.\" opieaccess.5: Manual page describing the /etc/opieaccess file.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Fixed "0PIE" typo.
.\" Written at NRL for OPIE 2.0.
.\"
.ll 6i
.pl 10.5i
.\" @(#)opieaccess.5 2.0 (NRL) 1/10/95
.\" $FreeBSD: head/contrib/opie/opieaccess.5 92914 2002-03-21 23:42:52Z markm $
.\"
.lt 6.0i
.TH OPIEACCESS 5 "January 10, 1995"
.AT 3
.SH NAME
/etc/opieaccess \- OPIE database of trusted networks

.SH DESCRIPTION
The
.I opieaccess
file contains a list of networks that are considered trusted by the system as
far as security against passive attacks is concerned. Users from networks so
trusted will be able to log in using OPIE responses, but not be required to
do so, while users from networks that are not trusted will always be required
to use OPIE responses (the default behavior). This trust allows a site to
have a more gentle migration to OPIE by allowing it to be non-mandatory for
"inside" networks while allowing users to choose whether they wish to use OPIE
to protect their passwords or not.
.sp
The entire notion of trust implemented in the
.I opieaccess
file is a major security hole because it opens your system back up to the same
passive attacks that the OPIE system is designed to protect you against. The
.I opieaccess
support in this version of OPIE exists solely because we believe that it is
better to have it so that users who don't want their accounts broken into can
use OPIE than to have them prevented from doing so by users who don't want
to use OPIE. In any environment, it should be considered a transition tool and
not a permanent fixture. When it is not being used as a transition tool, a
version of OPIE that has been built without support for the
.I opieaccess
file should be built to prevent the possibility of an attacker using this file
as a means to circumvent the OPIE software.
.sp
The
.I opieaccess
file consists of lines containing three fields separated by spaces (tabs are
properly interpreted, but spaces should be used instead) as follows:
.PP
.nf
.ta \w' 'u
Field	Description
action	"permit" or "deny" non-OPIE logins
address	Address of the network to match
mask	Mask of the network to match
.fi

Subnets can be controlled by using the appropriate address and mask. Individual
hosts can be controlled by using the appropriate address and a mask of
255.255.255.255. If no rules are matched, the default is to deny non-OPIE
logins.
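As an added worked example (not code from OPIE or this manual), the following Python parses lines in the three-field format described above and decides whether a client address may be offered a non-OPIE login, defaulting to deny when no rule matches. It assumes that the first matching rule wins and that lines beginning with "#" are comments; it also includes a helper that flags very broad "permit" rules, since a permit with a short mask reopens the passive-attack exposure the text warns about.

```python
import ipaddress

# Constructed sample opieaccess contents (assumed, not from the manual).
SAMPLE_OPIEACCESS = """\
# action address mask
permit 192.0.2.0 255.255.255.0
deny 198.51.100.7 255.255.255.255
permit 198.51.100.0 255.255.255.0
"""


def parse_opieaccess(text):
    """Parse 'action address mask' lines into (action, IPv4Network) tuples.

    Blank lines and '#' comments are skipped (assumption about the format).
    str.split() with no argument accepts tabs as well as spaces.
    """
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        action, address, mask = fields
        if action not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: action must be 'permit' or 'deny'")
        # strict=False tolerates host bits set under the mask, e.g. 10.1.2.3/8.
        network = ipaddress.IPv4Network((address, mask), strict=False)
        rules.append((action, network))
    return rules


def non_opie_login_allowed(rules, client_ip):
    """True if client_ip may log in without an OPIE response.

    Assumption: the first rule whose network contains the address decides.
    With no matching rule the default is to deny non-OPIE logins.
    """
    addr = ipaddress.IPv4Address(client_ip)
    for action, network in rules:
        if addr in network:
            return action == "permit"
    return False


def broad_permit_rules(rules, max_prefixlen=8):
    """Audit helper: permit rules whose mask is /max_prefixlen or shorter."""
    return [(a, n) for a, n in rules if a == "permit" and n.prefixlen <= max_prefixlen]
```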

.SH SEE ALSO
.BR ftpd (8),
.BR login (1),
.BR opie (4),
.BR opiekeys (5),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR su (1)

.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.

S/Key is a trademark of Bell Communications Research (Bellcore).

.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com