rejects it, double-check you didn't mess up your secret passphrase. There are no other warnings or errors if you do!

The sequence number will decrement towards 0, each time a challenge is used. So if you're going travelling without your PDA, you could pre-generate your one-time passwords, print them out and stick them in your wallet (assuming you trust your wallet).

Et voila.