one-time-passwords.html

FreeBSD操作系统的详细使用手册

prompt like this:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">telnet example.com</kbd>
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.

FreeBSD/i386 (example.com) (ttypa)

login: <kbd class="USERINPUT">&lt;username&gt;</kbd>
s/key 97 fw13894
Password:
</pre>

<p>Or for OPIE:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">telnet example.com</kbd>
Trying 10.0.0.1...
Connected to example.com
Escape character is '^]'.

FreeBSD/i386 (example.com) (ttypa)

login: <kbd class="USERINPUT">&lt;username&gt;</kbd>
otp-md5 498 gr4269 ext
Password:
</pre>

<p>As a side note, the S/Key and OPIE prompts have a useful feature (not shown here): if
you press <b class="KEYCAP">Return</b> at the password prompt, the prompter will turn
echo on, so you can see what you are typing. This can be extremely useful if you are
attempting to type in a password by hand, such as from a printout.</p>

<p>At this point you need to generate your one-time password to answer this login prompt.
This must be done on a trusted system that you can run <tt class="COMMAND">key</tt> or
<tt class="COMMAND">opiekey</tt> on. (There are versions of these for DOS, <span
class="TRADEMARK">Windows</span>&reg; and <span class="TRADEMARK">Mac&nbsp;OS</span>&reg;
as well.) They need both the iteration count and the seed as command line options. You
can cut-and-paste these right from the login prompt on the machine that you are logging
in to.</p>

<p>On the trusted system:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">key 97 fw13894</kbd>
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: 
WELD LIP ACTS ENDS ME HAAG
</pre>

<p>For OPIE:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">opiekey 498 to4268</kbd>
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
GAME GAG WELT OUT DOWN CHAT
</pre>

<p>Now that you have your one-time password you can continue logging in:</p>

<pre class="SCREEN">
login: <kbd class="USERINPUT">&lt;username&gt;</kbd>
s/key 97 fw13894
Password: <kbd class="USERINPUT">&lt;return to enable echo&gt;</kbd>
s/key 97 fw13894
Password [echo on]: WELD LIP ACTS ENDS ME HAAG
Last login: Tue Mar 21 11:56:41 from 10.0.0.2 ...
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN19310" name="AEN19310">14.5.4 Generating Multiple One-time
Passwords</a></h2>

<p>Sometimes you have to go places where you do not have access to a trusted machine or
secure connection. In this case, it is possible to use the <tt class="COMMAND">key</tt>
and <tt class="COMMAND">opiekey</tt> commands to generate a number of one-time passwords
beforehand to be printed out and taken with you. For example:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">key -n 5 30 zz99999</kbd>
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: <kbd class="USERINPUT">&lt;secret password&gt;</kbd>
26: SODA RUDE LEA LIND BUDD SILT 
27: JILT SPY DUTY GLOW COWL ROT  
28: THEM OW COLA RUNT BONG SCOT  
29: COT MASH BARR BRIM NAN FLAG  
30: CAN KNEE CAST NAME FOLK BILK
</pre>

<p>Or for OPIE:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">opiekey -n 5 30 zz99999</kbd>
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: <kbd class="USERINPUT">&lt;secret password&gt;</kbd>
26: JOAN BORE FOSS DES NAY QUIT
27: LATE BIAS SLAY FOLK MUCH TRIG
28: SALT TIN ANTI LOON NEAL USE
29: RIO ODIN GO BYE FURY TIC
30: GREW JIVE SAN GIRD BOIL PHI
</pre>

<p>The <var class="OPTION">-n 5</var> requests five keys in sequence, the <var
class="OPTION">30</var> specifies what the last iteration number should be. Note that
these are printed out in <span class="emphasis"><i class="EMPHASIS">reverse</i></span>
order of eventual use. If you are really paranoid, you might want to write the results
down by hand; otherwise you can cut-and-paste into <tt class="COMMAND">lpr</tt>. Note
that each line shows both the iteration count and the one-time password; you may still
find it handy to scratch off passwords as you use them.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN19329" name="AEN19329">14.5.5 Restricting Use of <span
class="TRADEMARK">UNIX</span>&reg; Passwords</a></h2>

<p>S/Key can place restrictions on the use of <span class="TRADEMARK">UNIX</span>
passwords based on the host name, user name, terminal port, or IP address of a login
session. These restrictions can be found in the configuration file <tt
class="FILENAME">/etc/skey.access</tt>. The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=skey.access&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">skey.access</span>(5)</span></a> manual
page has more information on the complete format of the file and also details some
security cautions to be aware of before depending on this file for security.</p>

<p>If there is no <tt class="FILENAME">/etc/skey.access</tt> file (this is the default on
FreeBSD 4.X systems), then all users will be allowed to use <span
class="TRADEMARK">UNIX</span> passwords. If the file exists, however, then all users will
be required to use S/Key unless explicitly permitted to do otherwise by configuration
statements in the <tt class="FILENAME">skey.access</tt> file. In all cases, <span
class="TRADEMARK">UNIX</span> passwords are permitted on the console.</p>

<p>Here is a sample <tt class="FILENAME">skey.access</tt> configuration file which
illustrates the three most common sorts of configuration statements:</p>

<pre class="PROGRAMLISTING">
permit internet 192.168.0.0 255.255.0.0
permit user fnord
permit port ttyd0
</pre>

<p>The first line (<var class="LITERAL">permit internet</var>) allows users whose IP
source address (which is vulnerable to spoofing) matches the specified value and mask, to
use <span class="TRADEMARK">UNIX</span> passwords. This should not be considered a
security mechanism, but rather, a means to remind authorized users that they are using an
insecure network and need to use S/Key for authentication.</p>

<p>The second line (<var class="LITERAL">permit user</var>) allows the specified
username, in this case <tt class="USERNAME">fnord</tt>, to use <span
class="TRADEMARK">UNIX</span> passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the <tt class="COMMAND">key</tt> program,
like those with dumb terminals, or those who are ineducable.</p>

<p>The third line (<var class="LITERAL">permit port</var>) allows all users logging in on
the specified terminal line to use <span class="TRADEMARK">UNIX</span> passwords; this
would be used for dial-ups.</p>

<p>OPIE can restrict the use of <span class="TRADEMARK">UNIX</span> passwords based on
the IP address of a login session just like S/Key does. The relevant file is <tt
class="FILENAME">/etc/opieaccess</tt>, which is present by default on FreeBSD 5.0 and
newer systems. Please check <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=opieaccess&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">opieaccess</span>(5)</span></a> for more
information on this file and which security considerations you should be aware of when
using it.</p>

<p>Here is a sample <tt class="FILENAME">opieaccess</tt> file:</p>

<pre class="PROGRAMLISTING">
permit 192.168.0.0 255.255.0.0
</pre>

<p>This line allows users whose IP source address (which is vulnerable to spoofing)
matches the specified value and mask, to use <span class="TRADEMARK">UNIX</span>
passwords at any time.</p>

<p>If no rules in <tt class="FILENAME">opieaccess</tt> are matched, the default is to
deny non-OPIE logins.</p>
</div>
</div>

<h3 class="FOOTNOTES">Notes</h3>

<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN19199" name="FTN.AEN19199"
href="one-time-passwords.html#AEN19199"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%">
<p>Under FreeBSD the standard login password may be up to 128 characters in length.</p>
</td>
</tr>
</table>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="crypt.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="tcpwrappers.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">DES, MD5, and Crypt</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">TCP Wrappers</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>