OPIE Software Distribution, Release 2.4 Installation Instructions
======================================= =========================

    Did you read the README file?

    If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install
it.

    OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.

1. Run the "configure" script.

    Normally, you will need to type:

        sh configure

    If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:

        sh configure --enable-access-file=/etc/opieaccess

    If you'd like the file to go somewhere else, adjust this appropriately.

    There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:

        sh configure --help

    Some options that may be of interest are:

    --enable-access-file=FILENAME: Enable the OPIE access file FILENAME
        The OPIE access file provides a system administrator with the ability
        to make the use of OTP optional for certain hosts. Note that individual
        users can create a file named ".opiealways" in their home directory to
        require that OTP be used to access their account. Note also that the
        access file is based on addresses, but many of the clients that use it
        are only given hostnames. This opens this entire scheme up to DNS
        spoofing attacks, which is a major security problem. ALWAYS use a
        package such as tcp_wrappers configured to do paranoid checking on DNS
        information if you enable this option (it's good practice anyway).

    --enable-server-md4: Use MD4 instead of MD5 for the server
        The old S/Key package used MD4 instead of MD5. MD4 is believed to be
        less secure than MD5. Use this option only for compatibility with old
        key files.

    --disable-user-locking: Disable user locking
        OPIE only allows one session at a time to attempt to authenticate a
        principal; this prevents a possible race attack on OTP. This locking
        mechanism can cause problems in some applications, in which case you
        might want to disable the locking. This option also provides a
        workaround if the locking code doesn't work reliably on your system.

    --enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
        The OPIE lock files need to be put in an isolated directory that is
        only accessible by the super-user and has a parent directory that is
        only writable by the super-user. If you are trying to use OPIE with
        the key file shared by NFS, you need to make the lock directory
        shared too. (But you read the README file, so you knew this.)

    --enable-retype: Ask users to re-type their secret pass phrases
        On the one hand, this helps prevent users from having to go generate
        an OTP, type it into a remote system, and then find out they
        mistyped. On the other hand, it's annoying. If this is enabled, users
        can simply hit return at the second prompt and the generator will skip
        the retype check, which allows users who don't like the retype check
        to mostly skip it.

    --enable-su-star-check: Refuse to switch to disabled accounts
        On many systems, an asterisk means one thing and one thing only: this
        account is never meant for human users. Therefore, it doesn't make
        much sense for anyone other than an attacker to try to su to that
        account. Enabling this check causes su to refuse to switch to
        accounts with an asterisk in their password field. While probably
        better for security, this is not compatible with traditional *IX su
        behavior, so it is disabled by default.

    --disable-new-prompts: Use more compatible (but less informative) prompts
        OPIE uses login prompts that tell you exactly what kind of response
        (an OTP response and/or a cleartext password) it expects you to give.
        This can break automatic login scripts that look for 'Password:' as
        the prompt for the password. If you have users that use such scripts,
        you might want to disable the more informative prompts so as not to
        break those scripts.

    --enable-insecure-override: Allow users to override insecure checks
        While OPIE cannot determine whether or not a session is secure, it can
        check for fairly common signs that it isn't secure. If it believes the
        session is insecure, some programs like opiekey will refuse to run
        because they prompt the user to send a secret pass phrase. Sometimes
        these checks declare a session insecure when it is in fact secure, and
        sometimes the user wants to continue anyway even if the session is
        insecure. If this option is enabled, many commands gain a '-f' option
        to force them to operate even if OPIE thinks the session is insecure.

    --enable-anonymous-ftp: Enable anonymous FTP support
        By default, the OPIE FTP daemon does not support anonymous FTP
        service. The FTP daemon contains many security-related bug fixes
        relative to the original source, but bugs probably remain. It was not
        intended to be used for anonymous FTP, where it is more open to the
        commands of potentially hostile users. If you enable this option, it
        will once again support anonymous FTP, but it probably isn't secure
        when used that way.

    --disable-utmp: Disable utmp logging
    --disable-wtmp: Disable wtmp logging
        On some systems, logging to the utmp and/or wtmp files is just a lost
        cause. If this is the case on your system, you might be better off
        not having OPIE even try.

    --enable-opieauto: Enable support for opieauto
        opieauto is a facility that caches an intermediate result of the OTP
        generator so that a user-selected number of OTPs can be generated on
        demand for each time the user types in the secret pass phrase. This
        is great for user convenience, as typing a twenty or thirty character
        secret pass phrase can be annoying. It can also be a minor security
        hole (see the README for details).

2. Edit the Makefile

    The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.

    The Makefile created by Autoconf should be correct for most users
as-is.

3. Build OPIE

    Normally, you will need to type:

        make

    If you only want to build the client programs, type:

        make client

    If you only want to build the server programs, type:

        make server

4. Verify that OPIE works on your system and install

    Normally, you will need to type:

        make install

    If you only want to install the client programs, type:

        make client-install

    If you only want to install the server programs, type:

        make server-install

    If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert back to almost the
way things were before.
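    As an added example that is not part of the OPIE distribution, the
following POSIX shell helper checks a prospective lock directory against the
two requirements stated for --enable-user-locking above: the directory must
be accessible only by the super-user, and its parent must be writable only by
the super-user. It is something to run as part of step 4 before relying on
the locking. It reads permissions from "ls -ld" so that it works on both BSD
and GNU userlands; the function names, the script name and the optional OWNER
argument (default root) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of OPIE: verify that a directory is suitable for
# the lock files selected with --enable-user-locking[=DIR].  The INSTALL text
# requires that the directory be accessible only by the super-user and that
# its parent be writable only by the super-user.  Function names are
# hypothetical.  Permissions are parsed from "ls -ld" output so the script
# runs unchanged on BSD and GNU systems.

# mode_string PATH: print the 10-character permission field, e.g. drwx------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of PATH: print the owner name shown by ls -ld
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_lockdir DIR [OWNER]
# Return 0 when DIR is a directory owned by OWNER (default: root), grants no
# permission at all to group or other, and DIR's parent grants no write
# permission to group or other.  Otherwise print the reason and return 1.
check_lockdir() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory"
        return 1
    fi

    mode=$(mode_string "$dir")
    case $mode in
        d???------) ;;                  # owner bits may be anything
        *) echo "$dir: group/other have access ($mode)"; return 1 ;;
    esac

    if [ "$(owner_of "$dir")" != "$owner" ]; then
        echo "$dir: not owned by $owner"
        return 1
    fi

    parent=$(dirname "$dir")
    pmode=$(mode_string "$parent")
    case $pmode in
        d????-??-?) ;;                  # group-write and other-write clear
        *) echo "$parent: writable by group or other ($pmode)"; return 1 ;;
    esac

    return 0
}

# Usage: sh checklockdir.sh DIR      (e.g. sh checklockdir.sh /etc/opielocks)
if [ $# -gt 0 ]; then
    check_lockdir "$1"
fi
```

    A setgid or sticky bit on the lock directory shows up as an 's' or 't'
in the group or other field and is rejected along with any other group/other
permission, which is the intended strictness: a lock directory that other
users can enter or list defeats the purpose of isolating it.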

Copyright
=========

%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.

Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.