Complete the coverage of OPIE

Christian Brueffer 2003-05-16 23:26:32 +00:00
parent 3a79e04181
commit a462f60922
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=16929


@ -1323,8 +1323,9 @@ Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... </screen>
<para>Sometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case,
it is possible to use the <command>key</command> command to
generate a number of one-time passwords before hand to be printed
it is possible to use the <command>key</command> and
<command>opiekey</command> commands to
generate a number of one-time passwords beforehand to be printed
out and taken with you. For example:</para>
<screen>&prompt.user; <userinput>key -n 5 30 zz99999</userinput>
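Review bot: the rewritten sentence (the two added lines naming <command>key</command> and <command>opiekey</command>) should say where the batch of one-time passwords is generated, because the surrounding text is about being away from a trusted machine. Generating the list requires typing the secret pass phrase, so it has to be done on a trusted machine before leaving; the opiekey output added in the next hunk even prints "Reminder: Don't use opiekey from telnet or dial-in sessions." Suggest wording along the lines of "generate a number of one-time passwords beforehand, on a trusted machine, to be printed out and taken with you."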
@ -1336,6 +1337,18 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILK</screen>
<para>Or for OPIE:</para>
<screen>&prompt.user; <userinput>opiekey -n 5 30 zz99999</userinput>
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHI</screen>
<para>The <option>-n 5</option> requests five keys in sequence, the
<option>30</option> specifies what the last iteration number
should be. Note that these are printed out in
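Review bot: the added opiekey screen prompts <literal>Enter secret pass phrase:</literal> but the placeholder that follows it reads <literal>&lt;secret password&gt;</literal>, copied from the key screen above; since opiekey uses the term pass phrase, suggest <userinput>&lt;secret pass phrase&gt;</userinput> there so the prompt and the placeholder agree. The unchanged explanatory paragraph about <option>-n 5</option> and <option>30</option> now applies to both commands, so a short clause such as "for either command" would make that explicit.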
@ -1350,7 +1363,7 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
<sect2>
<title>Restricting Use of Unix Passwords</title>
<para>Restrictions can be placed on the use of Unix passwords based
<para>S/Key can place restrictions on the use of Unix passwords based
on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the
configuration file <filename>/etc/skey.access</filename>. The
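Review bot: the reworded opening line now attributes the restrictions to S/Key alone, but the section title "Restricting Use of Unix Passwords" also covers the OPIE paragraph this patch adds at the end of the section. Suggest an introductory sentence stating that both S/Key and OPIE can restrict Unix password use, S/Key through <filename>/etc/skey.access</filename> and OPIE through <filename>/etc/opieaccess</filename>, so a reader on a 5.0 system does not stop at the S/Key text.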
@ -1359,15 +1372,16 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
aware of before depending on this file for security.</para>
<para>If there is no <filename>/etc/skey.access</filename> file
(this is the FreeBSD default), then all users will be allowed to
use Unix passwords. If the file exists, however, then all users
will be required to use S/Key unless explicitly permitted to do
otherwise by configuration statements in the
(this is the default on FreeBSD 4.x systems), then all users will
be allowed to use Unix passwords. If the file exists, however,
then all users will be required to use S/Key unless explicitly
permitted to do otherwise by configuration statements in the
<filename>skey.access</filename> file. In all cases, Unix
passwords are permitted on the console.</para>
<para>Here is a sample configuration file which illustrates the
three most common sorts of configuration statements:</para>
<para>Here is a sample <filename>skey.access</filename> configuration
file which illustrates the three most common sorts of configuration
statements:</para>
<programlisting>permit internet 192.168.0.0 255.255.0.0
permit user fnord
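Review bot: the changed parenthetical narrows the file-absent behaviour to 4.x systems but gives the reader no pointer to what applies on 5.0 and newer; suggest a cross-reference to the OPIE paragraph later in this section. Since this is the security-relevant default, it is also worth stating plainly that a missing <filename>/etc/skey.access</filename> means every user may log in with a Unix password (default allow), so an administrator who wants one-time passwords enforced must create the file; that contrasts with the OPIE text in this same patch, where no matching rule in <filename>opieaccess</filename> results in non-OPIE logins being denied.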
@ -1390,6 +1404,25 @@ permit port ttyd0</programlisting>
<para>The third line (<literal>permit port</literal>) allows all
users logging in on the specified terminal line to use Unix
passwords; this would be used for dial-ups.</para>
<para>OPIE can restrict the use of Unix passwords based on the IP
address of a login session just like S/Key does. The relevant file
is <filename>/etc/opieaccess</filename>, which is present by default
on FreeBSD 5.0 and newer systems. Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.</para>
<para>Here is a sample <filename>opieaccess</filename> file:</para>
<programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
<para>This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
to use Unix passwords at any time.</para>
<para>If no rules in <filename>opieaccess</filename> are matched,
the default is to deny non-OPIE logins.</para>
</sect2>
</sect1>
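Review bot: "just like S/Key does" in the first added paragraph overstates the parallel: the S/Key paragraph earlier in this section lists host name, user name, terminal port and IP address, while this paragraph says OPIE restricts on the IP address only. Suggest "based on the IP address of a login session, similar to S/Key" or dropping the comparison. Two further documentation points: the S/Key text describes what happens when its access file is absent, and this paragraph should do the same for <filename>/etc/opieaccess</filename> (it says the file is present by default, not what a missing file means); and the sample <literal>permit 192.168.0.0 255.255.0.0</literal> covers a full /16, so the explanatory paragraph's remark about spoofable source addresses could be tied to the sample by recommending the narrowest mask that covers the trusted network.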