summaryrefslogtreecommitdiffstats
path: root/crypto/kerberosIV/doc/otp.texi
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/kerberosIV/doc/otp.texi')
-rw-r--r--crypto/kerberosIV/doc/otp.texi127
1 files changed, 127 insertions, 0 deletions
diff --git a/crypto/kerberosIV/doc/otp.texi b/crypto/kerberosIV/doc/otp.texi
new file mode 100644
index 0000000..0a5929f
--- /dev/null
+++ b/crypto/kerberosIV/doc/otp.texi
@@ -0,0 +1,127 @@
+@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top
+@chapter One-Time Passwords
+
+@cindex OTP
+@cindex One time passwords
+There is also support for using @dfn{one time passwords} (OTP) in this
+package. Specifically @code{login}, @code{ftpd}, and @code{popper} have
+support for using them.
+
+@menu
+* What are one time passwords?::
+* When to use one time passwords?::
+* Configuring OTPs::
+@end menu
+
+@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords
+@comment node-name, next, previous, up
+@section What are one time passwords?
+
+One time passwords are, as the name implies, passwords that can only
+be used once. This means that even if someone is eavesdropping on the
+network, they will not be able to make use of the passwords they steal.
+
+The OTPs used in this package support @cite{RFC 1938}. This standard is
+also backwards compatible with the well-known S/Key. There are lots of
+programs for generating these on everything from HP 48's to Crays.
+@cindex S/Key
+
+@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords
+@comment node-name, next, previous, up
+@section When to use one time passwords?
+
+Why would you want to use OTPs instead of Kerberos? The advantage of
+OTPs is that they don't require a computer to operate. You can print
+out a list of passwords and take with you, or you could use your
+calculator or hand-held computer to generate them.
+
+The downside is that they only protect you against passive attacks.
+Only the initial connection is authenticated. After that, anyone can
+eavesdrop on your session, so you should not send or view any sensitive
+data (e.g. passwords) over a OTP-initiated link. You are also
+vulnerable to active attacks where intruders try to take over your
+TCP-session and/or introduce data in the middle of it. In other words,
+they provide initial authentication, but neither integrity nor
+confidentiality.
+
+The OTPs are generated from the tuple (@var{seed}, @var{sequence
+number}, @var{pass-phrase}). The seed and the sequence number will be
+printed as part of the @dfn{challenge} and you will have to generate the
+corresponding password or pick it from a list.
+
+In conclusion, they are simple and can be used everywhere but don't
+protect against all threats that Kerberos does. Use them when you can't
+use Kerberos.
+
+@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords
+@comment node-name, next, previous, up
+@section Configuring OTPs
+
+@heading Initializing
+
+To initialize your OTPs use the @code{otp} program. This program will
+write an entry in a local file on this host with your current password
+(in this case the 100th) and the corresponding seed (@samp{foobar}).
+@pindex otp
+
+@example
+@cartouche
+datan:>otp 100 foobar
+Pass-phrase: <pass-phrase>
+Verifying password Pass-phrase: <pass-phrase>
+@end cartouche
+@end example
+
+@heading Generating
+
+To print out a list of them there is a program called
+@code{otpprint}.
+@pindex otpprint
+
+@example
+@cartouche
+datan:>otpprint 100 foobar
+Pass-phrase: <pass-phrase>
+91: SLAM BUY SUP DUSK SKY BEST
+92: DEEM SIGH ROB RASH JUG MAT
+93: DUET FISK HERS AREA TOLL SUP
+94: WOW RAIN LEAK SARA MARK WING
+95: COG YELL MILK CART ABE BAWL
+96: GROW SILK GIST OMEN CAM ANNE
+97: JAG QUAD NUT BEAT BHOY MAGI
+98: ADAM USED GENE NIP EYE SIS
+99: MY SUNG HERO AT DASH RAKE
+100: CORN KNIT BOTH TOGO SOUL BOG
+@end cartouche
+@end example
+
+@heading Using the OTPs
+
+When you try to use one and have initialized a series of
+one-time passwords for yourself you will get a challenge with the
+algorithm being used, the sequence number, and the seed. Enter those in
+your generator or find the corresponding password in your list.
+
+@example
+@cartouche
+login: assar
+assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE>
+@end cartouche
+@end example
+
+The sequence number of the password will start at one less that the
+number you gave to @code{otp} and decrease by one every time you use it.
+You should try to keep track of which should be the current one so that
+you can be assured that nobody has stolen some of your passwords and
+used them. When the number has reached zero you need to acquire a new
+series of passwords.
+
+Once you have initialized your series of passwords, you can always use
+them at any password prompt where you get the challenge as shown above.
+
+@heading Configuring servers
+
+@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to
+require one-time passwords when the connection has not been kerberos
+authenticated. Check the man pages for these programs for the correct
+options.
OpenPOWER on IntegriCloud