OPIE Software Distribution, Release 2.4 Installation Instructions
=======================================  =========================

        Did you read the README file?

        If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off reading it before you try to compile and install
it.

        OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.

1. Run the "configure" script.

        Normally, you will need to type:

        sh configure

        If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:

        sh configure --enable-access-file=/etc/opieaccess

        If you'd like the file to go somewhere else, adjust this appropriately.

        There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:

        sh configure --help

        Some options that may be of interest are:

        --enable-access-file=FILENAME: Enable the OPIE access file FILENAME
            The OPIE access file provides a system administrator with the ability
            to make the use of OTP optional for certain hosts. Note that individual
            users can create a file named ".opiealways" in their home directory to
            require that OTP be used to access their account. Note also that the
            access file is based on addresses, but many of the clients that use it
            are only given hostnames. This opens this entire scheme up to DNS
            spoofing attacks, which is a major security problem. ALWAYS use a
            package such as tcp_wrappers configured to do paranoid checking on DNS
            information if you enable this option (it's good practice anyway).

        --enable-server-md4: Use MD4 instead of MD5 for the server
            The old S/Key package used MD4 instead of MD5. MD4 is believed to be
            less secure than MD5. Use this option only for compatibility with old
            key files.

        --disable-user-locking: Disable user locking
            OPIE only allows one session at a time to attempt to authenticate a
            principal; this prevents a possible race attack on OTP. This locking
            mechanism can cause problems in some applications, in which case you
            might want to disable the locking. This option also provides a
            workaround if the locking code doesn't work reliably on your system.

        --enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
            The OPIE lock files need to be put in an isolated directory that is
            only accessible by the super-user and has a parent directory that is
            only writable by the super-user. If you are trying to use OPIE with
            the key file shared by NFS, you need to make the lock directory
            shared too. (But you read the README file, so you knew this.)

        --enable-retype: Ask users to re-type their secret pass phrases
            On the one hand, this helps prevent users from having to go generate
            an OTP, type it into a remote system, and then find out they
            mistyped. On the other hand, it's annoying. If this is enabled, users
            can simply hit return at the second prompt and the generator will skip
            the retype check, which allows users who don't like the retype check
            to mostly skip it.

        --enable-su-star-check: Refuse to switch to disabled accounts
            On many systems, an asterisk means one thing and one thing only: this
            account is never meant for human users. Therefore, it doesn't make
            much sense for anyone other than an attacker to try to su to that
            account. Enabling this check causes su to refuse to switch to
            accounts with an asterisk in their password field. While probably
            better for security, this is not compatible with traditional *IX su
            behavior, so it is disabled by default.

        --disable-new-prompts: Use more compatible (but less informative) prompts
            OPIE uses login prompts that tell you exactly what kind of response
            (an OTP response and/or a cleartext password) it expects you to give.
            This can break automatic login scripts that look for 'Password:' as
            the prompt for the password. If you have users that use such scripts,
            you might want to disable the more informative prompts so as not to
            break those scripts.

        --enable-insecure-override: Allow users to override insecure checks
            While OPIE cannot determine whether or not a session is secure, it can
            check for fairly common signs that it isn't secure. If it believes the
            session is insecure, some programs like opiekey will refuse to run
            because they prompt the user to send a secret pass phrase. Sometimes
            these checks declare a session insecure when it actually is secure,
            and sometimes the user wants to continue anyway even if the session
            is insecure. If this option is enabled, many commands gain a '-f'
            option to force them to operate even if OPIE thinks the session is
            insecure.

        --enable-anonymous-ftp: Enable anonymous FTP support
            By default, the OPIE FTP daemon does not support anonymous FTP
            service. The FTP daemon contains many security related bug fixes
            relative to the original source, but bugs probably remain. It was not
            intended to be used for anonymous FTP, where it is more open to the
            commands of potentially hostile users. If you enable this option, it
            will once again support anonymous FTP, but it probably isn't secure
            when used that way.

        --disable-utmp: Disable utmp logging
        --disable-wtmp: Disable wtmp logging
            On some systems, logging to the utmp and/or wtmp files is just a lost
            cause. If this is the case on your system, you might be better off
            not having OPIE even try.

        --enable-opieauto: Enable support for opieauto
            opieauto is a facility that caches an intermediate result of the OTP
            generator so that a user-selected number of OTPs can be generated on
            demand for each time the user types in the secret pass phrase. This
            is great for user convenience, as typing a twenty or thirty character
            secret pass phrase can be annoying. It can also be a minor security
            hole (see the README for details).

2. Edit the Makefile

        The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.

        The Makefile created by Autoconf should be correct for most users
as-is.

3. Build OPIE

        Normally, you will need to type:

        make

        If you only want to build the client programs, type:

        make client

        If you only want to build the server programs, type:

        make server

4. Verify that OPIE works on your system and install

        Normally, you will need to type:

        make install

        If you only want to install the client programs, type:

        make client-install

        If you only want to install the server programs, type:

        make server-install

        If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert to almost the
way things were before.

Copyright
=========

%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.

Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
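The --enable-user-locking option above states two requirements for the lock directory: the directory itself must be accessible only by the super-user, and its parent must not be writable by anyone else. The following script is an added example for checking those two conditions before running "make install"; it is not part of the OPIE distribution. It assumes a POSIX sh with ls, cut, awk and dirname, reads permissions from "ls -ld" output rather than from stat(1) (whose flags differ between Linux and BSD), and takes an optional second argument naming the expected owner so the check can be exercised as an unprivileged user; by default the expected owner is root, as the text requires.

```shell
#!/bin/sh
# Added example (not OPIE's own code): verify an OPIE lock directory meets
# the --enable-user-locking requirements. Usage: sh check_lockdir.sh DIR [OWNER]

# mode_of DIR: print the nine permission characters from "ls -ld",
# e.g. "rwx------" for a 0700 directory.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# owner_of DIR: print the owner name shown by "ls -ld" (third field).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# check_lockdir DIR [OWNER]: return 0 if DIR is acceptable as the OPIE lock
# directory, 1 otherwise. OWNER defaults to root; passing another name is an
# assumption made for this example only, so the check can run unprivileged.
check_lockdir() {
    dir=$1
    want_owner=${2:-root}

    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # The directory must grant nothing to group or others: characters 4-9
    # of the permission string must all be '-'.
    mode=$(mode_of "$dir")
    case "$mode" in
        ???------) ;;
        *) echo "$dir: mode $mode grants access to group/others" >&2; return 1 ;;
    esac

    [ "$(owner_of "$dir")" = "$want_owner" ] || {
        echo "$dir: not owned by $want_owner" >&2; return 1
    }

    # The parent must not be writable by group (character 5) or others
    # (character 8); otherwise the lock directory could be renamed or replaced.
    parent=$(dirname "$dir")
    pmode=$(mode_of "$parent")
    case "$pmode" in
        ????-??-?) ;;
        *) echo "$parent: mode $pmode is writable by group or others" >&2; return 1 ;;
    esac

    return 0
}

# Stand-alone use: check the directory named on the command line.
if [ $# -gt 0 ]; then
    check_lockdir "$@" && echo "$1: ok"
fi
```

A directory that passes can be created with "mkdir -m 0700 /etc/opielocks" as root; the parent check is what catches the less obvious mistake of placing the lock directory under a world-writable path such as /tmp, where another user could replace it.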