How Users are Registered with OTP and Obtain OTP Passwords

All users who need to use OTP authentication must have a local account on the OnSite, must be registered with the OTP system, and must be able to obtain OTP passwords.

The OPIE commands in the following bulleted list must be executed with the -c option while a user is logged in locally through the OnSite’s console port.
• The opiepasswd command to register users
• The opiekey command to generate OTP passwords

The requirement for local logins through the console port is enforced for regular users because running the commands through a dial-up or other insecure connection can expose the user passwords, pass phrases, and OTP passwords. The root user can execute these commands without the -c option while logged in over ssh because ssh provides a secure path. The OPIE commands should never be executed over a dial-up connection.
• By the user or administrator executing the opiekey command

If the opiekey command is executed by an administrator on behalf of a user, the administrator must provide the username and the secret pass phrase that were used to register the user to the user along with the generated OTP passwords.

If a user has a password generating device, then the user generates the OTP password when challenged at login using the username and secret pass phrase, along with the seed and sequence number (the seed and sequence number are displayed along with the OTP challenge).

The following procedure shows an example of an administrator logging in locally through the console port, registering a user, and generating OTP passwords for the user. The example shows running the adduser command to add the user, but any of the tools available for adding users, including the Web Manager, may be used to configure the user account beforehand.

To Register and Generate OTP Passwords for Users

Do this procedure for each user who needs to use OTP authentication after To Enable OTP and Configure the Location for OTP Databases.
1. Log in locally through the OnSite’s Console port as root or use ssh to log into the OnSite’s console.

Note: You can separately use the Web Manager to add users instead of doing this step.

For example, the following screen shows using the adduser command to add user joe and set the user’s password to “joes_passwd.”

    [root@OnSite /]# adduser joe
    New password: joes_passwd
    Re-enter new password: joes_passwd
3. Enter the opiepasswd command to register the user.

The following screen example shows using opiepasswd with the -c option while logged in locally through the OnSite’s CONSOLE port. If you are logged into the OnSite’s console using ssh, do not use the -c option.

The example shows using “joe” as the username and “joes secret pass phrase” as the secret pass phrase. In the example, the opiepasswd command generates a default OPIE sequence number of 499 and creates a seed from the first two letters of the hostname and a pseudo-random number, in the example ON93564.

    [root@OnSite /]# opiepasswd -c joe
    Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter.
    Using MD5 to compute responses.
    Enter new secret pass phrase: joes secret pass phrase
    Again new secret pass phrase: joes secret pass phrase
4. If needed, enter the opiekey command with the -c option to generate a number of passwords and supply them to the user.

The following command line example uses the -n 5 option followed by the 498 to generate 5 passwords ending with sequence number 498.

    Enter secret pass phrase: joes secret pass phrase
5. Give the OTP username, secret pass phrase, and any OTP passwords generated in this procedure to the user.
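The following Python script is an added illustration, not part of the OnSite software or the OPIE tools. It implements the MD5 one-time password chain of RFC 2289 that opiepasswd and opiekey use, with the values from this procedure (pass phrase “joes secret pass phrase”, seed ON93564, default sequence number 499, and the `-n 5 498` list from step 4). It shows passwords in hexadecimal form rather than opiekey’s default six-word form, and the server-side record shows why the seed and sequence number can be shown in the challenge while the pass phrase must never leave a secure path.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """OTP number `sequence`: hash seed+passphrase once, then re-hash `sequence` times.
    The seed is case-insensitive (lower-cased); the pass phrase is used as typed."""
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(sequence):
        value = _fold(hashlib.md5(value).digest())
    return value


def otp_hex(value: bytes) -> str:
    """Hexadecimal output form: 16 hex digits in groups of four."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def generate_list(passphrase: str, seed: str, last_sequence: int, count: int):
    """Same set as `opiekey -n count last_sequence seed`: the `count` passwords
    ending with `last_sequence`, lowest sequence number first."""
    first = last_sequence - count + 1
    return [(n, otp_md5(passphrase, seed, n)) for n in range(first, last_sequence + 1)]


class OtpRecord:
    """What the OTP database keeps after opiepasswd: seed, current sequence number
    and the OTP for that number. The pass phrase itself is never stored."""

    def __init__(self, passphrase: str, seed: str, sequence: int = 499):
        self.seed = seed
        self.sequence = sequence
        self.last = otp_md5(passphrase, seed, sequence)

    def challenge(self) -> str:
        # The login prompt reveals only the next sequence number and the seed.
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the response once must reproduce the stored previous OTP;
        # on success the response becomes the new stored value (no replay).
        if _fold(hashlib.md5(response).digest()) != self.last:
            return False
        self.last, self.sequence = response, self.sequence - 1
        return True
```

Each password is accepted exactly once and in descending order, which is why the five passwords from step 4 must be used starting from 498 and handed to the user over a path that cannot be observed.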