Opie

From LQWiki

There are two projects named Opie. The first is a one-time password authentication application, and the second is a PDA/SmartPhone desktop environment. I will briefly discuss each.

Opie, the Security tool

The first Opie project is One-time Passwords In Everything, and is based on S/KEY. These applications provide a secure password authentication method, and are especially useful on untrusted networks. Opie uses a one-way hashing algorithm to provide a set of passwords, each of which can be used only one time. This prevents malicious parties from gaining a usable password by either sniffing the network or "shoulder surfing".

An Opie password is derived from a passphrase, a seed and a sequence number. The passwords are generated by issuing the opiepasswd command:

[storm@defiant ~]$ opiepasswd -f -c
Adding storm:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:

ID storm OTP key is 499 ri6665
JAVA AWAY HUG FLUB BALD HICK

Your passphrase is entered and verified, then the password generator creates a seed value (ri6665) and, by default, 500 password sets. In the example above, the password is JAVA AWAY HUG FLUB BALD HICK. Each password consists of six easy-to-type three- and four-letter words.

Opie, once enabled through /etc/opieaccess, PAM or another method (depending on your OS), will provide the seed and the sequence number, and the user must provide the password (not the passphrase). Each time a one-time password is used, the sequence number will decrement by one. As the number of remaining passwords approaches zero, new passwords can be generated by running opiepasswd again.
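The challenge and response exchange described above, as an added example that is not Opie's own code. It follows the MD5 hash-chain construction of RFC 2289 and assumes a hypothetical Server class, a constructed passphrase, and raw 8-byte responses in place of the six-word encoding.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """One hash step: MD5, then fold 128 bits to 64 by XORing the two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, sequence: int) -> bytes:
    """Initial step over seed + passphrase, then `sequence` further hash steps."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(sequence):
        value = fold_md5(value)
    return value

class Server:
    """Hypothetical verifier: it stores the last accepted OTP, never the passphrase."""
    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self):
        # The server asks for the password one step earlier in the chain.
        return self.sequence - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.sequence < 1:
            return False  # chain exhausted; opiepasswd must be run again
        # Hashing the response once more must reproduce the stored value.
        if not hmac.compare_digest(fold_md5(response), self.last_otp):
            return False
        self.last_otp = response  # the accepted response becomes the new reference
        self.sequence -= 1        # the sequence number decrements by one
        return True

def demo():
    passphrase = "constructed example passphrase"  # constructed sample value
    seed = "ri6665"                                # seed from the session above
    server = Server(seed, 499, otp(passphrase, seed, 499))
    n, s = server.challenge()                      # (498, "ri6665")
    response = otp(passphrase, s, n)
    first = server.verify(response)                # fresh response is accepted
    replay = server.verify(response)               # sniffed copy is rejected
    n2, _ = server.challenge()                     # (497, "ri6665")
    second = server.verify(otp(passphrase, seed, n2))
    return first, replay, second, server.sequence

if __name__ == "__main__":
    print(demo())
```

Because the hash is one-way, an observer holding the response for sequence 498 cannot compute the one for 497, and the server's stored value alone is not enough to log in.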

All right, so you are on the outside of the machine running Opie, trying to log in. How do you do it? There are a number of choices. Before you venture out, you can use the opiekey program with the -n <count> option to generate a number of passwords. These can be printed and carried in your wallet. The two risks of this approach are running out of passwords and the security risks inherent in carrying passwords around with you.

If you are on a trusted machine, you can run the opiekey program, omitting the -n <count> flag, to generate a single password. You must ensure that the machine on which you are running opiekey is trusted, because it will require your passphrase to generate a one-time password. The password output of opiekey is suitable for cutting and pasting into your remote machine's password prompt. There are equivalent versions of opiekey for most Unixes and Linuxes, DOS, Windows and Mac OS. There are also GUI OTP key generators, which are similar in function to opiekey. These include PilOTP for PalmOS and otpkeygen for the Sharp Zaurus.

Opie, the Desktop Environment

As if the one-time password generator isn't confusing enough, Opie is also the name of a Desktop (or Palmtop) environment. Open Palmtop Integrated Environment is a completely Open Source based graphical user environment and suite of applications for PDAs and other devices running Linux. It is included in various embedded Linux distributions such as OpenZaurus (Sharp Zaurus), Familiar (HP Ipaq) and OpenSIMpad (Siemens SIMpad).

Opie is a completely free and Open Source fork of Trolltech's Qtopia operating environment. Opie is therefore, in a manner of speaking, a distant cousin of KDE, which is based on the Qt libraries.

Opie ships with a number of native applications. These include Personal Information Management (PIM) apps, games, productivity tools, multimedia applications and others. In addition, it is easy to port desktop Linux applications to run on Opie.