One-time Passwords

By default, FreeBSD includes support for OPIE (One-time Passwords In Everything),
which uses the MD5 hash by default.
There are three different sorts of passwords which we will discuss below. The first is
your usual UNIX® style or Kerberos password; we will
call this a “UNIX password”. The second sort
is the one-time password which is generated by the OPIE
opiekey(1)
program and
accepted by the
opiepasswd(1)
program
and the login prompt; we will call this a “one-time password”. The final sort
of password is the secret password which you give to the opiekey
program (and sometimes the opiepasswd programs) which it uses to
generate one-time passwords; we will call it a “secret password” or just
unqualified “password”.
The secret password does not have anything to do with your UNIX password; they can be the same but this is not recommended.
OPIE secret passwords are not limited to 8 characters like old UNIX passwords
[1]
, they can be as long as you
like. Passwords of six or seven word long phrases are fairly common. For the most part,
the OPIE system operates completely independently of the UNIX password system.
Besides the password, there are two other pieces of data that are important to OPIE.
One is what is known as the “seed” or “key”, consisting of two
letters and five digits. The other is what is called the “iteration count”, a
number between 1 and 100. OPIE creates the one-time password by concatenating the seed
and the secret password, then applying the MD5 hash as many times as specified by the
iteration count and turning the result into six short English words. These six English
words are your one-time password. The authentication system (primarily PAM) keeps track
of the last one-time password used, and the user is authenticated if the hash of the
user-provided password is equal to the previous password. Because a one-way hash is used
it is impossible to generate future one-time passwords if a successfully used password is
captured; the iteration count is decremented after each successful login to keep the user
and the login program in sync. When the iteration count gets down to 1, OPIE must be
reinitialized.
There are a few programs involved in each system which we will discuss below. The opiekey program accepts an iteration count, a seed, and a secret
password, and generates a one-time password or a consecutive list of one-time passwords.
The opiepasswd program is used to initialize OPIE, and to change
passwords, iteration counts, or seeds; it takes either a secret passphrase, or an
iteration count, seed, and a one-time password. The opieinfo
program will examine the relevant credentials files (/etc/opiekeys) and print out the invoking user's current iteration
count and seed.
There are four different sorts of operations we will cover. The first is using opiepasswd over a secure connection to set up one-time-passwords for

标签：

版权申明：本站文章部分自网络，如有侵权，请联系：west999com@outlook.com
特别注意：本站所有转载文章言论不代表本站观点，本站所提供的摄影照片，插画，设计作品，如需使用，请与原作者联系，版权归原作者所有