Miscellaneous Procedures > OTP Configuration

OTP Configuration
As introduced in One Time Password Authentication on the OnSite, OPIE (one-time passwords in everything) software on the OnSite supports the one-time password (OTP) authentication method for some types of access.
As shown in Supported Authentication Types, the OTP authentication method and the OTP/Local fallback option are supported for serial ports, and the OTP authentication method is supported for dial-ins through modem, GSM, and CDMA PCMCIA cards.
Note: OTP authentication is not supported for logins to the OnSite or to KVM ports.
This section describes what the OnSite administrator must do to configure OTP authentication.
OnSite administrators must perform OTP configuration tasks in the order given in the following bulleted list:
- An OnSite administrative user may also use the Web Manager or CLI to configure OTP authentication to be used for dial-ins to modem, GSM, and CDMA PCMCIA cards.
- An OnSite administrative user may also use the Web Manager, OSD, or CLI to configure OTP or OTP/Local authentication methods for serial port logins or serial port dial-ins, when a modem is connected to a serial port configured for PPP access.
- An OnSite administrator must make sure each user who needs to use OTP has a local account on the OnSite, is registered with the OTP system, and is able to obtain the OTP passwords, OTP username, and secret pass phrase needed for login.
The following list gives the OTP authentication configuration tasks in order, with the CLI command where one applies.
1. Edit the /etc/otp.conf file to configure the location used for storage of OPIE databases.
2. Run the /bin/do_create_otpdb script to initialize OTP and mount the directory to be used for OPIE database storage.
3. Configure OTP or OTP/Local as the authentication method for access to all serial ports or individual serial ports.
   CLI: cli> config physicalports [specify "all" or a port number from 1-8] access authtype [otp | otplocal]
4. Configure OTP authentication for dial-ins through PCMCIA modem, GSM, and CDMA cards.
   CLI: cli> config network pcmcia [specify a slot number "1" or "2"] [specify modem | cdma | gsm] otpauthreq
5. Make sure each user who needs to use OTP has a local user account, is registered with the OTP system, and is able to obtain the OTP username, OTP secret pass phrase, and OTP passwords needed for logins. See the following list for options:
   - Register each user yourself and give the OTP username and OTP secret pass phrase to each user.
   - Generate the needed OTP passwords on behalf of each user and give them to each user.
   - Make sure users are equipped with an OTP generator that is not on the network, so they can generate their own OTP passwords when challenged at login time.
An OTP dial-in login then proceeds as follows:
1. The user dials into the OnSite through a PCMCIA modem card that has been configured to use OTP authentication.
2. The OnSite challenges with the sequence number and seed associated with the username and asks for a response.
3. The user enters the sequence number, seed, and the secret pass phrase locally into a copy of opiekey on the user's laptop and obtains an OTP password.
4. The user answers the OnSite challenge with the OTP password and gets dial-in access to the OnSite.
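To make the challenge/response above concrete, here is an added example (not OnSite or OPIE code) that computes the RFC 2289 one-time password from the sequence number, seed, and pass phrase the way opiekey does (MD5 variant, assumed to be opiekey's default), and shows the server-side check that lets the OnSite verify a response without ever storing the pass phrase. The OtpAccount class is a hypothetical stand-in for the OPIE database record.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_initial(seed: str, passphrase: str) -> bytes:
    """Initial step: MD5 over the lowercased seed followed by the pass phrase."""
    return _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def otp_step(key: bytes) -> bytes:
    """One computation step: hash the 64-bit value and fold it again."""
    return _fold(hashlib.md5(key).digest())


def otp_compute(seed: str, seq: int, passphrase: str) -> str:
    """Hex form of the password opiekey prints for challenge 'otp-md5 <seq> <seed>'."""
    key = otp_initial(seed, passphrase)
    for _ in range(seq):
        key = otp_step(key)
    return key.hex().upper()


class OtpAccount:
    """Hypothetical OPIE-style record: the server keeps only the last accepted OTP."""

    def __init__(self, seed: str, seq: int, last_otp_hex: str):
        self.seed, self.seq, self.last = seed, seq, bytes.fromhex(last_otp_hex)

    def challenge(self) -> str:
        # The OnSite asks for the next (lower) sequence number with the same seed.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # Hashing the response once must reproduce the stored value. On success the
        # response replaces it and the sequence drops, so a replayed password fails.
        response = bytes.fromhex(response_hex)
        if otp_step(response) != self.last:
            return False
        self.last, self.seq = response, self.seq - 1
        return True


def login_trace(seed: str, seq: int, passphrase: str) -> list:
    """Register at `seq`, answer one challenge, replay it, then answer the next one."""
    acct = OtpAccount(seed, seq, otp_compute(seed, seq, passphrase))
    first = otp_compute(seed, seq - 1, passphrase)
    return [acct.verify(first), acct.verify(first),
            acct.verify(otp_compute(seed, seq - 2, passphrase))]
```

The pass phrase never leaves the user's opiekey copy; the OnSite only needs the stored previous password to check each response, which is why the sequence counts down toward re-registration.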
For more details about OTP, see: http://www.freebsd.org/doc/en/books/handbook/one-time-passwords.html.