One-time Passwords In Everything (OPIE) provides a more secure login environment without requiring encrypted traffic to be sent between hosts. It is based on the s/key system designed at Bell Labs, and was written at the Naval Research Labs.
Getting and Installing OPIE
OPIE can be had from http://www.inner.net. The most recent version as of this writing was 2.32. After downloading, building OPIE is a three-step process. If I've downloaded OPIE into /usr/local/src, I'd do the following:
# ./configure # make # make install
At this point, the real work begins: You need to get any users who will be using the OPIE server to run opiepassword to generate an initial pass-phrase. It is important that this is only done on a secure terminal.
The server side of OPIE is taken care of when you do the make install step of the installation. Each user must be separately added to the OPIE database. This is done with the opiepasswd command, as shown in Listing 13.
Listing 13 Using opiepasswd
[pate@cherry sgml]$ opiepasswd -n 497 -c Updating pate: Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter old secret pass phrase: Enter new secret pass phrase: Again new secret pass phrase: ID pate OPIE key is 497 cr1997 PHI CLAY MOOD VOID ELI BIRD [pate@cherry sgml]$
OPIE at Work
After you've got OPIE installed and configured, the fun begins. When you telnet in to the opiefied box, you'll go through the process shown in Listing 14.
Listing 14 Connecting to a Remote Host with OPIE
[pate@cherry sgml]$ telnet 192.168.1.20 Trying 192.168.1.20... Connected to 192.168.1.20. Escape character is '^]'. Red Hat Linux release 6.2 (Zoot) Kernel 2.2.14-5.0 on an i586 patelogin: login: pate otp-md5 497 cr1997 ext Response: phi clay mood void eli bird Last login: Fri Sep 1 05:27:20 from crashtestdummy [pate@crashtestdummy pate]$
The actual response generated from the otp-md56 program is given in Listing 15.
Listing 15 Using otp5 on Your Local Host
[pate@cherry pate]$ otp5 497 cr1997 Using the MD5 algorithm to compute response. Reminder:Don't use opiekey from telnet or dial-in sessions Enter secret pass phrase: PHI CLAY MOOD VOID ELI BIRD [pate@cherry pate]$
The reminder shown in this output is important. OPIE does not do any encryption of your traffic, so if you were to use opiekey (under any of its names) you would be divulging your pass phrase to anyone capable of seeing the packets you're sending. In fact, if I tried to run this same command from my telnet session into crashtestdummy, it would fail with an error reminding that I was not on a secure terminal.