11 April 2013

385. OTPW -- connecting from an insecure computer using one-time passwords

I got inspired to look into this by this post: http://www.linuxjournal.com/content/configuring-one-time-password-authentication-otpw

The idea of one-time passwords is fairly simple -- even if someone manages to keylog your password (or see you type it in) it will be useless to them, as it can only be used once.

The implementation is also fairly simple: if you divide a password in half, keep one half static (the prefix) and take the other half from a pre-agreed list (the suffix), you get a practical and secure way of using a different password for every login.

Let's say that I decide that the static, prefix part should be 'ice' and that we make a pre-agreed list of suffixes that we can use to make passwords:
001. box
002. flower
003. icle
004. skating
005. fishing

You should print this list and keep it reasonably safe. Without the prefix it is not useful. Likewise, any keylogger on a compromised computer will find out the prefix, but it will be useless without the suffix list. So keep that in mind -- make sure that no-one gets hold of both.

You then try to log in via ssh from a remote client, and you get prompted for password 004 -- this means that the password you need to use is iceskating.

In real-world applications the suffixes are random, and not at all related to the prefix. Also, once the list has been generated it is not stored (so you better print it) -- only the hashes of the complete (prefix + suffix) passwords are.

Note that the choice isn't really between OTPW and regular static password -- you can use both, just like you can use SSH with both key and password.
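As an added illustration (not the OTPW project's code, and not its real hash construction or ~/.otpw file format), here is a small Python model of the scheme just described: the server keeps only hashes of prefix + suffix, challenges with an unused index, and burns an entry once it has been used, so a keylogged password cannot be replayed.

```python
# Added example: a minimal model of the prefix + one-time-suffix scheme.
# Real OTPW uses its own hash construction and file format; this only
# models the idea (hashes kept on the server, suffix list printed once).
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (constructed choice).
SUFFIX_ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def generate_list(prefix: str, count: int, suffix_len: int = 8):
    """Return (printable, store): the numbered suffix list to print and
    throw away after use, and the hash store that stays on the server."""
    printable, store = {}, {}
    for i in range(1, count + 1):
        suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(suffix_len))
        printable[i] = suffix
        # only the hash of the complete password (prefix + suffix) is kept
        store[i] = hashlib.sha256((prefix + suffix).encode()).hexdigest()
    return printable, store


def challenge(store):
    """Pick a random unused index to prompt for, or None if the list is used up."""
    unused = [i for i, h in store.items() if h is not None]
    return secrets.choice(unused) if unused else None


def verify(store, index, response: str) -> bool:
    """Check a response to challenge `index`. A correct entry is burned
    afterwards, so a keylogged password is useless for a second login."""
    expected = store.get(index)
    if expected is None:                      # unknown index or already used
        return False
    got = hashlib.sha256(response.encode()).hexdigest()
    if not hmac.compare_digest(got, expected):
        return False
    store[index] = None                       # one-time: burn the entry
    return True
```

The suffix alone (what the printed list leaks) and the prefix alone (what a keylogger learns) both fail verification; only their concatenation, once, succeeds.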



Set up
http://www.linuxjournal.com/content/configuring-one-time-password-authentication-otpw?page=0,2 deals with a number of different use scenarios. I'm only interested in enabling OTPW for remote SSH at this stage, i.e. local login keeps using static passwords by default.

(if you're travelling with a laptop you may consider using OTPW for everything)

You need libpam-otpw. In addition, otpw-bin is useful for generating the suffix/hash list.
sudo apt-get install libpam-otpw otpw-bin

Generate a list of hashes and suffixes:
otpw-gen|tee otpw.list

Print the list and delete it afterwards.

You now have a ~/.otpw file filled with hashes.

Create /etc/pam.d/ssh-otpw.
auth sufficient pam_otpw.so
session optional pam_otpw.so

and edit /etc/pam.d/sshd -- include the ssh-otpw file immediately before common-auth to set the order of login methods.
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
@include ssh-otpw
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
@include common-password
This way, if there's a ~/.otpw file you'll first be prompted for a one-time password. Otherwise that option will be skipped, so users with and without OTPW can co-exist happily.
In /etc/ssh/sshd_config, set
ChallengeResponseAuthentication yes
and make sure that UsePrivilegeSeparation and UsePAM are also set to yes (they should be by default on Debian Wheezy).
sudo service ssh restart

and that's it!

Testing
To test, use a different computer and try to log in. I've got all my local computers set up to use keys to log in, so I had to run
ssh -o PubKeyAuthentication=no me@beryllium
Password 267:
In my list, 267 was given as
dfuF XE+L
so (pretending that my prefix was ice) my password was icedfuFXE+L.
If you answer that challenge wrong, you'll be asked for your static password instead. If you want to keep that secret, then interrupt the connection and retry.

Easy!

Once you start running out of passwords, run otpw-gen again for a new list.

384. Another (vaguely) TeX-related headache

The error
ps2pdf wasn't working on one of my .ps files (generated from a .tex file by texmaker). When I try to print the .ps file, it also shows up as having 197 pages, instead of 85 pages, which is what it has and what is seen in e.g. evince.

ps2pdf gives
Error: /syntaxerror in -file-
Operand stack:

Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1910   1   3   %oparray_pop   1909   1   3   %oparray_pop   1893   1   3   %oparray_pop   1787   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push
Dictionary stack:
   --dict:1164/1684(ro)(G)--   --dict:4/20(G)--   --dict:101/200(L)--   --dict:215/300(L)--   --dict:90/200(L)--   --dict:57/75(L)--   --dict:211/313(L)--   --dict:72/140(L)--   --dict:0/10(G)--   --dict:0/10(L)--   --dict:6/50(ro)(G)--   --dict:56/71(L)--
Current allocation mode is local
Last OS error: No such file or directory
Current file position is 86139456
GPL Ghostscript 9.05: Unrecoverable error, exit code 1

And I have no idea where to start troubleshooting... the file position error is not terribly helpful given that the file only has 2010146 lines. So I commented everything, then slowly uncommented everything.

And it was a bit more complex than I thought -- this is the smallest section of code I could use to reproduce the error (note that the two frames are about 30 pages apart in the original):


[preamble]
\begin{document}
\begin{frame}{A frame}
\begin{table}
 \begin{tabular}{l r}
 \includegraphics[width=4cm]{images/figure_1.eps} & \pause
 \includegraphics[width=3.5cm]{img/folder_1/figure_2.eps} 
 \end{tabular}
\end{table}
\small{
\begin{itemize}
\item Blah blah blah
\item Blah Blah?
\end{itemize}
}
\end{frame}

\begin{frame}{Another frame}
 \small{Blah blahdi blah}\\
 \begin{center}
 \begin{table}
 \begin{tabular}{c c}
 \includegraphics[width=5cm]{img/folder_1/figure_3.eps} &
 \includegraphics[width=5cm]{img/folder_1/figure_4.eps} \\
 {\sc Caption} & Caption
 \end{tabular}
 \end{table}
 \end{center}
\end{frame}

\end{document}

The error was only apparent if both figure_2.eps and figure_3.eps were requested -- somehow those two files didn't like each other. I had made figure_2.eps myself (povray -> png -> eps), but a collaborator had sent me figure_3.eps, which was made using Bruker Topspin (a stacked plot of NMR spectra).

The fix:
I fixed it by opening figure_3.eps in inkscape and saving it again.

bad.eps is figure_3 before re-saving it, good.eps is figure_3 after re-saving it:

me@beryllium:~/work/manuscripts/Talks/Australie/img/folder_1$ head -n 20 bad.eps 
���� X�+x�+ ��%!PS-Adobe-3.1 EPSF-3.0
%ADO_DSC_Encoding: Windows Roman
%%Title: 72_tempbw.eps
%%Creator: Adobe Illustrator(R) 15.1
%%For: Collaborator
%%CreationDate: 9/12/2012
%%BoundingBox: 0 0 633 359
%%HiResBoundingBox: 0 0 632.8331 358.5000
%%CropBox: 0 0 632.8331 358.5000
%%LanguageLevel: 2
%%DocumentData: Clean7Bit
%ADOBeginClientInjection: DocumentHeader "AI11EPS"
%ADO_ContainsXMP: MainFirstustrator(R) 15.1.0 x39 R agm 4.5189 ct 5.1875
%ADOEndClientInjection: DocumentHeader "AI11EPS"
%%Pages: 1
%%DocumentNeededResources:
%%DocumentSuppliedResources: procset Adobe_AGM_Image 1.0 0
%%+ procset Adobe_CoolType_Utility_T42 1.0 0
%%+ procset Adobe_CoolType_Utility_MAKEOCF 1.23 0
%%+ procset Adobe_CoolType_Core 2.31 0
me@beryllium:~/work/manuscripts/Talks/Australia/img/folder_1$ head -n 20 good.eps
%!PS-Adobe-3.0 EPSF-3.0
%%Creator: cairo 1.12.2 (http://cairographics.org)
%%CreationDate: Thu Apr 11 11:36:28 2013
%%Pages: 1
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%BoundingBox: 0 -1 633 359
%%EndComments
%%BeginProlog
save
50 dict begin
/q { gsave } bind def
/Q { grestore } bind def
/cm { 6 array astore concat } bind def
/w { setlinewidth } bind def
/J { setlinecap } bind def
/j { setlinejoin } bind def
/M { setmiterlimit } bind def
/d { setdash } bind def
/m { moveto } bind def
I had another couple of files which caused the same issue -- all of which originally came from Bruker Topspin (XWinNMR). Re-saving them in inkscape solved the issues.
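The bad.eps listing above starts with binary bytes before the %!PS line, where good.eps starts with the DSC header directly. As an added example (not from the original post), this Python checker flags .eps files with that symptom before they go into a LaTeX build; it assumes, as the usual cause, a DOS EPS binary header (magic bytes C5 D0 D3 C6) whose fields give the offset and length of the PostScript section.

```python
# Added example, not from the original post: detect .eps files that do not
# begin with the "%!PS-Adobe" DSC header, the symptom seen in bad.eps above.
# Assumption: the binary prefix is a DOS EPS header (magic C5 D0 D3 C6) that
# records where the PostScript section starts and how long it is.
import struct
import sys

DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"
DSC_HEADER = b"%!PS-Adobe"


def inspect_eps(data: bytes) -> dict:
    """Classify the start of an EPS file: 'clean' (DSC header first),
    'dos-eps' (binary wrapper, PostScript located inside) or 'unknown'."""
    if data.startswith(DSC_HEADER):
        return {"kind": "clean", "ps_offset": 0, "ps_length": len(data)}
    if data.startswith(DOS_EPS_MAGIC) and len(data) >= 30:
        # header: magic, PS offset, PS length, WMF offset/length,
        # TIFF offset/length (little-endian uint32 each), uint16 checksum
        ps_offset, ps_length = struct.unpack_from("<II", data, 4)
        if data[ps_offset:ps_offset + len(DSC_HEADER)] == DSC_HEADER:
            return {"kind": "dos-eps", "ps_offset": ps_offset, "ps_length": ps_length}
    return {"kind": "unknown", "ps_offset": None, "ps_length": None}


def extract_postscript(data: bytes) -> bytes:
    """Return only the PostScript section, dropping any binary wrapper
    (roughly what re-saving the file from inkscape achieved above)."""
    info = inspect_eps(data)
    if info["kind"] == "dos-eps":
        return data[info["ps_offset"]:info["ps_offset"] + info["ps_length"]]
    return data


# Constructed sample: a tiny PostScript body wrapped in a 30-byte DOS EPS
# header (PS offset 30, no WMF/TIFF preview, checksum 0xFFFF meaning none).
PS_BODY = b"%!PS-Adobe-3.1 EPSF-3.0\n%%BoundingBox: 0 0 633 359\n%%EOF\n"
DOS_WRAPPED = DOS_EPS_MAGIC + struct.pack("<IIIIIIH", 30, len(PS_BODY), 0, 0, 0, 0, 0xFFFF) + PS_BODY

if __name__ == "__main__":
    # usage: python checker.py img/folder_1/*.eps
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_eps(fh.read())["kind"])
```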

I still don't understand why figure_1 had to be present though.

09 April 2013

382. Briefly: fixing pdfstudio's leftover crud

I didn't like pdfstudio (http://verahill.blogspot.com.au/2013/02/338-annotating-pdfs-in-linux-revisited.html), not least because it's stuck in a microsoft world of 'basic' and 'pro' versions i.e. artificial crippling. I promptly got rid of it, but it has been lingering on my system like a bad relationship:
dpkg: warning: parsing file '/var/lib/dpkg/available' near line 94935 package 'pdfstudio': missing description

The simplest, most radical fix is to do
sudo dpkg --clear-avail
sudo apt-get update