
FreeBSD Manual Pages


OPIEACCESS(5)	     File Formats Manual       OPIEACCESS(5)

       /etc/opieaccess - OPIE database of trusted networks

       The opieaccess file contains a list of networks that are considered
       trusted by the system as far as security against passive attacks is
       concerned. Users from networks so trusted will be able to log in using
       OPIE responses, but not be required to do so, while users from networks
       that are not trusted will always be required to use OPIE responses (the
       default behavior). This trust allows a site to have a more gentle
       migration to OPIE by allowing it to be non-mandatory for "inside"
       networks while allowing users to choose whether they wish to use OPIE
       to protect their passwords or not.

       The entire notion of trust implemented in the opieaccess file is a
       major security hole because it opens your system back up to the same
       passive attacks that the OPIE system is designed to protect you
       against. The opieaccess support in this version of OPIE exists solely
       because we believe that it is better to have it so that users who
       don't want their accounts broken into can use OPIE than to have them
       prevented from doing so by users who don't want to use OPIE. In any
       environment, it should be considered a transition tool and not a
       permanent fixture. When it is not being used as a transition tool,
       OPIE should be built without support for the opieaccess file to
       prevent the possibility of an attacker using this file as a means to
       circumvent the OPIE software.

       The opieaccess file consists of lines containing three fields
       separated by spaces (tabs are properly interpreted, but spaces should
       be used instead) as

       Field        Description
       action       "permit" or "deny" non-OPIE logins
       address      Address of the network to match
       mask         Mask of the network to match

       Subnets can be controlled by using the appropriate address and mask.
       Individual hosts can be controlled by using the appropriate address
       and a mask of
       If no rules are matched, the default is to deny non-OPIE logins.
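
       The rule format and default described above, as an added example
       (not part of OPIE or of this manual page): a Python parser, evaluator
       and audit pass for opieaccess lines. It assumes IPv4 dotted-quad
       fields, that the first matching line decides, and that lines starting
       with "#" are comments; this page states none of these.

```python
import ipaddress

# Constructed sample contents (documentation addresses, not a real system).
SAMPLE = """\
# constructed example rules
deny 192.0.2.66 255.255.255.255
permit 192.0.2.0 255.255.255.0
permit 10.0.0.0 255.0.0.0
"""

def parse_opieaccess(text):
    """Return [(lineno, action, network, mask)] with network/mask as ints."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()  # splits on spaces and tabs alike
        if not fields or fields[0].startswith("#"):  # assumption: '#' comments
            continue
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected 'permit|deny address mask'")
        addr = int(ipaddress.IPv4Address(fields[1]))
        mask = int(ipaddress.IPv4Address(fields[2]))
        rules.append((lineno, fields[0], addr & mask, mask))
    return rules

def non_opie_login_allowed(rules, client):
    """True if a plain (non-OPIE) login from client would be accepted."""
    ip = int(ipaddress.IPv4Address(client))
    for _, action, network, mask in rules:
        if (ip & mask) == network:  # assumption: first matching line wins
            return action == "permit"
    return False  # per the page: no rule matched, deny non-OPIE logins

def audit(rules, max_hosts=256):
    """List every permit rule as (lineno, covered_addresses, too_broad).

    Each permit re-exposes reusable passwords to passive capture from the
    covered range, so all are reported; max_hosts is an arbitrary threshold.
    """
    findings = []
    for lineno, action, _, mask in rules:
        if action == "permit":
            covered = 1 << bin(mask ^ 0xFFFFFFFF).count("1")
            findings.append((lineno, covered, covered > max_hosts))
    return findings
```

       An empty result from audit() means OPIE responses are mandatory from
       every network, which is the state the text above recommends reaching.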

       ftpd(8), login(1), opie(4), opiekeys(5), opiepasswd(1), opieinfo(1),
       su(1)

       Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S.
       Walden of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan
       McDonald, and Craig Metz.

       S/Key is a trademark of Bell Communications Research

       OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
       send an email request to:

7th Edition	      January 10, 1995	       OPIEACCESS(5)

