A Go package and command-line interface to generate OPIE (One-time Passwords In Everything) challenge responses.
`opiekey`, but written in Go! S/KEY authentication like it's 1996
```
$ opiekey 499 testseed testpassphrase
LAIR FUME GIBE FROM JIG COP

$ opiekey 499 testseed
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
LAIR FUME GIBE FROM JIG COP

$ OPIE_PASSPHRASE="testpassphrase" opiekey 499 testseed
LAIR FUME GIBE FROM JIG COP

$ opiekey --version
opiekey version 1.0.0 linux/amd64
```
```go
package main

import (
	"fmt"

	"github.com/arcanericky/opiekey"
)

func main() {
	// Sequence number 499, seed "testseed", MD5 algorithm.
	fmt.Println(opiekey.ComputeWordResponse(499, "testseed", "testpassphrase", opiekey.MD5))
}
```
```
$ opiekey --help
opiekey - Program for computing responses to OTP challenges.

opiekey takes the optional count of the number of responses to print
along with a (maximum) sequence number, seed and optional secret pass
phrase as command line args then produces an OPIE response as six
words or hexadecimal numbers. If the OPIE_PASSPHRASE environment
variable is set it will be used for the secret pass phrase. If no
secret pass phrase was specified as a command line argument or
environment variable, the program will prompt for it.

Usage:
  opiekey sequence_number seed passphrase [flags]

Flags:
  -h, --help         help for opiekey
  -x, --hex          output the OTPs as hexadecimal numbers instead of six words
  -4, --md4          selects MD4 as the response generation algorithm
  -5, --md5          selects MD5 as the response generation algorithm (default true)
  -n, --number int   the number of one time access passwords to print (default 1)
  -s, --sha1         selects SHA1 as the response generation algorithm
      --version      version for opiekey
```
A particular OPIE implementation might limit the value of the sequence number and the characters and lengths of the seed and passphrase. Neither this utility nor the package validates this data.
The utility and package support the MD5 and MD4 algorithms.
The SHA1 implementation is questionable and probably doesn't produce correct output.
The output of this `opiekey` utility was tested against the output of the now obsolete opie-client 2.40 Ubuntu package. The word list was lifted from the integer-word translation dictionary in the `btoe.c` module of the same package and documented as part of RFC-2289. Most of my comprehension of the OPIE algorithm came from ruby-otp so this translation may not be ideal, but it produces the results I require.
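The MD5 computation specified in RFC 2289, together with the server-side check that explains why the sequence number counts down, as an added example (this is not the package's own code; `Response`, `Hex` and `Verify` are hypothetical names, and the six-word encoding is left out in favour of hexadecimal output):

```go
package main

import (
	"crypto/md5"
	"fmt"
	"strings"
)

// fold reduces a 16-byte MD5 digest to 64 bits by XORing its two halves.
func fold(d [16]byte) (out [8]byte) {
	for i := range out {
		out[i] = d[i] ^ d[i+8]
	}
	return out
}

// Response computes the 64-bit MD5 response for a sequence number: the
// lowercased seed and the pass phrase are hashed and folded once, then
// the 8-byte result is hashed and folded again seq more times.
func Response(seq int, seed, passphrase string) [8]byte {
	r := fold(md5.Sum([]byte(strings.ToLower(seed) + passphrase)))
	for i := 0; i < seq; i++ {
		r = fold(md5.Sum(r[:]))
	}
	return r
}

// Hex formats a response as four groups of four hex digits.
func Hex(r [8]byte) string {
	return fmt.Sprintf("%X %X %X %X", r[0:2], r[2:4], r[4:6], r[6:8])
}

// Verify is the server side: it keeps only the last accepted response
// (never the pass phrase) and accepts a new one if hashing it once
// reproduces the stored value. On success the server stores `received`.
func Verify(stored, received [8]byte) bool {
	return fold(md5.Sum(received[:])) == stored
}

func main() {
	// Sample values from the usage section above; the server is assumed
	// to hold the response for sequence number 500.
	stored := Response(500, "testseed", "testpassphrase")
	reply := Response(499, "testseed", "testpassphrase")
	fmt.Println(Hex(reply), Verify(stored, reply))
}
```

Because each accepted response replaces the stored value, a captured response cannot be replayed: the next challenge asks for a lower sequence number, which can only be produced by someone who knows the pass phrase.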
My day job has deployed a few machines that require responses to OPIE challenges for logins. I very rarely need to log in to these machines, but when I do, it's a pain to find an opiekey utility, mobile device app, or web page to generate these responses. I finally decided to code up a small library and utility that can run on most any OS I'm using. This very basic package and utility is the result.
The OPIE Authentication System is a dinosaur and its usage is rapidly dwindling. Listed below are a few useful resources, noting that I don't endorse, recommend, or support any executables you dare to run:
- A copy of the OPIE archive including programs for various operating systems and a README
- FreeBSD's OPIE implementation
- OPIE host setup
- Source for OTPDroid
- Old OPIEKey Android app
- Source for the defunct OPIE 2.40 for Ubuntu