All users who need to use OTP authentication must have a local account on the OnBoard appliance, must be registered with the OTP system and must be able to obtain OTP passwords.

The opiepasswd command used in the following procedure must be executed with the -c option while the user is logged in locally through the OnBoard appliance's console port. Local login through the console port is required for regular users because running the command over a dial-in or other unsecured connection may expose user passwords, secret pass phrases and OTP passwords. The root user can execute the command without the -c option while logged in over ssh, because ssh provides a secure path. Never run these commands over a dial-in or telnet connection.

OTP passwords can be generated in one of two ways:
• By the user or administrator executing the opiekey command: If the opiekey command is executed by an administrator on behalf of a user, the administrator must give the OTP username and the user's secret pass phrase to the user along with the generated OTP passwords.
• By the user with a password generating device: If a user has a password generating device, the user generates the OTP password when challenged at login, using the username and secret pass phrase along with the seed and sequence number that are displayed with the OTP challenge.

The following procedure shows an example of an administrator logging in locally through the console port, registering a user and generating OTP passwords for the user. The example uses cycli to add the user, but any of the tools available for adding users, including the Web Manager, may be used to configure the user account beforehand.

1. Log in as root locally through the OnBoard appliance's console port.

2. Add the user account.

a. The following screen example shows using the cycli utility to add user joe and set the user's password to joes_passwd.

[root@OnBoard /]# cycli
cli> add user joe
cli> set user joe passwd joes_passwd

b. Add the user as an onboard user, then commit the changes and exit cycli.

NOTE: Adding users through the Web Manager adds them as normal UNIX users and as onboard users without requiring a separate step.

cli> add onboard user joe
cli> commit
cli> exit
3. Enter the opiepasswd command to register the user. The following example shows using opiepasswd with the -c option while logged in locally through the OnBoard appliance's console port. If you are logged in as root over ssh, do not use the -c option: without -c, opiepasswd does not prompt for the secret pass phrase but instead issues an OTP challenge that must be answered with a response computed elsewhere (for example with opiekey on a trusted machine), so the pass phrase never crosses the connection. The example uses joe as the username and joes secret pass phrase as the secret pass phrase.

In the example, the opiepasswd command generates the default OPIE sequence number of 499 and creates a seed (or key) from the first two letters of the hostname and a pseudo-random number, in the example on93564. The pass phrase is shown in the example for readability; it is not echoed when typed.

[root@OnBoard /]# opiepasswd -c joe
Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: joes secret pass phrase
Again new secret pass phrase: joes secret pass phrase
ID joe OPIE key is 499 on93564
4. If desired, enter opiekey to generate a number of passwords for the user. After registration at sequence number 499, the first login challenge uses sequence number 498, so for example opiekey -n 5 498 on93564 prompts for the secret pass phrase and produces the responses for sequence numbers 498 down to 494. Because opiekey asks for the pass phrase, run it only on the console or another trusted path, never over dial-in or telnet.

5. Give the OTP username, secret pass phrase and any OTP passwords generated in this procedure to the user. Deliver them out of band over a secure channel: anyone who learns the pass phrase can compute every remaining OTP password for that seed.
6. Save the changes by entering the saveconf command.