Administration Tasks Not Performed in the Web Manager : Specifying the Location for the OTP Databases

Specifying the Location for the OTP Databases
As configured on the OnBoard appliance, OTP expects its user databases to reside in /mnt/opie/etc. The OnBoard appliance’s resident Flash memory does not provide a directory for the OTP databases, so the OnBoard administrator must mount a device on /mnt/opie. You may use a compact Flash PCMCIA card or an NFS-mounted directory.
To configure a compact Flash card for OTP, the root user logs into the OnBoard appliance’s console and runs the /bin/do_create_cf_ext2 script on the command line. The script does the following:
To configure a PC compact Flash card for OTP database storage:
1.
2. Enter the /bin/do_create_cf_ext2 script on the command line.
To configure a NFS-mounted directory for OTP database storage:
1.
2.
3.
[root@OnBoard /]# cycli -CF set service rpc enable yes
4.
The following screen example uses nfs_server.avocent.com as the NFS server name and
/home/opie as the exported directory’s name.
[root@OnBoard /]# mount -t nfs nfs_server.avocent.com:\
/home/opie /mnt/opie
5.
[root@OnBoard /]# mkdir /mnt/opie/etc
[root@OnBoard /]# touch /mnt/opie/etc/opiekeys
[root@OnBoard /]# chmod 0644 /mnt/opie/etc/opiekeys
[root@OnBoard /]# chown root:bin /mnt/opie/etc/opiekeys
To configure OTP authentication for modem or GSM phone card dial-ins:
1.
2. Use vi or another text editor to open the /etc/mgetty.login.config file for editing and find this entry: * - - /bin/login.
3.
4.
To configure OTP authentication for SSH or console logins:
This procedure manually configures Telnet or SSH logins to the console with either the OTP or OTP/Local authentication method; it does so by changing the targets of the symbolic links /etc/pam.d/sshd and /etc/pam.d/login to /etc/pam.d/otp or /etc/pam.d/otplocal.
NOTE: The Web Manager does not support OTP authentication.
1.
[root@OnBoard /]# cd /etc/pam.d
2.
CAUTION: If OTP is chosen, users (including root) may be locked out if it is not configured properly. You can test whether OTP is working by first changing only the symbolic link for login, as shown in the following screen example, and then attempting access using telnet. If the telnet login using an OTP password succeeds, you can safely change the method for ssh logins as described in step 3.
[root@OnBoard /]# ln -sf /etc/pam.d/otp login
-or-
[root@OnBoard /]# ln -sf /etc/pam.d/otplocal login
3.
[root@OnBoard /]# ln -sf /etc/pam.d/otp sshd
-or-
[root@OnBoard /]# ln -sf /etc/pam.d/otplocal sshd
NOTE: The cycli utility and the Web Manager may not display the correct authentication information when the symbolic links are changed manually.
To configure OTP authentication for a device:
This procedure manually configures a previously configured device or devices to use the OTP or OTP/Local authentication method.
1.
2.
3.
authtype = otp
-or-
authtype = otplocal
4.
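The following audit script is an added example, not part of the OnBoard manual or the appliance's own tooling. It verifies the end state of the NFS/compact Flash procedure (a mounted /mnt/opie, an opiekeys file with mode 0644 and owner root:bin) and of the PAM procedure (login and sshd symbolic links pointing at otp or otplocal), which is the check to run before and after changing the sshd link, given the lockout caution above. It assumes a POSIX shell with df, find and readlink; the ROOT argument is a prefix so the checks can also be run against a staged copy of the file tree.

```shell
#!/bin/sh
# Added audit (not from the manual). Prints one OK:/FAIL: line per check and
# returns 0 only if every check passed. ROOT is a path prefix ("/" on the
# appliance itself; a staging directory when testing offline).
otp_audit() {
    root=${1%/}                      # "/" becomes "", so paths still start with /
    opie="$root/mnt/opie"
    keys="$opie/etc/opiekeys"
    fails=0

    # 1. /mnt/opie must be a mount point (Flash card or NFS), not resident Flash.
    mounted_on=$(df -P "$opie" 2>/dev/null | awk 'NR == 2 { print $6 }')
    if [ "$mounted_on" = "$opie" ]; then
        echo "OK: $opie is a mount point"
    else
        echo "FAIL: $opie is not a mount point (mounted on '${mounted_on:-none}')"
        fails=$((fails + 1))
    fi

    # 2. opiekeys must exist with the permissions the procedure sets.
    if [ ! -f "$keys" ]; then
        echo "FAIL: $keys is missing"; fails=$((fails + 1))
    else
        if [ -n "$(find "$keys" -prune -perm 0644 -print 2>/dev/null)" ]; then
            echo "OK: opiekeys mode is 0644"
        else
            echo "FAIL: opiekeys mode is not 0644"; fails=$((fails + 1))
        fi
        if [ -n "$(find "$keys" -prune -user root -group bin -print 2>/dev/null)" ]; then
            echo "OK: opiekeys owner is root:bin"
        else
            echo "FAIL: opiekeys owner is not root:bin"; fails=$((fails + 1))
        fi
    fi

    # 3. Each PAM service file must be a symlink to the otp or otplocal stack.
    for svc in login sshd; do
        target=$(readlink "$root/etc/pam.d/$svc" 2>/dev/null || true)
        case "$target" in
            */otp|*/otplocal|otp|otplocal) echo "OK: $svc -> $target" ;;
            "") echo "FAIL: $svc is not a symbolic link"; fails=$((fails + 1)) ;;
            *)  echo "FAIL: $svc -> $target (not otp/otplocal)"; fails=$((fails + 1)) ;;
        esac
    done
    [ "$fails" -eq 0 ]
}

# Runs only when a root prefix is given, e.g.:  sh otp_audit.sh /
[ -z "${1-}" ] || otp_audit "$1"
```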