Administration Tasks Not Performed in the Web Manager : How Users are Registered with OTP and Obtain OTP Passwords

All users who need to use OTP authentication must have a local account on the OnBoard appliance, must be registered with the OTP system and must be able to obtain OTP passwords.
The OPIE commands in the following bulleted list must be executed with the -c option while the user is logged in locally through the OnBoard appliance’s console port:
The requirement for local logins through the console port is enforced for regular users because running the commands over a dial-in or other insecure connection may expose the user's passwords, pass phrases and OTP passwords. The root user can execute these commands without the -c option while logged in over ssh, because ssh provides a secure path. These commands should never be executed over a dial-in or telnet connection:
OTP passwords are generated in one of the following two ways:
By the user or administrator executing the opiekey command: If the opiekey command is executed by an administrator on behalf of a user, the administrator must give the OTP username and the user's secret pass phrase to each user along with the generated OTP passwords.
By the user with a password-generating device: If the user has a password-generating device, the user generates the OTP password when challenged at login, using the username and secret pass phrase along with the seed and sequence number displayed with the OTP challenge.
To register and generate OTP passwords for users:
The following procedure shows an example of an administrator logging in locally through the console port, registering a user and generating OTP passwords for the user. The example shows using cycli to add the user, but any of the tools available for adding users, including the Web Manager, may be used to configure the user account beforehand.
1.
2.
If using the cycli utility to add the user, do the following steps.
a.
The following screen example shows using the cycli utility to add user joe and set the user’s password to joes_passwd.
b.
NOTE: Adding users through the Web Manager adds them as normal UNIX users and as onboard users without requiring a separate step.
c.
3. Enter the opiepasswd command to register the user.
The following example shows using opiepasswd with the -c option while logged in locally through the OnBoard appliance console port. If you are logged in to the OnBoard appliance through ssh, do not use the -c option. The example uses joe as the username and joes secret pass phrase as the secret pass phrase.
NOTE: The secret pass phrase is not the same as the user’s regular login password.
In the example, the opiepasswd command generates the default OPIE sequence number of 499 and creates a seed (or key) from the first two letters of the hostname and a pseudo-random number (on93564 in the example).
[root@OnBoard /]# opiepasswd -c joe
Adding joe
Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses.
Enter new secret pass phrase: joes secret pass phrase
Again new secret pass phrase: joes secret pass phrase
 
ID joe OPIE key is 499 on93564
CITY MARY GLOW BILL MAY ARM
[root@OnBoard /]#
4. If desired, enter opiekey to generate a number of passwords for the user.
5.
6.
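The hash chain behind these commands, as an added illustration that is not part of the OnBoard documentation or of the OPIE code itself: opiepasswd stores only the top of an MD5 hash chain (sequence number and seed, never the pass phrase), opiekey computes the responses further down the chain, and the login check hashes the submitted response one more step and compares it with the stored value. The function names opie_hash, otp_response, opiepasswd, challenge, verify and opiekey are this example's own, and responses are shown as hex rather than in OPIE's six-word form.

```python
import hashlib
import hmac
import secrets

def opie_hash(data: bytes) -> bytes:
    """One OPIE/S/KEY MD5 step: MD5 the input, then fold the 16-byte digest to 8 bytes by XOR."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_response(passphrase: str, seed: str, seq: int) -> bytes:
    """Response for sequence number seq: hash seed+passphrase, then apply seq further steps."""
    h = opie_hash((seed.lower() + passphrase).encode())
    for _ in range(seq):
        h = opie_hash(h)
    return h

def opiepasswd(passphrase: str, seed: str = "", seq: int = 499) -> dict:
    """Register a user as `opiepasswd -c` does: keep the seed, the starting sequence
    number and the response for that number. The pass phrase itself is never stored."""
    if not seed:  # constructed seed in the page's style: hostname prefix plus random digits
        seed = "on" + str(secrets.randbelow(100000)).zfill(5)
    return {"seq": seq, "seed": seed, "last": otp_response(passphrase, seed, seq)}

def challenge(record: dict) -> str:
    """Login challenge shown to the user: the next sequence number down, and the seed."""
    return f"otp-md5 {record['seq'] - 1} {record['seed']}"

def verify(record: dict, response: bytes) -> bool:
    """Server-side check: one more hash step on the response must reproduce the stored
    value. On success the response becomes the stored value, so it cannot be replayed."""
    if record["seq"] <= 1:  # chain exhausted; the user must be re-registered with opiepasswd
        return False
    if not hmac.compare_digest(opie_hash(response), record["last"]):
        return False
    record["last"] = response
    record["seq"] -= 1
    return True

def opiekey(passphrase: str, seed: str, seq: int, count: int = 1) -> list:
    """Like `opiekey -n count seq seed`: (sequence, response) pairs for the next count logins."""
    return [(s, otp_response(passphrase, seed, s)) for s in range(seq - count + 1, seq + 1)]

if __name__ == "__main__":
    record = opiepasswd("joes secret pass phrase", seed="on93564")
    print("ID joe OPIE key is", record["seq"], record["seed"], record["last"].hex())
    print(challenge(record))
```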