diff options
Diffstat (limited to 'contrib/opie/INSTALL')
| -rw-r--r-- | contrib/opie/INSTALL | 178 |
1 files changed, 0 insertions, 178 deletions
diff --git a/contrib/opie/INSTALL b/contrib/opie/INSTALL deleted file mode 100644 index db23f84a2b76..000000000000 --- a/contrib/opie/INSTALL +++ /dev/null @@ -1,178 +0,0 @@ -OPIE Software Distribution, Release 2.4 Installation Instructions -======================================= ========================= - - Did you read the README file? - - If not, please go do so, then come back here. There is information in -the README file that you will probably need to know in order to build and use -OPIE, and you are better off doing it before you try to compile and install -it. - - OPIE uses Autoconf to automagically figure out as much as possible -about your system. There are four steps to installing OPIE. Please read them -all first before attempting to do them. - -1. Run the "configure" script. - - Normally, you will need to type: - - sh configure - - If you would like to use an access file to allow users from some hosts -to log into your system without using OTPs (thus opening up a big security -hole, but a necessary evil for some sites), type: - - sh configure --enable-access-file=/etc/opieaccess - - If you'd like the file to go somewhere else, adjust this appropriately. - - There are a number of configure-time options available for OPIE. You -probably don't want to change the defaults. To get a complete listing of the -currently available options, type: - - sh configure --help - - Some options that may be of interest are: - - --enable-access-file=FILENAME: Enable the OPIE access file FILENAME - The OPIE access file provides a system administrator with the ability - to make the use of OTP optional for certain hosts. Note that individual - users can create a file named ".opiealways" in their home directory to - require that OTP be used to access to their account. Note also that the - access file is based on addresses, but many of the clients that use it - are only given hostnames. This opens this entire scheme up to DNS - spoofing attacks, which is a major security problem. ALWAYS use a - package such as tcp_wrappers configured to do paranoid checking on DNS - information if you enable this option (it's good practice anyway). - - --enable-server-md4: Use MD4 instead of MD5 for the server - The old S/Key package used MD4 instead of MD5. MD4 is believed to be - less secure than MD5. Use this option only for compatibility with old - key files. - - --disable-user-locking: Disable user locking - OPIE only allows one session at a time to attempt to authenticate a - principal; this prevents a possible race attack on OTP. This locking - mechanism can cause problems in some applications, in which case you - might want to disable the locking. This option also provides a work- - around if the locking code doesn't work reliably on your system. - - --enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks] - The OPIE lock files need to be put in an isolated directory that is - only accessable by the super-user and has a parent directory that is - only writable by the super-user. If you are trying to use OPIE with - the key file shared by NFS, you need to make the lock directory - shared too. (But you read the README file, so you knew this) - - --enable-retype: Ask users to re-type their secret pass phrases - On the one hand, this helps prevent users from having to go generate - an OTP, type it into a remote system, and then found out they - mistyped. On the other hand, it's annoying. If this is enabled, users - can simply hit return at the second prompt and the generator will skip - the retype check, which allows users who don't like the retype check - to mostly skip it. - - --enable-su-star-check: Refuse to switch to disabled accounts - On many systems, an asterisk means one thing and one thing only: this - account is never meant for human users. Therefore, it doesn't make - much sense for anyone other than an attacker to try to su to that - account. Enabling this check causes su to refuse to switch to - accounts with an asterisk in their password field. While probably - better for security, this is not compatible with traditional *IX su - behavior, so it is disabled by default - - --disable-new-prompts: Use more compatible (but less informative) prompts - OPIE uses login prompts that tell you exactly what kind of response - (an OTP response and/or a cleartext password) it expects you to give. - This can break automatic login scripts that look for 'Password:' as - the prompt for the password. If you have users that use such scripts, - you might want to disable the more informative responses so as not to - break those scripts. - - --enable-insecure-override: Allow users to override insecure checks - While OPIE cannot determine whether or not a session is secure, it can - check for fairly common signs that it isn't secure. If it believes the - session is insecure, some programs like opiekey will refuse to run - because they prompt the user to send a secret pass phrase. Sometimes - these checks declare a session insecure when it is, and sometimes the - user wants to continue anyway even if the session is insecure. If this - option is enabled, many commands gain a '-f' option to force them to - operate even if OPIE thinks the session is insecure. - - --enable-anonymous-ftp Enable anonymous FTP support - By default, the OPIE FTP daemon does not support anonymous FTP - service. The FTP daemon contains many security related bug fixes - relative to the original source, but bugs probably remain. It was not - intended to be used for anonymous FTP, where it is more open to the - commands of potentially hostile users. If you enable this option, it - will once again support anonymous FTP, but it probably isn't secure - when that way. - - --disable-utmp Disable utmp logging - --disable-wtmp Disable wtmp logging - On some systems, logging to the utmp and/or wtmp files is just a lost - cause. If this is the case on your system, you might be better off - not having OPIE even try. - - --enable-opieauto Enable support for opieauto - opieauto is a facility that caches an intermediate result of the OTP - generator so that a user-selected number of OTPs can be generated on - demand for each time the user types in the secret pass phrase. This - is great for user convenience, as typing a twenty or thirty character - secret pass phrase can be annoying. It can also be a minor security - hole (see the README for details). - -2. Edit the Makefile - - The Makefile contains some options that you may wish to modify. Also -verify that Autoconf chose the correct options for your system. - - The Makefile created by Autoconf should be correct for most users -as-is. - -3. Build OPIE - - Normally, you will need to type: - - make - - If you only want to build the client programs, type: - - make client - - If you only want to build the server programs, type: - - make server - -4. Verify that OPIE works on your system and install - - Normall, you will need to type: - - make install - - If you only want to install the client programs, type: - - make client-install - - If you only want to install the server programs, type: - - make server-install - - If you encounter any problems, you may be able to run "make uninstall" -to remove the OPIE software from your system and revert back to almost the -way things were before. - -Copyright -========= - -%%% portions-copyright-cmetz-96 -Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights -Reserved. The Inner Net License Version 2 applies to these portions of -the software. -You should have received a copy of the license with this software. If -you didn't get a copy, you may request one from <license@inner.net>. - -Portions of this document are Copyright 1995 by Randall Atkinson and Dan -McDonald, All Rights Reserved. All Rights under this copyright are assigned -to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and -License Agreement applies to this software. |