Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 20 Mar 2014 19:05:41 +0000 (UTC)
From:      Dru Lavigne <dru@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r44302 - head/en_US.ISO8859-1/books/handbook/security
Message-ID:  <201403201905.s2KJ5fDk075628@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dru
Date: Thu Mar 20 19:05:40 2014
New Revision: 44302
URL: http://svnweb.freebsd.org/changeset/doc/44302

Log:
  Editorial review of first 1/2 of OPIE chapter.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Mar 20 17:14:40 2014	(r44301)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Mar 20 19:05:40 2014	(r44302)
@@ -620,75 +620,72 @@ Enter new password:</programlisting>
     </indexterm>
 
     <para>By default, &os; includes support for One-time Passwords In
-      Everything (<acronym>OPIE</acronym>), which uses the MD5 hash by
+      Everything (<acronym>OPIE</acronym>).  <acronym>OPIE</acronym>
+      is designed to prevent replay attacks, in which an attacker
+      discovers a user's password and uses it to access a system.
+      Since a password is only used once in <acronym>OPIE</acronym>, a
+      discovered password is of little use to an attacker.
+      <acronym>OPIE</acronym> uses a secure hash and a
+      challenge/response system to manage passwords.  The &os;
+      implementation uses the <acronym>MD5</acronym> hash by
       default.</para>
 
-    <para>There are three different types of passwords.  The first is
-      the usual &unix; style or Kerberos password.  The second is the
-      one-time password which is generated by &man.opiekey.1; and
-      accepted by &man.opiepasswd.1; and the login prompt.  The final
-      type of password is the <quote>secret password</quote> used by
-      &man.opiekey.1;, and sometimes &man.opiepasswd.1;, to generate
-      one-time passwords.</para>
-
-    <para>The secret password has nothing to do with the &unix;
-      password.  They can be the same, but this is not recommended.
-      <acronym>OPIE</acronym> secret passwords are not limited to 8
-      characters like old &unix; passwords<footnote><para>Under &os;
-	  the standard login password may be up to 128 characters in
-	  length.</para></footnote>.  Passwords of six or seven word
-      long phrases are fairly common.  For the most part, the
-      <acronym>OPIE</acronym> system operates completely independently
-      of the &unix; password system.</para>
+    <para><acronym>OPIE</acronym> uses three different types of passwords.  The first is
+      the usual &unix; or Kerberos password.  The second is the
+      one-time password which is generated by <command>opiekey</command>.
+      The third
+      type of password is the <quote>secret password</quote> which is used
+      to generate
+      one-time passwords.  The secret password has nothing to do with,
+      and should be different from, the &unix;
+      password.</para>
 
-    <para>Besides the password, there are two other pieces of data
+    <para>There are two other pieces of data
       that are important to <acronym>OPIE</acronym>.  One is the
       <quote>seed</quote> or <quote>key</quote>, consisting of two
       letters and five digits.  The other is the <quote>iteration
 	count</quote>, a number between 1 and 100.
       <acronym>OPIE</acronym> creates the one-time password by
-      concatenating the seed and the secret password, applying the MD5
+      concatenating the seed and the secret password, applying the <acronym>MD5</acronym>
       hash as many times as specified by the iteration count, and
-      turning the result into six short English words.  These six
-      English words are the one-time password.  The authentication
-      system (primarily PAM) keeps track of the last one-time password
+      turning the result into six short English words which represent
+      the one-time password.  The authentication
+      system keeps track of the last one-time password
       used, and the user is authenticated if the hash of the
       user-provided password is equal to the previous password.
       Because a one-way hash is used, it is impossible to generate
       future one-time passwords if a successfully used password is
       captured.  The iteration count is decremented after each
       successful login to keep the user and the login program in sync.
-      When the iteration count gets down to 1,
+      When the iteration count gets down to <literal>1</literal>,
       <acronym>OPIE</acronym> must be reinitialized.</para>
 
