Chia sẻ: Thanh Cong | Ngày: | Loại File: PDF | Số trang:50

0
69
lượt xem
19

Mô tả tài liệu

Tham khảo tài liệu 'tcp/ip network administration- p11', công nghệ thông tin, quản trị mạng phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:

Bình luận(0)

Lưu

## Nội dung Text: TCP/IP Network Administration- P11

2. [Chapter 11] 11.9 Simple Network Management Protocol Previous: 11.8 Protocol TCP/IP Network Next: 11.10 Summary Case Study Administration 11.8 Protocol Case Study Book Index 11.10 Summary [ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ] Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch11_09.htm (5 of 5) [2001-10-15 09:18:52]
16. [Chapter 12] 12.2 User Authentication used between UNIX hosts on a local area network. One-time passwords are only needed for the occasions when you log in from a remote location or an untrusted host. For this reason, some one-time password systems are designed to allow reusable passwords when they are appropriate. There are several one-time password systems. Some use specialized hardware such as "smart cards." OPIE is a free software system that requires no special hardware. 12.2.4 OPIE One-time Passwords In Everything (OPIE) is free software from the U.S. Naval Research Laboratory (NRL) that modifies a UNIX system to use one-time passwords. OPIE is directly derived from SKey, which is a one-time password system created by Bell Communications Research (Bellcore). Download OPIE from ftp://ftp.nrl.navy.mil/pub/security/opie/opie-2.3.tar.gz. It is a binary file. gunzip the file and extract it using tar. The directory this produces contains the source files, Makefiles, and scripts necessary to compile and install OPIE. OPIE comes with configure, an auto-configuration script that detects your system's configuration and modifies the Makefile accordingly. It does a good job, but you still should manually edit the Makefile to make sure it is correct. For example: my Linux system uses the Washington University FTP daemon wu.ftpd. OPIE replaces login, su, and ftpd with its own version of these programs. On my Linux system, configure did not find ftpd and I did not notice the problem when I checked the Makefile. make ran without errors but make install failed during the install of the OPIE FTP daemon. The Makefile was easily corrected and the rerun of make install was successful. The effects of OPIE are evident as soon as the install completes. Run su and you're prompted with root's response: instead of Password:. login prompts with Response or Password: instead of just Password:. The response requested by these programs is the OPIE equivalent of a password. Programs that prompt with Response or Password accept either the OPIE response or the traditional password from the /etc/passwd file. This feature permits users to migrate gracefully from traditional passwords to OPIE. It also allows local console logins with re-usable passwords while permitting remote logins with one-time passwords. The best of both worlds - convenient local logins without creating separate local and remote login accounts! To use OPIE you must first select a secret password that is used to generate the one-time password list, and then you must run the program that generates the list. To select a secret password, run opiepassword as shown below: $opiepasswd -c Updating kristin: Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter old secret pass phrase: 3J5Wd6PaWP Enter new secret pass phrase: 9WA11WSfW95/NT Again new secret pass phrase: 9WA11WSfW95/NT The example above shows the user kristin updating her secret password. She runs opiepasswd from the computer's console, as indicated by the -c command option. Running opiepasswd from the console is the most secure. If it is not run from the console, you must have a copy of the opiekey software with you to generate the correct responses needed to enter your old and new secret passwords because clear-text passwords are only accepted from the console. Kristin is prompted to enter her old password and to select a new one. OPIE passwords must be at least Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_02.htm (6 of 13) [2001-10-15 09:18:56] 17. [Chapter 12] 12.2 User Authentication 10 characters long. Since the new password is long enough, opiepasswd accepts it and displays the following two lines: ID kristin OPIE key is 499 be93564 CITE JAN GORY BELA GET ABED These lines tell Kristin the information she needs to generate OPIE login responses and the first response she will need to log in to the system. The one-time password needed for Kristin's next login response is the second line of this display: a group of six short, uppercase character strings. The first line of the display contains the initial sequence number (499) and the seed (be93564) she needs, along with her secret password, to generate OPIE login responses. The software used to generate those responses is opiekey. opiekey takes the login sequence number, the user's seed, and the user's secret password as input and outputs the correct one-time password. If you have opiekey software on the system from which you are initiating the login, you can produce one-time passwords one at a time. If, however, you will not have access to opiekey when you are away from your login host, you can use the -n option to request several passwords. Write the passwords down, put them in your wallet, and you're ready to go! [3] In the following example we request five (-n 5) responses from opiekey: [3] Security experts will cringe when they read this suggestion. Writing down passwords is a "no- no." Frankly, I think the people who steal wallets are more interested in my money and credit cards than in the password to my system. But you should consider this suggestion in light of the level of protection that your system needs.$ opiekey -n 5 495 wi01309 Using MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: UUaX26CPaU 491: HOST VET FOWL SEEK IOWA YAP 492: JOB ARTS WERE FEAT TILE IBIS 493: TRUE BRED JOEL USER HALT EBEN 494: HOOD WED MOLT PAN FED RUBY 495: SUB YAW BILE GLEE OWE NOR First opiekey tells us that it is using the MD5 algorithm to produce the responses, which is the default for OPIE. For compatibility with older Skey or OPIE implementations, force opiekey to use the MD4 algorithm by using the -4 command-line option. opiekey prompts for your secret password. This is the password you defined with the opiepasswd command. It then prints out the number of responses requested and lists them in sequence number order. The login sequence numbers in the example are 495 to 491. When the sequence number gets down to 10, rerun opiepasswd and select a new secret password. Selecting a new secret password resets the sequence number to 499. The OPIE login prompt displays a sequence number and you must provide the response that goes with that sequence number. For example: login: tyler otp-md5 492 wi01309 Response or Password: JOB ARTS WERE FEAT TILE IBIS At the login: prompt Tyler enters her username. The system then displays a single line that tells her that one- time passwords are being generated with the MD5 algorithm (otp-md5), that this is login sequence number 492, and that the seed used for her one-time passwords is wi01309. She looks up the response for login number 492 and enters the six short strings. She then marks that response off her list because it cannot be used again to log into the Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_02.htm (7 of 13) [2001-10-15 09:18:56]