NetBSD/crypto/dist/krb4/doc/otp.texi
2000-06-16 18:45:32 +00:00

@node One-Time Passwords, Resolving frequent problems, How to set up a realm, Top
@chapter One-Time Passwords
@cindex OTP
@cindex One time passwords
There is also support for using @dfn{one time passwords} (OTP) in this
package. Specifically @code{login}, @code{ftpd}, and @code{popper} have
support for using them.
@menu
* What are one time passwords?::
* When to use one time passwords?::
* Configuring OTPs::
@end menu
@node What are one time passwords?, When to use one time passwords?, One-Time Passwords, One-Time Passwords
@comment node-name, next, previous, up
@section What are one time passwords?
One time passwords are, as the name implies, passwords that can only
be used once. This means that even if someone is eavesdropping on the
network, they will not be able to make use of the passwords they steal.
The OTPs used in this package support @cite{RFC 1938}. This standard is
also backwards compatible with the well-known S/Key. There are lots of
programs for generating these on everything from HP 48's to Crays.
@cindex S/Key
@node When to use one time passwords?, Configuring OTPs, What are one time passwords?, One-Time Passwords
@comment node-name, next, previous, up
@section When to use one time passwords?
Why would you want to use OTPs instead of Kerberos? The advantage of
OTPs is that they don't require a computer to operate. You can print
out a list of passwords and take it with you, or you can use your
calculator or hand-held computer to generate them.
The downside is that they only protect you against passive attacks.
Only the initial connection is authenticated. After that, anyone can
eavesdrop on your session, so you should not send or view any sensitive
data (e.g. passwords) over an OTP-initiated link. You are also
vulnerable to active attacks where intruders try to take over your
TCP session and/or inject data in the middle of it. In other words,
OTPs provide initial authentication, but neither integrity nor
confidentiality.
The OTPs are generated from the tuple (@var{seed}, @var{sequence
number}, @var{pass-phrase}). The seed and the sequence number will be
printed as part of the @dfn{challenge} and you will have to generate the
corresponding password or pick it from a list.
In conclusion, they are simple and can be used everywhere but don't
protect against all threats that Kerberos does. Use them when you can't
use Kerberos.
@node Configuring OTPs, , When to use one time passwords?, One-Time Passwords
@comment node-name, next, previous, up
@section Configuring OTPs
@heading Initializing
To initialize your OTPs use the @code{otp} program. This program will
write an entry in a local file on this host with your current password
(in this case the 100th) and the corresponding seed (@samp{foobar}).
@pindex otp
@example
@cartouche
datan:>otp 100 foobar
Pass-phrase: <pass-phrase>
Verifying password Pass-phrase: <pass-phrase>
@end cartouche
@end example
@heading Generating
To print out a list of them there is a program called
@code{otpprint}.
@pindex otpprint
@example
@cartouche
datan:>otpprint 100 foobar
Pass-phrase: <pass-phrase>
91: SLAM BUY SUP DUSK SKY BEST
92: DEEM SIGH ROB RASH JUG MAT
93: DUET FISK HERS AREA TOLL SUP
94: WOW RAIN LEAK SARA MARK WING
95: COG YELL MILK CART ABE BAWL
96: GROW SILK GIST OMEN CAM ANNE
97: JAG QUAD NUT BEAT BHOY MAGI
98: ADAM USED GENE NIP EYE SIS
99: MY SUNG HERO AT DASH RAKE
100: CORN KNIT BOTH TOGO SOUL BOG
@end cartouche
@end example
@heading Using the OTPs
Once you have initialized a series of one-time passwords for yourself
and try to log in, you will get a challenge that names the algorithm
being used, the sequence number, and the seed. Enter those in your
generator or find the corresponding password in your list.
@example
@cartouche
login: assar
assar's [ otp-md5 99 foobar ] Password: <MY SUNG HERO AT DASH RAKE>
@end cartouche
@end example
The sequence number of the password will start at one less than the
number you gave to @code{otp} and decrease by one every time you use it.
You should keep track of which one should be current, so that you can
be sure that nobody has stolen some of your passwords and used them.
When the number has reached zero you need to acquire a new series of
passwords.
Once you have initialized your series of passwords, you can always use
them at any password prompt where you get the challenge as shown above.
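The generation and verification described above, as an added example written for this page rather than code from the krb4 distribution: otp-md5 per RFC 1938 (MD5 over the lowercased seed plus pass-phrase, folded to 64 bits, then hashed and folded once more per sequence number) and a hypothetical server-side record, @code{OtpVerifier}, which accepts a response only if one further hash-and-fold step reproduces the stored password and then decrements the counter. The class and method names are assumptions; the six-word encoding is omitted because it needs the RFC's 2048-word dictionary.

```python
import hashlib

def otp_fold(digest: bytes) -> bytes:
    """RFC 1938 otp-md5 folding: XOR the two 8-byte halves of an MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))

def otp_step(value: bytes) -> bytes:
    """One hash-and-fold round; applied to password N it yields password N+1."""
    return otp_fold(hashlib.md5(value).digest())

def otp_md5(passphrase: str, seed: str, seq: int) -> bytes:
    """Password for (seed, sequence number, pass-phrase). The seed is
    case-insensitive and is lowercased before hashing, as the RFC requires."""
    value = otp_step((seed.lower() + passphrase).encode())
    for _ in range(seq):
        value = otp_step(value)
    return value

def otp_hex(passphrase: str, seed: str, seq: int) -> str:
    """Hexadecimal form of the 64-bit password (the six-word form needs the
    RFC's 2048-word dictionary, which is omitted here)."""
    return otp_md5(passphrase, seed, seq).hex().upper()

class OtpVerifier:
    """Hypothetical server-side record, modelled on what `otp N seed` writes:
    the seed, the current sequence number and the current 64-bit password.
    The pass-phrase itself is never stored."""

    def __init__(self, seed: str, seq: int, current: bytes):
        self.seed, self.seq, self.current = seed.lower(), seq, current

    @classmethod
    def initialize(cls, passphrase: str, seed: str, seq: int) -> "OtpVerifier":
        return cls(seed, seq, otp_md5(passphrase, seed, seq))

    def challenge(self) -> str:
        """The challenge shown at the prompt, e.g. 'otp-md5 99 foobar'."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept only the password one step below the stored one: hashing the
        response once must reproduce it. A replayed, skipped or guessed
        password fails, and nothing is accepted once the series hits zero."""
        if self.seq == 0 or otp_step(response) != self.current:
            return False
        self.seq -= 1
        self.current = response
        return True
```

Comparing the server's remaining sequence number with your own count is the check the text recommends: if the server is further along than you are, someone else has used passwords from your series.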
@heading Configuring servers
@code{ftpd}, @code{telnetd}, and @code{popper} can be configured to
require one-time passwords when the connection has not been
Kerberos-authenticated. Check the man pages for these programs for the
correct options.