     <para>There are a few programs involved in this process.
-      &man.opiekey.1; accepts an iteration count, a seed, and a secret
-      password, and generates a one-time password or a consecutive
-      list of one-time passwords.  In addition to initializing
+      A one-time password, or a consecutive
+      list of one-time passwords, is generated by passing an iteration
+      count, a seed, and a secret
+      password to &man.opiekey.1;.  In addition to initializing
       <acronym>OPIE</acronym>, &man.opiepasswd.1; is used to change
-      passwords, iteration counts, or seeds.  It takes either a secret
-      passphrase, or an iteration count, seed, and a one-time
-      password.  The relevant credential files in
+      passwords, iteration counts, or seeds.  The relevant credential files in
       <filename>/etc/opiekeys</filename> are examined by
       &man.opieinfo.1; which prints out the invoking user's current
       iteration count and seed.</para>
 
-    <para>There are four different sorts of operations.  The first is
-      to use &man.opiepasswd.1; over a secure connection to set up
-      one-time-passwords for the first time, or to change the password
-      or seed.  The second operation is to use &man.opiepasswd.1; over
-      an insecure connection, in conjunction with &man.opiekey.1; over
-      a secure connection, to do the same.  The third is to use
-      &man.opiekey.1; to log in over an insecure connection.  The
-      fourth is to use &man.opiekey.1; to generate a number of keys
-      which can be written down or printed out to carry to insecure
-      locations in order to make a connection to anywhere.</para>
+    <para>This section describes four different sorts of operations.  The first is
+      how to set up
+      one-time-passwords for the first time
+      over a secure connection.  The second is how to use <command>opiepasswd</command> over
+      an insecure connection.  The third is how to
+      log in over an insecure connection.  The
+      fourth is how to generate a number of keys
+      which can be written down or printed out to use at insecure
+      locations.</para>
 
     <sect2>
-      <title>Secure Connection Initialization</title>
+      <title>Initializing <acronym>OPIE</acronym></title>
 
       <para>To initialize <acronym>OPIE</acronym> for the first time,
-	execute &man.opiepasswd.1;:</para>
+	run this command from a secure location:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd -c</userinput>
 [grimreaper] ~ $ opiepasswd -f -c
@@ -703,25 +700,38 @@ Again new secret pass phrase:
 ID unfurl OTP key is 499 to4268
 MOS MALL GOAT ARM AVID COED</screen>
 
-      <para>At the <prompt>Enter new secret pass phrase:</prompt> or
-	<prompt>Enter secret password:</prompt> prompt, enter a
-	password or phrase.  This is not the login password as this
-	password is used to generate the one-time login keys.  The
-	<quote>ID</quote> line gives the parameters of the instance:
-	the login name, iteration count, and seed.  When logging in,
+      <para>The <option>-c</option> sets console mode which assumes
+	that the command is being run from a secure location, such as
+	a computer under the user's control or a
+	<acronym>SSH</acronym> session to a computer under the user's
+	control.</para>
+
+      <para>When prompted, enter the secret
+	password which will be
+	used to generate the one-time login keys.  This password
+	should be difficult to guess and should be different than the
+	password which is associated with the user's login
+	account.  It must be between 10 and 127 characters long.
+	Remember this password.</para>
+
+      <para>The
+	<literal>ID</literal> line lists
+	the login name (<literal>unfurl</literal>), default iteration count
+	(<literal>499</literal>), and default seed
+	(<literal>to4268</literal>).  When logging in,
 	the system will remember these parameters and display them,
 	meaning that they do not have to be memorized.  The last line
-	gives the particular one-time password which corresponds to
+	lists the generated one-time password which corresponds to
 	those parameters and the secret password.  At the next login,
-	this one-time password is the one to use.</para>
+	use this one-time password.</para>
     </sect2>
 
     <sect2>
       <title>Insecure Connection Initialization</title>
 
-      <para>To initialize or change the secret password over an
-	insecure connection, a secure connection is needed to some
-	place where &man.opiekey.1; can be run.  This might be a shell
+      <para>To initialize or change the secret password on an
+	insecure system, a secure connection is needed to some
+	place where <command>opiekey</command> can be run.  This might be a shell
 	prompt on a trusted machine.  An iteration count is needed,
 	where 100 is probably a good value, and the seed can either be
 	specified or the randomly-generated one used.  On the insecure



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201403201905.s2KJ5fDk075628>