Tag: openpam

Using OPIE on FreeBSD 6.3

The best documentation out there on OPIE focuses on using OPIE with FreeBSD. FreeBSD comes with OPIE as part of the core, and it works beautifully.

The FreeBSD Handbook contains a section on One-time Passwords (14.5) which discusses using OPIE, and how to use utilities associated with it.

The esteemed Dru Lavigne wrote excellent articles as well (way back in February of 2003!) about making OTP work in FreeBSD. The first was One-Time Passwords, and followed by PAM (which used OPIE access as an example).

There is no installation required, as all the appropriate bits already exist in the base install. To get started, follow this example with your own password:

$ opiepasswd -c
Only use this method from the console: NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
 
ID dgd OTP key is 499 xf4915
OTTO BRIM CAT PEN FAD PREEN
$

Now everything is set. However, the first password requested will be number 498: so let’s generate the key so we can record it:

$ opiekey 499 xf4915
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
498: SLIP MAX ROT BLIP PIP FLIT
$

Note that this second step does not have to be done on the same machine. You do need to have your count (499 in the example) and the seed (xf4915 in the example). Combined with your secret password, you can generate your next password or passwords using any valid OTP password calculator.

Dru’s article on PAM discusses the conversion from Linux PAM to OpenPAM, and other things relevant to the introduction of FreeBSD 5.0. However, now with FreeBSD 6.3 out and FreeBSD 7 coming, most of what she discussed then is now well-tested and preconfigured. OPIE is built into PAM as she suggests (within the file /etc/pam.d/system file).

Now if you want to be forced to log in with OTP, touch the file .opiealways (note the leading dot) file in your home directory and it will be so.

There was also an interview done in June of 2007 in BSDTalk #117 (audio) which discussed OTP in depth. One interesting thing to note: FreeBSD uses OPIE, whereas NetBSD and OpenBSD both use S/Key for their implementations.