03656ac1b0
the "core" Kerberos functionality. The rest of the userland will get their own changes later.
128 lines
4.6 KiB
Plaintext
128 lines
4.6 KiB
Plaintext
@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top
|
|
@chapter One-Time Passwords
|
|
|
|
@cindex OTP
|
|
@cindex One time passwords
|
|
There is also support for using @dfn{one time passwords} (OTP) in this
|
|
package. Specifically @code{login}, @code{ftpd}, and @code{popper} have
|
|
support for using them.
|
|
|
|
@menu
|
|
* What are one time passwords?::
|
|
* When to use one time passwords?::
|
|
* Configuring OTPs::
|
|
@end menu
|
|
|
|
@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords
|
|
@comment node-name, next, previous, up
|
|
@section What are one time passwords?
|
|
|
|
One time passwords are, as the name implies, passwords that can only
|
|
be used once. This means that even if someone is eavesdropping on the
|
|
network, they will not be able to make use of the passwords they steal.
|
|
|
|
The OTPs used in this package support @cite{RFC 1938}. This standard is
|
|
also backwards compatible with the well-known S/Key. There are lots of
|
|
programs for generating these on everything from HP 48's to Crays.
|
|
@cindex S/Key
|
|
|
|
@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords
|
|
@comment node-name, next, previous, up
|
|
@section When to use one time passwords?
|
|
|
|
Why would you want to use OTPs instead of Kerberos? The advantage of
|
|
OTPs is that they don't require a computer to operate. You can print
|
|
out a list of passwords and take with you, or you could use your
|
|
calculator or hand-held computer to generate them.
|
|
|
|
The downside is that they only protect you against passive attacks.
|
|
Only the initial connection is authenticated. After that, anyone can
|
|
eavesdrop on your session, so you should not send or view any sensitive
|
|
data (e.g. passwords) over a OTP-initiated link. You are also
|
|
vulnerable to active attacks where intruders try to take over your
|
|
TCP-session and/or introduce data in the middle of it. In other words,
|
|
they provide initial authentication, but neither integrity nor
|
|
confidentiality.
|
|
|
|
The OTPs are generated from the tuple (@var{seed}, @var{sequence
|
|
number}, @var{pass-phrase}). The seed and the sequence number will be
|
|
printed as part of the @dfn{challenge} and you will have to generate the
|
|
corresponding password or pick it from a list.
|
|
|
|
In conclusion, they are simple and can be used everywhere but don't
|
|
protect against all threats that Kerberos does. Use them when you can't
|
|
use Kerberos.
|
|
|
|
@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords
|
|
@comment node-name, next, previous, up
|
|
@section Configuring OTPs
|
|
|
|
@heading Initializing
|
|
|
|
To initialize your OTPs use the @code{otp} program. This program will
|
|
write an entry in a local file on this host with your current password
|
|
(in this case the 100th) and the corresponding seed (@samp{foobar}).
|
|
@pindex otp
|
|
|
|
@example
|
|
@cartouche
|
|
datan:>otp 100 foobar
|
|
Pass-phrase: <pass-phrase>
|
|
Verifying password Pass-phrase: <pass-phrase>
|
|
@end cartouche
|
|
@end example
|
|
|
|
@heading Generating
|
|
|
|
To print out a list of them there is a program called
|
|
@code{otpprint}.
|
|
@pindex otpprint
|
|
|
|
@example
|
|
@cartouche
|
|
datan:>otpprint 100 foobar
|
|
Pass-phrase: <pass-phrase>
|
|
91: SLAM BUY SUP DUSK SKY BEST
|
|
92: DEEM SIGH ROB RASH JUG MAT
|
|
93: DUET FISK HERS AREA TOLL SUP
|
|
94: WOW RAIN LEAK SARA MARK WING
|
|
95: COG YELL MILK CART ABE BAWL
|
|
96: GROW SILK GIST OMEN CAM ANNE
|
|
97: JAG QUAD NUT BEAT BHOY MAGI
|
|
98: ADAM USED GENE NIP EYE SIS
|
|
99: MY SUNG HERO AT DASH RAKE
|
|
100: CORN KNIT BOTH TOGO SOUL BOG
|
|
@end cartouche
|
|
@end example
|
|
|
|
@heading Using the OTPs
|
|
|
|
When you try to use one and have initialized a series of
|
|
one-time passwords for yourself you will get a challenge with the
|
|
algorithm being used, the sequence number, and the seed. Enter those in
|
|
your generator or find the corresponding password in your list.
|
|
|
|
@example
|
|
@cartouche
|
|
login: assar
|
|
assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE>
|
|
@end cartouche
|
|
@end example
|
|
|
|
The sequence number of the password will start at one less that the
|
|
number you gave to @code{otp} and decrease by one every time you use it.
|
|
You should try to keep track of which should be the current one so that
|
|
you can be assured that nobody has stolen some of your passwords and
|
|
used them. When the number has reached zero you need to acquire a new
|
|
series of passwords.
|
|
|
|
Once you have initialized your series of passwords, you can always use
|
|
them at any password prompt where you get the challenge as shown above.
|
|
|
|
@heading Configuring servers
|
|
|
|
@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to
|
|
require one-time passwords when the connection has not been kerberos
|
|
authenticated. Check the man pages for these programs for the correct
|
|
options.
|