Archive for January 18th, 2007

Planets and hackergotchis

I updated the Planet software that runs Dudeville tonight…  I can’t really see much difference, but the one that’s in Portage is two-three years old so I figured it needed updating.

I did occasionally get problems with repeated posts when viewing the Dudeville RSS feed in Akregator, but that hadn’t happened for a while.  Let’s see how this one goes…

Around the same time (actually while I was waiting for software updates and reboots of a bunch of systems for work) I made myself a hackergotchi.  Planet is adding it to my posts in both the HTML and RSS versions of Dudeville, and I’ll be adding it to the CSS for the blog too.  If you’re wondering what I’m talking about: hackergotchis are the little floating-head style pictures.  I think mine came up alright, considering the model… :)

One-time passwords

I read a blog post via Planet Ubuntu not long ago about using OTPs.  I had looked at things like OPIE in the past, but the idea of carrying around a pre-generated list of passwords was not so encouraging.  I changed my mind when I saw that ingenious folks have written J2ME midlets for running the password generator on your phone!

I went looking at a couple of the generators mentioned in Soren’s article.  Freesafe looks very nice, with the ability to securely store the passphrases for a number of hosts separately.  It looks very nice and has a lot of features, but the developers have had to sacrifice the generation of the “six words” format of the one-time password.  Since you enter the OTP at a traditional no-echo prompt, the idea of entering a long OTP in hex digits was not appealing, so I kept looking.

Eventually I found one called vejotp (the similarity to my moniker is coincidental; I’m not associated with it at all!).  It remembers your passphrase and sequence number, so each time you need an OTP you just hit the “Go” button and it gives you the goods.  It only remembers the details of one server though — so if you have more than one system protected with one-time passwords, vejotp is not really for you (unless you like tapping out strong passphrases in predictive text!).

Soren’s post has more info about how he set it up on Ubuntu — for me it was as easy as adding the “skey” USE flag and re-emerging openssh, making sure that brought in the skey package if it wasn’t already there.  Then, I updated sshd_config to “ChallengeResponse yes” and “UsePAM no”, restarted sshd, and the setup was complete.  Each user would then run skeyinit to seed their OTP generation.

The nice thing is that passwordless login using SSH keys still works, so I can use the existing method of key-based login from inside the network, and OTP when I’m out-and-about.

Soren also describes a way to use OTP for mail access using IMAP and a utility called imapproxy.  Well worth the read!