path: root/contrib/opie/INSTALL
blob: db23f84a2b767107ac9d57d3e1fe49b5c5a453e0 (plain)
OPIE Software Distribution, Release 2.4               Installation Instructions
=======================================               =========================

	Did you read the README file?

	If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install
it.

	OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.

1. Run the "configure" script.

	Normally, you will need to type:

	sh configure

	If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:

	sh configure --enable-access-file=/etc/opieaccess

	If you'd like the file to go somewhere else, adjust this appropriately.

	There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:

	sh configure --help

	Some options that may be of interest are:

  --enable-access-file=FILENAME: Enable the OPIE access file FILENAME
    The OPIE access file provides a system administrator with the ability
    to make the use of OTP optional for certain hosts. Note that individual
    users can create a file named ".opiealways" in their home directory to 
    require that OTP be used to access to their account. Note also that the
    access file is based on addresses, but many of the clients that use it
    are only given hostnames. This opens this entire scheme up to DNS
    spoofing attacks, which is a major security problem. ALWAYS use a
    package such as tcp_wrappers configured to do paranoid checking on DNS
    information if you enable this option (it's good practice anyway).

  --enable-server-md4: Use MD4 instead of MD5 for the server
    The old S/Key package used MD4 instead of MD5. MD4 is believed to be
    less secure than MD5. Use this option only for compatibility with old
    key files. (Both MD4 and MD5 are long obsolete as general-purpose hash
    functions; this option exists for compatibility, not for any security
    benefit.)

  --disable-user-locking: Disable user locking
    OPIE only allows one session at a time to attempt to authenticate a
    principal; this prevents a possible race attack on OTP. This locking
    mechanism can cause problems in some applications, in which case you
    might want to disable the locking. This option also provides a work-
    around if the locking code doesn't work reliably on your system.

  --enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
    The OPIE lock files need to be put in an isolated directory that is
    only accessible by the super-user and has a parent directory that is
    only writable by the super-user. If you are trying to use OPIE with
    the key file shared by NFS, you need to make the lock directory
    shared too. (But you read the README file, so you knew this.)

  --enable-retype: Ask users to re-type their secret pass phrases
    On the one hand, this helps prevent users from having to go generate
    an OTP, type it into a remote system, and only then find out they
    mistyped. On the other hand, it's annoying. If this is enabled, users
    can simply hit return at the second prompt and the generator will skip
    the retype check, so users who don't like the retype check can mostly
    skip it.

  --enable-su-star-check: Refuse to switch to disabled accounts
    On many systems, an asterisk means one thing and one thing only: this
    account is never meant for human users. Therefore, it doesn't make
    much sense for anyone other than an attacker to try to su to that
    account. Enabling this check causes su to refuse to switch to
    accounts with an asterisk in their password field. While probably
    better for security, this is not compatible with traditional *IX su
    behavior, so it is disabled by default.

  --disable-new-prompts: Use more compatible (but less informative) prompts
    OPIE uses login prompts that tell you exactly what kind of response
    (an OTP response and/or a cleartext password) it expects you to give.
    This can break automatic login scripts that look for 'Password:' as
    the prompt for the password. If you have users that use such scripts,
    you might want to disable the more informative responses so as not to
    break those scripts.

  --enable-insecure-override: Allow users to override insecure checks
    While OPIE cannot determine whether or not a session is secure, it can
    check for fairly common signs that it isn't secure. If it believes the
    session is insecure, some programs like opiekey will refuse to run
    because they prompt the user to send a secret pass phrase. Sometimes
    these checks declare a session insecure when it is actually secure,
    and sometimes the user wants to continue anyway even though the
    session is insecure. If this option is enabled, many commands gain a
    '-f' option to force them to operate even if OPIE thinks the session
    is insecure.

  --enable-anonymous-ftp  Enable anonymous FTP support
    By default, the OPIE FTP daemon does not support anonymous FTP
    service. The FTP daemon contains many security related bug fixes
    relative to the original source, but bugs probably remain. It was not
    intended to be used for anonymous FTP, where it is more exposed to
    the commands of potentially hostile users. If you enable this option,
    it will once again support anonymous FTP, but it probably isn't secure
    when used that way.

  --disable-utmp          Disable utmp logging
  --disable-wtmp          Disable wtmp logging
    On some systems, logging to the utmp and/or wtmp files is just a lost
    cause. If this is the case on your system, you might be better off
    not having OPIE even try.

  --enable-opieauto       Enable support for opieauto
    opieauto is a facility that caches an intermediate result of the OTP
    generator so that a user-selected number of OTPs can be generated on
    demand for each time the user types in the secret pass phrase. This
    is great for user convenience, as typing a twenty or thirty character
    secret pass phrase can be annoying. It can also be a minor security
    hole (see the README for details).
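	The address-based matching that the --enable-access-file option above
relies on, as an added example. This is illustrative shell written for this
page, not OPIE's own access-file parser: the "permit|deny ADDRESS MASK" line
layout, the function names ip4_to_int / opie_access_decision and the sample
rules are assumptions made for the demo. The point it makes is the one in the
option description: the decision takes a client address, never a hostname. A
caller that only has a hostname must resolve it first, which is exactly where
the DNS-spoofing exposure comes in, so the function refuses anything that is
not a dotted quad instead of guessing.

```shell
#!/bin/sh
# Illustrative address-based access decision in the spirit of the OPIE
# access file. NOT OPIE's parser; the "permit|deny ADDRESS MASK" line
# layout and the function names are assumptions for this example.

# ip4_to_int DOTTED
# Prints DOTTED as a 32-bit integer. Returns 1 if DOTTED is not a plain
# dotted quad (a hostname, an empty octet, a leading-zero octet, >255).
ip4_to_int() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # "010" would be read as octal
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# opie_access_decision FILE CLIENT_ADDR
# Prints "permit" or "deny" from the first rule whose network contains
# CLIENT_ADDR; prints "deny" if nothing matches (default-deny). Returns 2
# without printing anything when CLIENT_ADDR is not an address, because a
# hostname has to be resolved (carefully) before it can be matched at all.
opie_access_decision() {
    file=$1
    want=$(ip4_to_int "$2") || return 2
    while read -r action addr mask rest; do
        case "$action" in
            ''|'#'*) continue ;;        # blank line or comment
            permit|deny) ;;
            *) continue ;;              # unknown keyword: ignore the line
        esac
        a=$(ip4_to_int "$addr") || continue
        m=$(ip4_to_int "$mask") || continue
        if [ $(( want & m )) -eq $(( a & m )) ]; then
            echo "$action"
            return 0
        fi
    done < "$file"
    echo deny
}

# make_sample_access_file PATH
# Writes a constructed sample rule set (not a real site's policy).
make_sample_access_file() {
    cat > "$1" <<'EOF'
# action   address        mask
permit     127.0.0.1      255.255.255.255
permit     192.0.2.0      255.255.255.0
deny       0.0.0.0        0.0.0.0
EOF
}

demo() {
    f=$(mktemp) || return 1
    make_sample_access_file "$f"
    for client in 127.0.0.1 192.0.2.77 198.51.100.9 trusted.example.com; do
        if verdict=$(opie_access_decision "$f" "$client"); then
            printf '%-22s %s\n' "$client" "$verdict"
        else
            printf '%-22s refused: not an address, resolve it first\n' "$client"
        fi
    done
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

	Run "sh opieaccess-demo.sh demo" to see the verdicts for the constructed
rules. The fall-through when no rule matches is deny, which is the safe
direction for a file whose whole purpose is to waive OTP for a few hosts.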

2. Edit the Makefile

	The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.

	The Makefile created by Autoconf should be correct for most users
as-is.

3. Build OPIE

	Normally, you will need to type:

	make

	If you only want to build the client programs, type:

	make client

	If you only want to build the server programs, type:

	make server

4. Verify that OPIE works on your system and install

	Normally, you will need to type:

	make install

	If you only want to install the client programs, type:

	make client-install

	If you only want to install the server programs, type:

	make server-install

	If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert to almost the way
things were before.
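	A preflight check worth running before "make install" when user locking
is enabled, as an added example. It verifies the lock directory requirement
stated under --enable-user-locking (the directory accessible only by the
super-user, its parent writable only by the super-user). This is example code
written for this page, not part of the OPIE distribution; the function names
check_opie_lockdir and perms_and_uid are made up for it. It relies on
"ls -ldn", which prints a mode string and a numeric owner uid on BSD and GNU
systems alike. The optional second argument lets you run it against a
directory owned by a non-root uid, which is only useful for testing the check
itself; for a real install the owner must be root.

```shell
#!/bin/sh
# Added preflight check for the OPIE lock directory requirement: DIR
# accessible only by the super-user, DIR's parent writable only by the
# super-user. Example code, not from the OPIE distribution; the function
# names are made up for it.

# perms_and_uid PATH -> prints "MODESTRING UID", e.g. "drwx------ 0"
# (first ten characters only, so ACL/SELinux markers after the mode are
# dropped).
perms_and_uid() {
    ls -ldn "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# check_opie_lockdir DIR [ROOT_UID]
# Returns 0 if DIR is a real directory owned by ROOT_UID (default 0)
# with no group/other permission bits at all, and DIR's parent is owned
# by ROOT_UID with the group and other write bits clear. Otherwise prints
# the reason and returns 1.
check_opie_lockdir() {
    dir=$1
    root=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    set -- $(perms_and_uid "$dir")
    mode=$1; uid=$2
    case "$mode" in
        l*) echo "$dir: is a symlink; use the real directory"; return 1 ;;
    esac
    [ "$uid" = "$root" ] || { echo "$dir: owner uid $uid, expected $root"; return 1; }
    case "$mode" in
        d???------) ;;
        *) echo "$dir: mode $mode is reachable by non-owners (want 0700)"; return 1 ;;
    esac
    parent=$(dirname "$dir")
    set -- $(perms_and_uid "$parent")
    mode=$1; uid=$2
    [ "$uid" = "$root" ] || { echo "$parent: owner uid $uid, expected $root"; return 1; }
    # Mode string positions: 1 type, 2-4 user rwx, 5-7 group rwx, 8-10
    # other rwx; the group and other write bits are characters 6 and 9.
    case "$mode" in
        d????-??-?) ;;
        *) echo "$parent: mode $mode is writable by non-owners"; return 1 ;;
    esac
    echo "$dir: ok"
}

# Usage: sh check-opielocks.sh /etc/opielocks
if [ $# -gt 0 ]; then
    check_opie_lockdir "$@"
fi
```

	A world-writable or sticky parent (a /tmp-style 1777 directory) fails the
parent check on purpose: an attacker who can rename or replace the lock
directory defeats the one-session-at-a-time guarantee the locking exists for.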

Copyright
=========

%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.

Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.