.\" opieaccess.5: Manual page describing the /etc/opieaccess file.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Written at NRL for OPIE 2.0.
.\"
.ll 6i
.pl 10.5i
.\" @(#)opieaccess.5 2.0 (NRL) 1/10/95
.\"
.lt 6.0i
.TH OPIEACCESS 5 "January 10, 1995"
.AT 3
.SH NAME
/etc/opieaccess \- OPIE database of trusted networks

.SH DESCRIPTION
The
.I opieaccess
file contains a list of networks that are considered trusted by the system as
far as security against passive attacks is concerned. Users from networks so
trusted will be able to log in using OPIE responses, but will not be required
to do so, while users from networks that are not trusted will always be required
to use OPIE responses (the default behavior). This trust allows a site to
have a more gentle migration to OPIE by allowing it to be non-mandatory for
"inside" networks while allowing users to choose whether they wish to use OPIE
to protect their passwords or not.
.sp
The entire notion of trust implemented in the
.I opieaccess
file is a major security hole because it opens your system back up to the same
passive attacks that the OPIE system is designed to protect you against. The
.I opieaccess
support in this version of OPIE exists solely because we believe that it is
better to have it so that users who don't want their accounts broken into can
use OPIE than to have them prevented from doing so by users who don't want
to use OPIE. In any environment, it should be considered a transition tool and
not a permanent fixture. When it is not being used as a transition tool, a
version of OPIE that has been built without support for the
.I opieaccess
file should be built to prevent the possibility of an attacker using this file
as a means to circumvent the OPIE software.
.sp
The
.I opieaccess
file consists of lines containing three fields separated by spaces (tabs are
properly interpreted, but spaces should be used instead) as follows:
.PP
.nf
.ta \w' 'u
Field	Description
action	"permit" or "deny" non-OPIE logins
address	Address of the network to match
mask	Mask of the network to match
.fi

Subnets can be controlled by using the appropriate address and mask. Individual
hosts can be controlled by using the appropriate address and a mask of
255.255.255.255. If no rules are matched, the default is to deny non-OPIE
logins.
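As an added illustration of the rule format described above (example code, not part of OPIE or of this manual page), the following parses a constructed opieaccess file and decides whether a client address may log in with a plain, non-OPIE password. Two points are assumptions rather than statements of the manual: that the first matching rule wins, and that blank lines and "#" comments are ignored; the default-deny for unmatched clients is as documented.

```python
import ipaddress

# Constructed sample /etc/opieaccess contents (not taken from the manual).
# Field order is: action address mask.  The host-specific "deny" is placed
# before the subnet "permit" so that it is not shadowed by the wider rule.
SAMPLE_OPIEACCESS = """\
# inside network: plain passwords tolerated, OPIE still allowed
deny   10.1.2.99     255.255.255.255
permit 10.1.0.0      255.255.0.0
permit 192.0.2.7     255.255.255.255
"""

def parse_opieaccess(text):
    """Parse opieaccess lines into (action, address_int, mask_int) tuples.

    Blank lines and '#' comments are skipped (assumption; the manual does
    not describe a comment syntax).  A malformed line raises ValueError so
    that a typo can never be silently read as a 'permit'.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"opieaccess line {lineno}: bad rule {raw!r}")
        action, addr, mask = fields
        rules.append((action,
                      int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(mask))))
    return rules

def non_opie_login_permitted(client_ip, rules):
    """Return True if a non-OPIE password is acceptable from client_ip.

    The first rule whose masked network covers the client wins (assumption).
    'permit' only means the user may choose a plain password; OPIE
    responses are still accepted.  'deny' forces an OPIE response.
    """
    client = int(ipaddress.IPv4Address(client_ip))
    for action, address, mask in rules:
        if client & mask == address & mask:
            return action == "permit"
    return False  # no rule matched: deny non-OPIE logins (documented default)
```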

.SH SEE ALSO
.BR ftpd (8),
.BR login (1),
.BR opie (4),
.BR opiekeys (5),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR su (1)

.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.

S/Key is a trademark of Bell Communications Research (Bellcore).

.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com