opie-2.4: description + notes

"One-time Passwords In Everything" (OPIE) is a freely distributable software package originally developed at and for the US Naval Research Laboratory (NRL). Recent versions are the result of a cooperative effort between NRL, several of the original NRL authors, The Inner Net, and many other contributors from the Internet community.

OPIE is an implementation of the One-Time Password (OTP) System that is being considered for the Internet standards-track. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software.

OPIE is primarily written for UNIX-like operating systems, but work is underway to make applicable portions portable to other operating systems. The OPIE software is derived in part from and is fully interoperable with the Bell Communications Research (Bellcore) S/Key Release 1 software. Because Bellcore claims "S/Key" as a trademark for their software, NRL was forced to use a different name (they picked "OPIE") for this software distribution.

By default this package only installs the tools used to access an opie-protected system. If you wish to install OPIE authentication on a server you will need to take some additional steps:

  1. Install fw_opie.src.opie and convince yourself that the privileged code is safe.
  2. Install the non-default fw_opie.sw.opie_server (and fw_opie.man.opie_server) subsystems in this package.
  3. Edit /etc/default/login to specify opieauth as your SITECHECK program. Note that sitecheck programs must be executable, owned by root, and not writable by anyone else.
  4. Optionally edit /etc/opieaccess to specify which networks are permitted to log in using regular password authentication. This is a security risk!
  5. Set up local procedures to ensure that all users with login access to the protected machine have opie passwords. (You may wish to replace opiepasswd with a script that does rsh to the server, and distribute that script to other machines.)
  6. You may optionally replace the standard su and ftpd programs with OPIE equivalents, but note that the OPIE versions are not derived from IRIX source. They do not support IRIX 6.5 capability-based privileges or other IRIX extensions. As distributed in this package, opieftpd does not permit anonymous logins, and opiesu will switch to disabled accounts.
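
A check for the file requirements in step 3 (executable, owned by root, not writable by anyone else), as an added example that is not part of OPIE or of this package. The function names and the SITECHECK=/path line format it reads from the login defaults file are assumptions; it also rejects symlinks, which goes beyond what step 3 states.

```shell
#!/bin/sh
# Added example: audit the SITECHECK program named in a login defaults file.

# Print the program named by the last SITECHECK= line of the file.
# Assumption: entries look like SITECHECK=/path/to/opieauth.
sitecheck_path() {
    sed -n 's/^SITECHECK=//p' "$1" | tail -n 1
}

# check_sitecheck PROG [UID]: return 0 only if PROG is a regular file (not a
# symlink), owned by UID (default 0, root), executable by its owner, and not
# writable by group or other.
check_sitecheck() {
    prog=$1
    want_uid=${2:-0}
    if [ -L "$prog" ] || [ ! -f "$prog" ]; then
        echo "FAIL: $prog is missing, a symlink, or not a regular file"
        return 1
    fi
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    set -- $(ls -ldn "$prog")
    mode=$1 uid=$3 rc=0
    [ "$uid" = "$want_uid" ] || { echo "FAIL: owner uid $uid, want $want_uid"; rc=1; }
    # Mode string layout: type, then rwx for owner, group, other.
    case $mode in ???[xs]*) ;; *) echo "FAIL: not executable by owner"; rc=1 ;; esac
    case $mode in ?????w*) echo "FAIL: group-writable"; rc=1 ;; esac
    case $mode in ????????w*) echo "FAIL: world-writable"; rc=1 ;; esac
    [ "$rc" -eq 0 ] && echo "OK: $prog ($mode uid=$uid)"
    return "$rc"
}

# audit_login FILE [UID]: look up SITECHECK in FILE and check that program.
audit_login() {
    prog=$(sitecheck_path "$1")
    [ -n "$prog" ] || { echo "FAIL: no SITECHECK entry in $1"; return 1; }
    check_sitecheck "$prog" "${2:-0}"
}

# Stand-alone use: sh audit.sh /etc/default/login
if [ $# -gt 0 ]; then audit_login "$@"; fi
```

Run it after step 3 and again after any package upgrade, since a reinstall can reset ownership or mode on the sitecheck program.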

The contributed scripts opieprint and tkopiekey are included with this distribution.

