From owner-freebsd-questions Mon Jun 24 12:42:24 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA25136 for questions-outgoing; Mon, 24 Jun 1996 12:42:24 -0700 (PDT)
Received: from mistery.mcafee.com (jimd@mistery.mcafee.com [192.187.128.69]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA25131 for ; Mon, 24 Jun 1996 12:42:21 -0700 (PDT)
Received: (from jimd@localhost) by mistery.mcafee.com (8.6.11/8.6.9) id MAA15177; Thu, 24 Jun 2010 12:53:27 -0700
From: Jim Dennis
Message-Id: <201006241953.MAA15177@mistery.mcafee.com>
Subject: Re: ppp with dynamic password
To: mark@seeware.DIALix.oz.au (Mark Hannon)
Date: Thu, 24 Jun 110 12:53:27 -0700 (PDT)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "Mark Hannon" at Jun 24, 96 12:13:53 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Hi,
>
> I have just started using a new dialin system to my employer. The
> login script consists of a dynamically allocated password (the password
> is set by a little credit-card device which is synced to a master clock
> and generates the password).
>
> Anybody with any ideas how to set this up with ppp??

There is an obscure option with (some implementations of???) the shadow
password suite -- where you specify an alternative authentication method
in the master password file (/etc/master.passwd) like so:

    ppp:@/usr/local/bin/secureID:1:31::0:0:Point-to-Point Protocol:/export/home:
    jimd:$1$RxhpZpOH.:1000:1000::0:0:James T. Dennis:/home/jimd:/usr/local/bin/bash

Note that the ppp entry above has a password that starts with an "@"
("at" sign) and then specifies a hypothetical program which will prompt
for, read and validate a password. I seem to recall that I experimented
with this briefly and confirmed that it worked under Solaris, Linux and
FreeBSD.

The program specified should return a 0 exit value for a valid response
and a non-zero value to signify non-authorization (I tested with a shell
script -- that would be *horribly* insecure in practice).

Hope that helps.

Jim Dennis, former System Administrator, McAfee Associates
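As an added example (not code from the message above, and not part of any FreeBSD or shadow-suite distribution), here is what the program named in the "@" password field could look like, written to the contract the reply states: prompt for the password without echo, validate it, exit 0 if it is acceptable and non-zero otherwise. The clock-synced card's actual algorithm is not given on the page, so this assumes a TOTP-style scheme (RFC 6238: HMAC-SHA1 over a 30-second counter, 6 displayed digits) and a hypothetical root-only secret file at /etc/ppp-token.key; a real deployment would use whatever the vendor's token computes. It accepts a code from the neighbouring time steps so that a slightly drifted clock does not lock the user out, and it compares every candidate window in constant time rather than returning on the first match.

```python
#!/usr/bin/env python3
"""Hypothetical external authenticator for a clock-synced token login.

Contract (as described in the mail): prompt for, read and validate a
password; exit 0 for a valid response, non-zero otherwise.

ASSUMPTIONS (not stated on the page): the token is TOTP-like (RFC 6238,
HMAC-SHA1, 30-second steps, 6 digits) and the shared secret lives in a
root-only file.  Both are illustrative, not the real card's scheme.
"""
import hashlib
import hmac
import struct
import sys
import time

TIME_STEP = 30                        # seconds per token value (assumption)
DIGITS = 6                            # displayed code length (assumption)
SECRET_FILE = "/etc/ppp-token.key"    # hypothetical root-only secret file


def totp_code(secret: bytes, unix_time: int,
              step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 value for the time step that contains unix_time."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_token(secret: bytes, candidate: str, unix_time: int,
                 skew_steps: int = 1) -> bool:
    """True if candidate matches the current step or one within +/- skew_steps.

    Every window is checked (no early return) and each comparison is
    constant-time, so response time does not reveal which window matched.
    """
    candidate = candidate.strip()
    if len(candidate) != DIGITS or not candidate.isdigit():
        return False
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, candidate):
            ok = True
    return ok


def main() -> int:
    """Prompt, validate, and map the result onto the exit-status contract."""
    import getpass
    try:
        with open(SECRET_FILE, "rb") as fh:
            secret = fh.read().strip()
    except OSError:
        return 2            # misconfiguration is still a failed login
    candidate = getpass.getpass("Token code: ")
    return 0 if verify_token(secret, candidate, int(time.time())) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats the exit-status contract does not cover on its own: the program runs with whatever privileges the login process gives it, so the secret file must be unreadable by ordinary users, and a code accepted within the skew window is replayable until that window closes unless the program also records and refuses codes it has already accepted.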