1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
OPIE Software Distribution, Release 2.4 Installation Instructions
======================================= =========================
Did you read the README file?
If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install
it.
OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.
1. Run the "configure" script.
Normally, you will need to type:
sh configure
If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:
sh configure --enable-access-file=/etc/opieaccess
If you'd like the file to go somewhere else, adjust this appropriately.
There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:
sh configure --help
Some options that may be of interest are:
--enable-access-file=FILENAME: Enable the OPIE access file FILENAME
The OPIE access file provides a system administrator with the ability
to make the use of OTP optional for certain hosts. Note that individual
users can create a file named ".opiealways" in their home directory to
require that OTP be used to access to their account. Note also that the
access file is based on addresses, but many of the clients that use it
are only given hostnames. This opens this entire scheme up to DNS
spoofing attacks, which is a major security problem. ALWAYS use a
package such as tcp_wrappers configured to do paranoid checking on DNS
information if you enable this option (it's good practice anyway).
--enable-server-md4: Use MD4 instead of MD5 for the server
The old S/Key package used MD4 instead of MD5. MD4 is believed to be
less secure than MD5. Use this option only for compatibility with old
key files.
--disable-user-locking: Disable user locking
OPIE only allows one session at a time to attempt to authenticate a
principal; this prevents a possible race attack on OTP. This locking
mechanism can cause problems in some applications, in which case you
might want to disable the locking. This option also provides a work-
around if the locking code doesn't work reliably on your system.
--enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
The OPIE lock files need to be put in an isolated directory that is
only accessable by the super-user and has a parent directory that is
only writable by the super-user. If you are trying to use OPIE with
the key file shared by NFS, you need to make the lock directory
shared too. (But you read the README file, so you knew this)
--enable-retype: Ask users to re-type their secret pass phrases
On the one hand, this helps prevent users from having to go generate
an OTP, type it into a remote system, and then found out they
mistyped. On the other hand, it's annoying. If this is enabled, users
can simply hit return at the second prompt and the generator will skip
the retype check, which allows users who don't like the retype check
to mostly skip it.
--enable-su-star-check: Refuse to switch to disabled accounts
On many systems, an asterisk means one thing and one thing only: this
account is never meant for human users. Therefore, it doesn't make
much sense for anyone other than an attacker to try to su to that
account. Enabling this check causes su to refuse to switch to
accounts with an asterisk in their password field. While probably
better for security, this is not compatible with traditional *IX su
behavior, so it is disabled by default
--disable-new-prompts: Use more compatible (but less informative) prompts
OPIE uses login prompts that tell you exactly what kind of response
(an OTP response and/or a cleartext password) it expects you to give.
This can break automatic login scripts that look for 'Password:' as
the prompt for the password. If you have users that use such scripts,
you might want to disable the more informative responses so as not to
break those scripts.
--enable-insecure-override: Allow users to override insecure checks
While OPIE cannot determine whether or not a session is secure, it can
check for fairly common signs that it isn't secure. If it believes the
session is insecure, some programs like opiekey will refuse to run
because they prompt the user to send a secret pass phrase. Sometimes
these checks declare a session insecure when it is, and sometimes the
user wants to continue anyway even if the session is insecure. If this
option is enabled, many commands gain a '-f' option to force them to
operate even if OPIE thinks the session is insecure.
--enable-anonymous-ftp Enable anonymous FTP support
By default, the OPIE FTP daemon does not support anonymous FTP
service. The FTP daemon contains many security related bug fixes
relative to the original source, but bugs probably remain. It was not
intended to be used for anonymous FTP, where it is more open to the
commands of potentially hostile users. If you enable this option, it
will once again support anonymous FTP, but it probably isn't secure
when that way.
--disable-utmp Disable utmp logging
--disable-wtmp Disable wtmp logging
On some systems, logging to the utmp and/or wtmp files is just a lost
cause. If this is the case on your system, you might be better off
not having OPIE even try.
--enable-opieauto Enable support for opieauto
opieauto is a facility that caches an intermediate result of the OTP
generator so that a user-selected number of OTPs can be generated on
demand for each time the user types in the secret pass phrase. This
is great for user convenience, as typing a twenty or thirty character
secret pass phrase can be annoying. It can also be a minor security
hole (see the README for details).
2. Edit the Makefile
The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.
The Makefile created by Autoconf should be correct for most users
as-is.
3. Build OPIE
Normally, you will need to type:
make
If you only want to build the client programs, type:
make client
If you only want to build the server programs, type:
make server
4. Verify that OPIE works on your system and install
Normall, you will need to type:
make install
If you only want to install the client programs, type:
make client-install
If you only want to install the server programs, type:
make server-install
If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert back to almost the
way things were before.
Copyright
=========
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
|
