svn commit: r44302 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Thu Mar 20 19:05:41 UTC 2014
Author: dru
Date: Thu Mar 20 19:05:40 2014
New Revision: 44302
URL: http://svnweb.freebsd.org/changeset/doc/44302
Log:
Editorial review of first 1/2 of OPIE chapter.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Mar 20 17:14:40 2014 (r44301)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Mar 20 19:05:40 2014 (r44302)
@@ -620,75 +620,72 @@ Enter new password:</programlisting>
</indexterm>
<para>By default, &os; includes support for One-time Passwords In
- Everything (<acronym>OPIE</acronym>), which uses the MD5 hash by
+ Everything (<acronym>OPIE</acronym>). <acronym>OPIE</acronym>
+ is designed to prevent replay attacks, in which an attacker
+ discovers a user's password and uses it to access a system.
+ Since a password is only used once in <acronym>OPIE</acronym>, a
+ discovered password is of little use to an attacker.
+ <acronym>OPIE</acronym> uses a secure hash and a
+ challenge/response system to manage passwords. The &os;
+ implementation uses the <acronym>MD5</acronym> hash by
default.</para>
- <para>There are three different types of passwords. The first is
- the usual &unix; style or Kerberos password. The second is the
- one-time password which is generated by &man.opiekey.1; and
- accepted by &man.opiepasswd.1; and the login prompt. The final
- type of password is the <quote>secret password</quote> used by
- &man.opiekey.1;, and sometimes &man.opiepasswd.1;, to generate
- one-time passwords.</para>
-
- <para>The secret password has nothing to do with the &unix;
- password. They can be the same, but this is not recommended.
- <acronym>OPIE</acronym> secret passwords are not limited to 8
- characters like old &unix; passwords<footnote><para>Under &os;
- the standard login password may be up to 128 characters in
- length.</para></footnote>. Passwords of six or seven word
- long phrases are fairly common. For the most part, the
- <acronym>OPIE</acronym> system operates completely independently
- of the &unix; password system.</para>
+ <para><acronym>OPIE</acronym> uses three different types of passwords. The first is
+ the usual &unix; or Kerberos password. The second is the
+ one-time password which is generated by <command>opiekey</command>.
+ The third
+ type of password is the <quote>secret password</quote> which is used
+ to generate
+ one-time passwords. The secret password has nothing to do with,
+ and should be different from, the &unix;
+ password.</para>
- <para>Besides the password, there are two other pieces of data
+ <para>There are two other pieces of data
that are important to <acronym>OPIE</acronym>. One is the
<quote>seed</quote> or <quote>key</quote>, consisting of two
letters and five digits. The other is the <quote>iteration
count</quote>, a number between 1 and 100.
<acronym>OPIE</acronym> creates the one-time password by
- concatenating the seed and the secret password, applying the MD5
+ concatenating the seed and the secret password, applying the <acronym>MD5</acronym>
hash as many times as specified by the iteration count, and
- turning the result into six short English words. These six
- English words are the one-time password. The authentication
- system (primarily PAM) keeps track of the last one-time password
+ turning the result into six short English words which represent
+ the one-time password. The authentication
+ system keeps track of the last one-time password
used, and the user is authenticated if the hash of the
user-provided password is equal to the previous password.
Because a one-way hash is used, it is impossible to generate
future one-time passwords if a successfully used password is
captured. The iteration count is decremented after each
successful login to keep the user and the login program in sync.
- When the iteration count gets down to 1,
+ When the iteration count gets down to <literal>1</literal>,
<acronym>OPIE</acronym> must be reinitialized.</para>
<para>There are a few programs involved in this process.
- &man.opiekey.1; accepts an iteration count, a seed, and a secret
- password, and generates a one-time password or a consecutive
- list of one-time passwords. In addition to initializing
+ A one-time password, or a consecutive
+ list of one-time passwords, is generated by passing an iteration
+ count, a seed, and a secret
+ password to &man.opiekey.1;. In addition to initializing
<acronym>OPIE</acronym>, &man.opiepasswd.1; is used to change
- passwords, iteration counts, or seeds. It takes either a secret
- passphrase, or an iteration count, seed, and a one-time
- password. The relevant credential files in
+ passwords, iteration counts, or seeds. The relevant credential files in
<filename>/etc/opiekeys</filename> are examined by
&man.opieinfo.1; which prints out the invoking user's current
iteration count and seed.</para>
- <para>There are four different sorts of operations. The first is
- to use &man.opiepasswd.1; over a secure connection to set up
- one-time-passwords for the first time, or to change the password
- or seed. The second operation is to use &man.opiepasswd.1; over
- an insecure connection, in conjunction with &man.opiekey.1; over
- a secure connection, to do the same. The third is to use
- &man.opiekey.1; to log in over an insecure connection. The
- fourth is to use &man.opiekey.1; to generate a number of keys
- which can be written down or printed out to carry to insecure
- locations in order to make a connection to anywhere.</para>
+ <para>This section describes four different sorts of operations. The first is
+ how to set up
+ one-time-passwords for the first time
+ over a secure connection. The second is how to use <command>opiepasswd</command> over
+ an insecure connection. The third is how to
+ log in over an insecure connection. The
+ fourth is how to generate a number of keys
+ which can be written down or printed out to use at insecure
+ locations.</para>
<sect2>
- <title>Secure Connection Initialization</title>
+ <title>Initializing <acronym>OPIE</acronym></title>
<para>To initialize <acronym>OPIE</acronym> for the first time,
- execute &man.opiepasswd.1;:</para>
+ run this command from a secure location:</para>
<screen>&prompt.user; <userinput>opiepasswd -c</userinput>
[grimreaper] ~ $ opiepasswd -f -c
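Review bot: The new definition of a replay attack in the first paragraph ("an attacker discovers a user's password and uses it to access a system") describes password compromise in general rather than replay; a replay attack is specifically the re-use of a credential captured in transit, which is exactly the case a one-time password defeats. Suggest "in which an attacker captures a user's password as it is sent to the server and later re-uses it to access the system". Two smaller points in the same hunk: the three-password paragraph refers to `<command>opiekey</command>` while the later paragraph uses `&man.opiekey.1;` for the same program, so the first mention should carry the man page entity and later ones the `<command>` form; and "one-time-passwords" in the four-operations paragraph is hyphenated differently from "one-time password" everywhere else in the hunk. Dropping the sentence that `opiepasswd` takes "either a secret passphrase, or an iteration count, seed, and a one-time password" also removes the only explanation of why the insecure-connection procedure in the next section works, so consider keeping a short form of it.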
@@ -703,25 +700,38 @@ Again new secret pass phrase:
ID unfurl OTP key is 499 to4268
MOS MALL GOAT ARM AVID COED</screen>
- <para>At the <prompt>Enter new secret pass phrase:</prompt> or
- <prompt>Enter secret password:</prompt> prompt, enter a
- password or phrase. This is not the login password as this
- password is used to generate the one-time login keys. The
- <quote>ID</quote> line gives the parameters of the instance:
- the login name, iteration count, and seed. When logging in,
+ <para>The <option>-c</option> sets console mode which assumes
+ that the command is being run from a secure location, such as
+ a computer under the user's control or a
+ <acronym>SSH</acronym> session to a computer under the user's
+ control.</para>
+
+ <para>When prompted, enter the secret
+ password which will be
+ used to generate the one-time login keys. This password
+ should be difficult to guess and should be different than the
+ password which is associated with the user's login
+ account. It must be between 10 and 127 characters long.
+ Remember this password.</para>
+
+ <para>The
+ <literal>ID</literal> line lists
+ the login name (<literal>unfurl</literal>), default iteration count
+ (<literal>499</literal>), and default seed
+ (<literal>to4268</literal>). When logging in,
the system will remember these parameters and display them,
meaning that they do not have to be memorized. The last line
- gives the particular one-time password which corresponds to
+ lists the generated one-time password which corresponds to
those parameters and the secret password. At the next login,
- this one-time password is the one to use.</para>
+ use this one-time password.</para>
</sect2>
<sect2>
<title>Insecure Connection Initialization</title>
- <para>To initialize or change the secret password over an
- insecure connection, a secure connection is needed to some
- place where &man.opiekey.1; can be run. This might be a shell
+ <para>To initialize or change the secret password on an
+ insecure system, a secure connection is needed to some
+ place where <command>opiekey</command> can be run. This might be a shell
prompt on a trusted machine. An iteration count is needed,
where 100 is probably a good value, and the seed can either be
specified or the randomly-generated one used. On the insecure
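Review bot: The last changed lines turn "over an insecure connection" into "on an insecure system", but the section is still titled "Insecure Connection Initialization" and the procedure it introduces is about an untrusted link, not an untrusted host; a user who trusted the remote host no more than the network would not want to type the secret password into it at all. Suggest restoring "over an insecure connection". In the `-c` paragraph, "The <option>-c</option> sets console mode" reads as if a word is missing; "The <option>-c</option> option sets console mode" or "<option>-c</option> sets console mode" would fix it, and since the unchanged `<screen>` above shows `opiepasswd -f -c`, a clause on what `-f` does (or dropping it from the example) would keep prose and example in step. Finally, "should be different than the password" here disagrees with "should be different from" in the first hunk; use "different from" in both.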