Complete the coverage of OPIE

This commit is contained in:
Christian Brueffer 2003-05-16 23:26:32 +00:00
parent 3a79e04181
commit a462f60922
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=16929


@ -1323,8 +1323,9 @@ Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ... </screen>
<para>Sometimes you have to go places where you do not have <para>Sometimes you have to go places where you do not have
access to a trusted machine or secure connection. In this case, access to a trusted machine or secure connection. In this case,
it is possible to use the <command>key</command> command to it is possible to use the <command>key</command> and
generate a number of one-time passwords before hand to be printed <command>opiekey</command> commands to
generate a number of one-time passwords beforehand to be printed
out and taken with you. For example:</para> out and taken with you. For example:</para>
<screen>&prompt.user; <userinput>key -n 5 30 zz99999</userinput> <screen>&prompt.user; <userinput>key -n 5 30 zz99999</userinput>
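Review bot: The rewritten sentence now names both <command>key</command> and <command>opiekey</command> without saying which one a reader should reach for, even though the later hunks of this same commit tie S/Key to FreeBSD 4.x and OPIE to FreeBSD 5.0 and newer; a short parenthetical such as "(<command>key</command> for S/Key, <command>opiekey</command> for OPIE)" would let the reader pick the right tool before the two examples are shown. The "before hand" to "beforehand" correction is good.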
@ -1336,6 +1337,18 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
29: COT MASH BARR BRIM NAN FLAG 29: COT MASH BARR BRIM NAN FLAG
30: CAN KNEE CAST NAME FOLK BILK</screen> 30: CAN KNEE CAST NAME FOLK BILK</screen>
<para>Or for OPIE:</para>
<screen>&prompt.user; <userinput>opiekey -n 5 30 zz99999</userinput>
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHI</screen>
<para>The <option>-n 5</option> requests five keys in sequence, the <para>The <option>-n 5</option> requests five keys in sequence, the
<option>30</option> specifies what the last iteration number <option>30</option> specifies what the last iteration number
should be. Note that these are printed out in should be. Note that these are printed out in
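Review bot: In the new opiekey screen the prompt reads "Enter secret pass phrase:" but the placeholder that follows it is still "&lt;secret password&gt;", copied from the S/Key example; use "&lt;secret pass phrase&gt;" so the placeholder matches the program's own wording and the reader is not left wondering whether the OPIE pass phrase is the same secret as the S/Key password. The captured "Reminder: Don't use opiekey from telnet or dial-in sessions." line is worth keeping in the listing, since it shows the tool itself warning against generating the printed list over an untrusted session, which is exactly the point the surrounding paragraph makes.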
@ -1350,7 +1363,7 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
<sect2> <sect2>
<title>Restricting Use of Unix Passwords</title> <title>Restricting Use of Unix Passwords</title>
<para>Restrictions can be placed on the use of Unix passwords based <para>S/Key can place restrictions on the use of Unix passwords based
on the host name, user name, terminal port, or IP address of a on the host name, user name, terminal port, or IP address of a
login session. These restrictions can be found in the login session. These restrictions can be found in the
configuration file <filename>/etc/skey.access</filename>. The configuration file <filename>/etc/skey.access</filename>. The
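Review bot: Changing "Restrictions can be placed" to "S/Key can place restrictions" correctly scopes this paragraph to S/Key, but the <sect2> title "Restricting Use of Unix Passwords" now covers both mechanisms once the OPIE paragraphs are added at the end of the same section, so a reader on a 5.0 system has no signal that the <filename>/etc/skey.access</filename> rules described here do not apply to them. Consider adding one sentence to this paragraph pointing out that OPIE uses a different file, <filename>/etc/opieaccess</filename>, covered later in this section.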
@ -1359,15 +1372,16 @@ Enter secret password: <userinput>&lt;secret password&gt;</userinput>
aware of before depending on this file for security.</para> aware of before depending on this file for security.</para>
<para>If there is no <filename>/etc/skey.access</filename> file <para>If there is no <filename>/etc/skey.access</filename> file
(this is the FreeBSD default), then all users will be allowed to (this is the default on FreeBSD 4.x systems), then all users will
use Unix passwords. If the file exists, however, then all users be allowed to use Unix passwords. If the file exists, however,
will be required to use S/Key unless explicitly permitted to do then all users will be required to use S/Key unless explicitly
otherwise by configuration statements in the permitted to do otherwise by configuration statements in the
<filename>skey.access</filename> file. In all cases, Unix <filename>skey.access</filename> file. In all cases, Unix
passwords are permitted on the console.</para> passwords are permitted on the console.</para>
<para>Here is a sample configuration file which illustrates the <para>Here is a sample <filename>skey.access</filename> configuration
three most common sorts of configuration statements:</para> file which illustrates the three most common sorts of configuration
statements:</para>
<programlisting>permit internet 192.168.0.0 255.255.0.0 <programlisting>permit internet 192.168.0.0 255.255.0.0
permit user fnord permit user fnord
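Review bot: Narrowing "(this is the FreeBSD default)" to "(this is the default on FreeBSD 4.x systems)" is accurate, but the rest of the paragraph still states unconditionally that with no file present "all users will be allowed to use Unix passwords", which describes the S/Key fallback only; on 5.0 and newer the OPIE paragraphs in this same commit say <filename>/etc/opieaccess</filename> is present by default and denies non-OPIE logins when no rule matches. Suggest qualifying the sentence, e.g. "If there is no /etc/skey.access file (the default on FreeBSD 4.x systems, where S/Key is used), then all users will be allowed to use Unix passwords", so the permissive default is not read as applying to OPIE systems.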
@ -1390,6 +1404,25 @@ permit port ttyd0</programlisting>
<para>The third line (<literal>permit port</literal>) allows all <para>The third line (<literal>permit port</literal>) allows all
users logging in on the specified terminal line to use Unix users logging in on the specified terminal line to use Unix
passwords; this would be used for dial-ups.</para> passwords; this would be used for dial-ups.</para>
<para>OPIE can restrict the use of Unix passwords based on the IP
address of a login session just like S/Key does. The relevant file
is <filename>/etc/opieaccess</filename>, which is present by default
on FreeBSD 5.0 and newer systems. Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.</para>
<para>Here is a sample <filename>opieaccess</filename> file:</para>
<programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
<para>This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
to use Unix passwords at any time.</para>
<para>If no rules in <filename>opieaccess</filename> are matched,
the default is to deny non-OPIE logins.</para>
</sect2> </sect2>
</sect1> </sect1>
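Review bot: "OPIE can restrict the use of Unix passwords based on the IP address of a login session just like S/Key does" overstates the parallel: the S/Key paragraph earlier in this section lists restrictions by host name, user name, terminal port, or IP address, while the <filename>opieaccess</filename> sample and its explanation here cover only a source-address match. Rephrase to something like "OPIE can restrict the use of Unix passwords based on the IP address of a login session, although it does not offer the user name or terminal port rules that S/Key does", so that an administrator migrating a <literal>permit user</literal> or <literal>permit port</literal> rule from <filename>skey.access</filename> does not expect an equivalent in <filename>opieaccess</filename>. The "(which is vulnerable to spoofing)" caveat and the closing note that unmatched logins default to denying non-OPIE logins are both valuable and should stay.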