From owner-freebsd-current Wed Jun 28 02:05:29 1995
Return-Path: current-owner
Received: (from majordom@localhost) by freefall.cdrom.com (8.6.10/8.6.6) id CAA29461 for current-outgoing; Wed, 28 Jun 1995 02:05:29 -0700
Received: from wc.cdrom.com (wc.cdrom.com [192.216.223.37]) by freefall.cdrom.com (8.6.10/8.6.6) with ESMTP id CAA29453 for ; Wed, 28 Jun 1995 02:05:25 -0700
Received: from bunyip.cc.uq.oz.au (bunyip.cc.uq.oz.au [130.102.2.1]) by wc.cdrom.com (8.6.12/8.6.12) with SMTP id CAA25871 for ; Wed, 28 Jun 1995 02:05:19 -0700
Received: from cc.uq.oz.au by bunyip.cc.uq.oz.au id <01415-0@bunyip.cc.uq.oz.au>; Wed, 28 Jun 1995 19:03:09 +1000
Received: from netfl15a.devetir.qld.gov.au by pandora.devetir.qld.gov.au (8.6.10/DEVETIR-E0.3a) with ESMTP id TAA29713 for ; Wed, 28 Jun 1995 19:07:17 +1000
Received: by netfl15a.devetir.qld.gov.au (8.6.8.1/DEVETIR-0.1) id JAA07274; Wed, 28 Jun 1995 09:04:14 GMT
Date: Wed, 28 Jun 1995 09:04:14 GMT
From: Stephen Hocking
Message-Id: <199506280904.JAA07274@netfl15a.devetir.qld.gov.au>
To: current@freebsd.org
Subject: More crypt stuff (fwd)
Sender: current-owner@freebsd.org
Precedence: bulk

>Xref: pandora.devetir.qld.gov.au comp.security.misc:10184 comp.security.unix:13332
>Path: pandora.devetir.qld.gov.au!bunyip.cc.uq.oz.au!harbinger.cc.monash.edu.au!simtel!zombie.ncsc.mil!news.mathworks.com!europa.chnt.gtegsc.com!ra.nrl.navy.mil!itd!metz
>From: metz@itd.itd.nrl.navy.mil (Craig Metz)
>Newsgroups: comp.security.unix,comp.security.misc
>Subject: Announcing NRL OPIE 2.0
>Date: 27 Jun 1995 18:39:18 GMT
>Organization: Information Technology Division, Naval Research Laboratory
>Lines: 101
>Message-ID: <3spj8m$5um@ra.nrl.navy.mil>
>NNTP-Posting-Host: itd-fddi.nrl.navy.mil

Announcing NRL OPIE 2.0
=======================

We are pleased to announce the public release of the U.S. Naval Research Laboratory's One-Time Passwords in Everything (OPIE) Version 2.0 Software Distribution.
OPIE provides a one-time password system for POSIX-compliant UNIX-like operating systems. The system should be secure against the passive attacks now commonplace on the Internet (see RFC 1704 for more details). The system is vulnerable to active dictionary attacks, though these are not widespread at present and can be detected through proper use of system audit software.

The NRL OPIE software is derived in part from and is backwards compatible with the Bell Communications Research (Bellcore) S/Key(TM) Version 1 Software Distribution. Because Bellcore claims "S/Key" as a trademark for their software, NRL has been forced to use a different name (we picked "OPIE") for its software distribution.

NRL OPIE includes the following additions/modifications to the original Bellcore S/Key(TM) Version 1 software:

* Just about one-command installation for many common platforms. While we still recommend that you follow instructions and test things by hand, the more adventurous can install OPIE quickly.

* A modified BSD FTP daemon that does OPIE. The small and simple BSD ftpd(8) was deliberately chosen over the wuarchive ftpd(8) because we didn't have the time needed to convince ourselves that the wuarchive ftpd(8) didn't have any security holes lurking in its many extra features.

* By default, the "su" binary always gives you an OPIE challenge, even on the console. This was a hole for rlogin/telnet sessions in the original S/Key software.

* MD5 support. MD5 is now the default algorithm, though MD4 is still supported by changing a parameter in the Makefile. This change was made because MD5 is widely believed to be cryptographically stronger than MD4 (see RFC 1321).

* A more portable version of MD4 has been substituted for the original MD4. This should solve many of the endian problems.

* Most of the system dependencies have been moved to a new file "opie_cfg.h".

* Configuration options have been moved to the Makefile.

* Isolated system dependencies (e.g. BSDisms) with appropriate #ifdefs.

* Revised the opiekey(1) program to simultaneously support MD4 and MD5, with the default algorithm being tunable using the MDX symbol in the Makefile.

* More operating systems are supported by NRL OPIE as of Release 2, but older BSD systems that aren't close to being compliant with the POSIX standard are no longer supported.

* Transition mechanisms are optional to prevent potential back doors.

* On systems using the /etc/opieaccess transition mechanism, users can choose to require the use of OPIE to login to their accounts when it would otherwise be optional.

* Bug fixes

* Cosmetic changes

* Changes to mostly conform with the draft Internet OTP standard.

Tested Configurations
=====================

We have tested OPIE on the following platforms:

Hardware              Operating System         Referred to as   System
--------              ----------------         --------------   ---------
Sun SPARCStation 20   Solaris 2.4              Solaris          solaris
Sun 4/300             SunOS 4.1.3              SunOS            sunos
Sun SPARCStation 2    4.4BSD-Encumbered        4.4BSD           44bsd
486/66 PC             BSDI BSD/OS 1.1 & 2.0    BSD/OS           bsdos
486/66 PC             Slackware Linux 2.1      Linux            linux
SGI Indigo^2          IRIX 5.2                 IRIX             irix
HP 9000/750           HP-UX 9.01               HP-UX9           hpux9
HP 9000/755           HP-UX 10.0               HP-UX10          hpux10
IBM RS/6000 550       AIX 3.2.5                AIX              aix

Additionally, we have received information from beta testers from which we believe OPIE to work on the following additional platforms:

Hardware              Operating System         Referred to as   System
--------              ----------------         --------------   ---------
486 PC                FreeBSD                  FreeBSD          freebsd
486 PC                NetBSD                   NetBSD           netbsd

Trademarks
==========

S/Key is a trademark of Bell Communications Research (Bellcore).
UNIX is a trademark of Unix Systems Laboratories.
NRL is a trademark of the U. S. Naval Research Laboratory.
OPIE is in the public domain and hence cannot be legally trademarked by anyone.

Availability
============

NRL OPIE 2.0 is copyrighted but freely available. It is now available
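The announcement describes the scheme (S/Key-compatible hash chains with MD4 or MD5, conforming to the draft Internet OTP standard) without showing the arithmetic. The following is an added illustration, not code from NRL OPIE or the forwarded post, of the client/server exchange as specified in RFC 2289 (the published form of that OTP standard): seed and pass phrase are hashed, the 128-bit digest is folded to 64 bits by XORing its halves, and each further step hashes the previous 64-bit value. It assumes RFC 2289's procedure and its MD5 test vector ("This is a test." / seed "TeSt"); the class and function names, the challenge string layout, and the candidate word list are this example's own, and the server is a toy that keeps one user in memory. It also shows why a replayed response is rejected and how the dictionary attack mentioned above works once an attacker holds a challenge and a valid response.

```python
"""S/Key-style one-time password chain (RFC 2289 procedure) using MD5 folding.

Added example for illustration; not part of NRL OPIE.  Demonstrates the
client computation, server verification without a stored secret, replay
rejection, and offline pass-phrase guessing from a captured exchange.
"""
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD4/MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_initial(passphrase: str, seed: str, algo: str = "md5") -> bytes:
    """Initial step: hash the seed (lower-cased, it is case-insensitive) + pass phrase."""
    return _fold(hashlib.new(algo, (seed.lower() + passphrase).encode("ascii")).digest())


def otp_step(value: bytes, algo: str = "md5") -> bytes:
    """One computational step: hash the 64-bit value and fold again."""
    return _fold(hashlib.new(algo, value).digest())


def otp(passphrase: str, seed: str, count: int, algo: str = "md5") -> bytes:
    """Client side (what a key calculator computes): the value after `count` steps."""
    value = otp_initial(passphrase, seed, algo)
    for _ in range(count):
        value = otp_step(value, algo)
    return value


class OtpServer:
    """Toy verifier holding (sequence number, seed, last accepted value) for one user."""

    def __init__(self, passphrase: str, seed: str, start: int, algo: str = "md5") -> None:
        # Enrolment: the pass phrase is used once to compute the top of the chain and
        # is never stored; reading this record does not let an attacker log in.
        self.algo = algo
        self.seed = seed
        self.seq = start
        self.last = otp(passphrase, seed, start, algo)

    def challenge(self) -> str:
        """RFC 2289 challenge syntax: otp-<algorithm> <sequence> <seed>."""
        return f"otp-{self.algo} {self.seq - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept the response iff one more hash step yields the value on file."""
        try:
            candidate = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(candidate) != 8 or otp_step(candidate, self.algo) != self.last:
            return False
        # Move the chain one step down: the accepted value is now the one on file,
        # so presenting it again cannot satisfy the next check (replay fails).
        self.seq -= 1
        self.last = candidate
        return True


def dictionary_attack(seed: str, count: int, observed: bytes, guesses, algo: str = "md5"):
    """Offline guessing: whoever holds one challenge and a valid response can test
    candidate pass phrases without talking to the server again."""
    for guess in guesses:
        if otp(guess, seed, count, algo) == observed:
            return guess
    return None


if __name__ == "__main__":
    PASS, SEED = "This is a test.", "TeSt"      # RFC 2289 Appendix C MD5 test vector
    server = OtpServer(PASS, SEED, 100)
    print(server.challenge())                   # otp-md5 99 TeSt
    resp = otp(PASS, SEED, 99).hex()
    print(resp)                                 # 50fe1962c4965880
    print(server.verify(resp), server.verify(resp))   # True False (replay rejected)
    # Constructed candidate list for the guessing demonstration.
    print(dictionary_attack(SEED, 99, bytes.fromhex(resp), ["hunter2", "letmein", PASS]))
```

The six-word output form that S/Key-style calculators print is omitted because it needs the 2048-word RFC 2289 dictionary; the hex form is the same 64 bits. Passing `algo="md4"` exercises the MD4 chain the announcement keeps for compatibility, but modern OpenSSL builds only expose MD4 through the legacy provider, so `hashlib.new("md4")` may raise on such systems.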