Home > Articles > Operating Systems, Server > Linux/UNIX/Open Source

Security Tools

  • Print
  • + Share This
From the author of


One-time Passwords In Everything (OPIE) provides a more secure login environment without requiring encrypted traffic to be sent between hosts. It is based on the s/key system designed at Bell Labs, and was written at the Naval Research Labs.

Getting and Installing OPIE

OPIE can be had from http://www.inner.net. The most recent version as of this writing was 2.32. After downloading, building OPIE is a three-step process. If I've downloaded OPIE into /usr/local/src, I'd do the following:

# ./configure
# make
# make install

At this point, the real work begins: You need to get any users who will be using the OPIE server to run opiepassword to generate an initial pass-phrase. It is important that this is only done on a secure terminal.

Configuring OPIE

The server side of OPIE is taken care of when you do the make install step of the installation. Each user must be separately added to the OPIE database. This is done with the opiepasswd command, as shown in Listing 13.

Listing 13 Using opiepasswd

[pate@cherry sgml]$ opiepasswd -n 497 -c
Updating pate:
Reminder - Only use this method from the console;
NEVER from remote. If you
are using telnet, xterm, or a dial-in, type ^C now or
exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter old secret pass phrase:
Enter new secret pass phrase:
Again new secret pass phrase:

ID pate OPIE key is 497 cr1997
[pate@cherry sgml]$

OPIE at Work

After you've got OPIE installed and configured, the fun begins. When you telnet in to the opiefied box, you'll go through the process shown in Listing 14.

Listing 14 Connecting to a Remote Host with OPIE

[pate@cherry sgml]$ telnet
Connected to
Escape character is '^]'.
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.14-5.0 on an i586
login: pate
otp-md5 497 cr1997 ext

Response: phi clay mood void eli bird
Last login: Fri Sep 1 05:27:20 from crashtestdummy
[pate@crashtestdummy pate]$

The actual response generated from the otp-md56 program is given in Listing 15.

Listing 15 Using otp5 on Your Local Host

[pate@cherry pate]$ otp5 497 cr1997
Using the MD5 algorithm to compute response.
Reminder:Don't use opiekey from telnet or dial-in sessions
Enter secret pass phrase:
[pate@cherry pate]$

The reminder shown in this output is important. OPIE does not do any encryption of your traffic, so if you were to use opiekey (under any of its names) you would be divulging your pass phrase to anyone capable of seeing the packets you're sending. In fact, if I tried to run this same command from my telnet session into crashtestdummy, it would fail with an error reminding that I was not on a secure terminal.

  • + Share This
  • 🔖 Save To Your Account