OPIE Software Distribution, Release 2.4 Installation Instructions
======================================= =========================

Did you read the README file?

If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install

OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.

1. Run the "configure" script.

Normally, you will need to type:

If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:

	sh configure --enable-access-file=/etc/opieaccess

If you'd like the file to go somewhere else, adjust this appropriately.

There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:

Some options that may be of interest are:

--enable-access-file=FILENAME: Enable the OPIE access file FILENAME
The OPIE access file provides a system administrator with the ability
to make the use of OTP optional for certain hosts. Note that individual
users can create a file named ".opiealways" in their home directory to
require that OTP be used to access their account. Note also that the
access file is based on addresses, but many of the clients that use it
are only given hostnames. This opens this entire scheme up to DNS
spoofing attacks, which is a major security problem. ALWAYS use a
package such as tcp_wrappers configured to do paranoid checking on DNS
information if you enable this option (it's good practice anyway).

--enable-server-md4: Use MD4 instead of MD5 for the server
The old S/Key package used MD4 instead of MD5. MD4 is believed to be
less secure than MD5. Use this option only for compatibility with old

--disable-user-locking: Disable user locking
OPIE only allows one session at a time to attempt to authenticate a
principal; this prevents a possible race attack on OTP. This locking
mechanism can cause problems in some applications, in which case you
might want to disable the locking. This option also provides a
workaround if the locking code doesn't work reliably on your system.

--enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
The OPIE lock files need to be put in an isolated directory that is
only accessible by the super-user and has a parent directory that is
only writable by the super-user. If you are trying to use OPIE with
the key file shared by NFS, you need to make the lock directory
shared too. (But you read the README file, so you knew this.)

--enable-retype: Ask users to re-type their secret pass phrases
On the one hand, this helps prevent users from having to go generate
an OTP, type it into a remote system, and then find out they
mistyped. On the other hand, it's annoying. If this is enabled, users
can simply hit return at the second prompt and the generator will skip
the retype check, which allows users who don't like the retype check

--enable-su-star-check: Refuse to switch to disabled accounts
On many systems, an asterisk means one thing and one thing only: this
account is never meant for human users. Therefore, it doesn't make
much sense for anyone other than an attacker to try to su to that
account. Enabling this check causes su to refuse to switch to
accounts with an asterisk in their password field. While probably
better for security, this is not compatible with traditional *IX su
behavior, so it is disabled by default

--disable-new-prompts: Use more compatible (but less informative) prompts
OPIE uses login prompts that tell you exactly what kind of response
(an OTP response and/or a cleartext password) it expects you to give.
This can break automatic login scripts that look for 'Password:' as
the prompt for the password. If you have users that use such scripts,
you might want to disable the more informative responses so as not to

--enable-insecure-override: Allow users to override insecure checks
While OPIE cannot determine whether or not a session is secure, it can
check for fairly common signs that it isn't secure. If it believes the
session is insecure, some programs like opiekey will refuse to run
because they prompt the user to send a secret pass phrase. Sometimes
these checks declare a session insecure when it is not, and sometimes the
user wants to continue anyway even if the session is insecure. If this
option is enabled, many commands gain a '-f' option to force them to
operate even if OPIE thinks the session is insecure.

--enable-anonymous-ftp: Enable anonymous FTP support
By default, the OPIE FTP daemon does not support anonymous FTP
service. The FTP daemon contains many security related bug fixes
relative to the original source, but bugs probably remain. It was not
intended to be used for anonymous FTP, where it is more open to the
commands of potentially hostile users. If you enable this option, it
will once again support anonymous FTP, but it probably isn't secure

--disable-utmp: Disable utmp logging
--disable-wtmp: Disable wtmp logging
On some systems, logging to the utmp and/or wtmp files is just a lost
cause. If this is the case on your system, you might be better off
not having OPIE even try.

--enable-opieauto: Enable support for opieauto
opieauto is a facility that caches an intermediate result of the OTP
generator so that a user-selected number of OTPs can be generated on
demand for each time the user types in the secret pass phrase. This
is great for user convenience, as typing a twenty or thirty character
secret pass phrase can be annoying. It can also be a minor security
hole (see the README for details).
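
The "paranoid" DNS check recommended for --enable-access-file above, shown as an added example (this is not OPIE or tcp_wrappers code): a hostname is honored only when the address's reverse lookup and that name's forward lookup agree, and only a confirmed name can earn an access-file exemption. The resolver data is a constructed in-memory table so the example runs offline; a real deployment would query the system resolver.

```python
from dataclasses import dataclass, field

@dataclass
class FakeResolver:
    """Constructed PTR and A records standing in for DNS (example data only)."""
    ptr: dict = field(default_factory=dict)   # ip -> hostname (reverse lookup)
    a: dict = field(default_factory=dict)     # hostname -> [ips] (forward lookup)

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, [])

def confirmed_hostname(ip, resolver):
    """Return the client's hostname only if reverse and forward DNS agree.

    Whoever controls the PTR record for an address can claim any name;
    they cannot normally also make that name resolve back to their address.
    """
    name = resolver.reverse(ip)
    if name is None:
        return None
    return name if ip in resolver.forward(name) else None

def otp_required(ip, exempt_hosts, resolver):
    """Decide whether an OTP must be demanded from a connection from `ip`.

    `exempt_hosts` models the set of hostnames an access file exempts.
    Unresolvable or unconfirmed names never earn the exemption.
    """
    name = confirmed_hostname(ip, resolver)
    if name is None:
        return True
    return name not in exempt_hosts

# Constructed sample: trusted.lab.example genuinely lives at 10.0.0.5, while
# 203.0.113.7 carries a PTR record that falsely claims the same name.
SAMPLE = FakeResolver(
    ptr={"10.0.0.5": "trusted.lab.example", "203.0.113.7": "trusted.lab.example"},
    a={"trusted.lab.example": ["10.0.0.5"]},
)
EXEMPT = {"trusted.lab.example"}

if __name__ == "__main__":
    for ip in ("10.0.0.5", "203.0.113.7", "198.51.100.2"):
        print(ip, "OTP required" if otp_required(ip, EXEMPT, SAMPLE) else "exempt")
```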
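
The lock-directory rules from --enable-user-locking and the one-session-per-principal behavior from --disable-user-locking above, as an added example that is not OPIE's own locking code: the directory must be a real directory private to its owner with a parent nobody else can write, and the per-user lock is taken with an exclusive create so two sessions cannot both be mid-authentication for the same principal. `owner_uid` is a parameter (OPIE requires the super-user, uid 0) so the constructed scenario can run as an unprivileged user.

```python
import os, stat, tempfile

def lockdir_is_safe(lockdir, owner_uid=0):
    """True if lockdir is a real directory owned by owner_uid with no group/other
    access, and its parent is owned by owner_uid and not group/world-writable."""
    try:
        st = os.lstat(lockdir)                     # lstat: a symlink here is refused
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != owner_uid:
        return False
    if stat.S_IMODE(st.st_mode) & 0o077:           # anyone but the owner has access
        return False
    pst = os.stat(os.path.dirname(os.path.abspath(lockdir)))
    return pst.st_uid == owner_uid and not pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def acquire_lock(lockdir, principal, owner_uid=0):
    """Atomically create lockdir/<principal>; return its path, or None when
    another session is already authenticating that principal."""
    if not lockdir_is_safe(lockdir, owner_uid):
        raise PermissionError(f"{lockdir} is not a safe lock directory")
    if not principal or "/" in principal or principal in (".", ".."):
        raise ValueError("bad principal name")
    path = os.path.join(lockdir, principal)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return None                                # lost the race: refuse, don't wait
    with os.fdopen(fd, "w") as f:
        f.write(str(os.getpid()))                  # record the holder for diagnosis
    return path

def demo():
    """Constructed scenario in a temporary tree owned by the current user
    (standing in for root); returns five observations as booleans."""
    base = tempfile.mkdtemp()                      # mkdtemp creates the parent 0700
    lockdir = os.path.join(base, "opielocks")
    os.mkdir(lockdir, 0o700)
    me = os.getuid()
    safe = lockdir_is_safe(lockdir, me)
    first = acquire_lock(lockdir, "alice", me)
    second = acquire_lock(lockdir, "alice", me)    # concurrent attempt, same user
    os.unlink(first)                               # first session finishes
    third = acquire_lock(lockdir, "alice", me)
    os.unlink(third)
    os.chmod(lockdir, 0o755)                       # now others can list the locks
    return safe, first is not None, second is None, third is not None, lockdir_is_safe(lockdir, me)

if __name__ == "__main__":
    print(demo())
```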

The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.

The Makefile created by Autoconf should be correct for most users

Normally, you will need to type:

If you only want to build the client programs, type:

If you only want to build the server programs, type:

4. Verify that OPIE works on your system and install

Normally, you will need to type:

If you only want to install the client programs, type:

If you only want to install the server programs, type:

If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert to almost the
way things were before.

%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.

Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.