@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top @chapter One-Time Passwords @cindex OTP @cindex One time passwords There is also support for using @dfn{one time passwords} (OTP) in this package. Specifically @code{login}, @code{ftpd}, and @code{popper} have support for using them. @menu * What are one time passwords?:: * When to use one time passwords?:: * Configuring OTPs:: @end menu @node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords @comment node-name, next, previous, up @section What are one time passwords? One time passwords are, as the name implies, passwords that can only be used once. This means that even if someone is eavesdropping on the network, they will not be able to make use of the passwords they steal. The OTPs used in this package support @cite{RFC 1938}. This standard is also backwards compatible with the well-known S/Key. There are lots of programs for generating these on everything from HP 48's to Crays. @cindex S/Key @node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords @comment node-name, next, previous, up @section When to use one time passwords? Why would you want to use OTPs instead of Kerberos? The advantage of OTPs is that they don't require a computer to operate. You can print out a list of passwords and take with you, or you could use your calculator or hand-held computer to generate them. The downside is that they only protect you against passive attacks. Only the initial connection is authenticated. After that, anyone can eavesdrop on your session, so you should not send or view any sensitive data (e.g. passwords) over a OTP-initiated link. You are also vulnerable to active attacks where intruders try to take over your TCP-session and/or introduce data in the middle of it. In other words, they provide initial authentication, but neither integrity nor confidentiality. The OTPs are generated from the tuple (@var{seed}, @var{sequence number}, @var{pass-phrase}). The seed and the sequence number will be printed as part of the @dfn{challenge} and you will have to generate the corresponding password or pick it from a list. In conclusion, they are simple and can be used everywhere but don't protect against all threats that Kerberos does. Use them when you can't use Kerberos. @node Configuring OTPs, , When to use one time passwords?, One-Time Passwords @comment node-name, next, previous, up @section Configuring OTPs @heading Initializing To initialize your OTPs use the @code{otp} program. This program will write an entry in a local file on this host with your current password (in this case the 100th) and the corresponding seed (@samp{foobar}). @pindex otp @example @cartouche datan:>otp 100 foobar Pass-phrase: Verifying password Pass-phrase: @end cartouche @end example @heading Generating To print out a list of them there is a program called @code{otpprint}. @pindex otpprint @example @cartouche datan:>otpprint 100 foobar Pass-phrase: 91: SLAM BUY SUP DUSK SKY BEST 92: DEEM SIGH ROB RASH JUG MAT 93: DUET FISK HERS AREA TOLL SUP 94: WOW RAIN LEAK SARA MARK WING 95: COG YELL MILK CART ABE BAWL 96: GROW SILK GIST OMEN CAM ANNE 97: JAG QUAD NUT BEAT BHOY MAGI 98: ADAM USED GENE NIP EYE SIS 99: MY SUNG HERO AT DASH RAKE 100: CORN KNIT BOTH TOGO SOUL BOG @end cartouche @end example @heading Using the OTPs When you try to use one and have initialized a series of one-time passwords for yourself you will get a challenge with the algorithm being used, the sequence number, and the seed. Enter those in your generator or find the corresponding password in your list. @example @cartouche login: assar assar's [ otp-md5 99 foobar ] Password: @end cartouche @end example The sequence number of the password will start at one less that the number you gave to @code{otp} and decrease by one every time you use it. You should try to keep track of which should be the current one so that you can be assured that nobody has stolen some of your passwords and used them. When the number has reached zero you need to acquire a new series of passwords. Once you have initialized your series of passwords, you can always use them at any password prompt where you get the challenge as shown above. @heading Configuring servers @code{ftpd}, @code{telnetd}, and @code{popper} can be configured to require one-time passwords when the connection has not been kerberos authenticated. Check the man pages for these programs for the correct options.