
FreeBSD Manual Pages


OPIEACCESS(5)	     File Formats Manual       OPIEACCESS(5)

       /etc/opieaccess - OPIE database of trusted networks

       The opieaccess file contains a list of networks that are
       considered trusted by the system as far as security against
       passive attacks is concerned. Users from networks so trusted
       will be able to log in using OPIE responses, but not be
       required to do so, while users from networks that are not
       trusted will always be required to use OPIE responses (the
       default behavior). This trust allows a site to have a more
       gentle migration to OPIE by allowing it to be non-mandatory
       for "inside" networks while allowing users to choose whether
       they wish to use OPIE to protect their passwords or not.

       The entire notion of trust implemented in the opieaccess file
       is a major security hole because it opens your system back up
       to the same passive attacks that the OPIE system is designed
       to protect you against. The opieaccess support in this version
       of OPIE exists solely because we believe that it is better to
       have it so that users who don't want their accounts broken
       into can use OPIE than to have them prevented from doing so by
       users who don't want to use OPIE. In any environment, it
       should be considered a transition tool and not a permanent
       fixture. When it is not being used as a transition tool, OPIE
       should be built without support for the opieaccess file, to
       prevent the possibility of an attacker using this file as a
       means to circumvent the OPIE software.

       The opieaccess file consists of lines containing three fields
       separated by spaces (tabs are properly interpreted, but spaces
       should be used instead) as follows:

       Field     Description
       action    "permit" or "deny" non-OPIE logins
       address   Address of the network to match
       mask      Mask of the network to match

       Subnets can be controlled by using the appropriate address and
       mask. Individual hosts can be controlled by using the
       appropriate address and a mask of
       If no rules are matched, the default is to deny non-OPIE
       logins.
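
       An added example, not part of this manual page or of the OPIE
       sources: a Python audit helper that parses the three-field
       format described above, decides whether a client address may
       skip OPIE, and sizes each permit rule for review. The function
       names, the sample rules, and the first-match rule ordering are
       assumptions; the page itself only states the default-deny
       fallback.

```python
import ipaddress

# Constructed sample contents for /etc/opieaccess (not from a real system).
# Line 3 uses an all-ones mask to name a single host; line 4 is malformed.
SAMPLE = """\
permit 192.168.10.0 255.255.255.0
deny 10.0.0.0 255.0.0.0
permit 10.1.2.3 255.255.255.255
allow 172.16.0.0 255.240.0.0
permit 0.0.0.0 0.0.0.0
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_opieaccess(text):
    """Return (rules, errors). A rule is (lineno, action, address, mask)."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()  # splits on spaces and tabs
        if not fields:
            continue
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            errors.append((lineno, "expected: permit|deny address mask"))
            continue
        try:
            rules.append((lineno, fields[0], to_int(fields[1]), to_int(fields[2])))
        except ipaddress.AddressValueError:
            errors.append((lineno, "address or mask is not a dotted quad"))
    return rules, errors

def non_opie_login_allowed(rules, client):
    """True if `client` may log in without an OPIE response."""
    addr = to_int(client)
    for _, action, network, mask in rules:
        # Assumption: the first matching line decides the outcome.
        if (addr & mask) == (network & mask):
            return action == "permit"
    return False  # no rule matched: the default is to deny non-OPIE logins

def permit_exposure(rules):
    """(lineno, addresses covered) for each permit rule, to review its scope."""
    return [(n, 2 ** (32 - bin(mask).count("1")))
            for n, action, _, mask in rules if action == "permit"]
```

       Under the first-match assumption, the host rule on line 3 of
       the sample is shadowed by the broader deny on line 2, and the
       final 0.0.0.0 rule makes OPIE optional for every address not
       matched earlier.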

       ftpd(8), login(1), opie(4), opiekeys(5), opiepasswd(1),
       opieinfo(1), su(1)

       Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and
       John S. Walden of Bellcore. OPIE was created at NRL by Randall
       Atkinson, Dan McDonald, and Craig Metz.

       S/Key is a trademark of Bell Communications Research

       OPIE is discussed on the Bellcore "S/Key Users" mailing list.
       To join, send an email request to:

7th Edition	      January 10, 1995	       OPIEACCESS(5)

