OPIEACCESS(5)OPIEACCESS(5)NAME
/etc/opieaccess - OPIE database of trusted networks
DESCRIPTION
The opieaccess file contains a list of networks that
are considered trusted by the system as far as secu‐
rity against passive attacks is concerned. Users from
networks so trusted will be able to log in using OPIE
responses, but not be required to do so, while users
from networks that are not trusted will always be
required to use OPIE responses (the default behav‐
ior). This trust allows a site to have a more gentle
migration to OPIE by allowing it to be non-mandatory
for "inside" networks while allowing users to choose
whether they with to use OPIE to protect their pass‐
words or not.
The entire notion of trust implemented in the opieac‐
cess file is a major security hole because it opens
your system back up to the same passive attacks that
the OPIE system is designed to protect you against.
The opieaccess support in this version of OPIE exists
solely because we believe that it is better to have
it so that users who don't want their accounts broken
into can use OPIE than to have them prevented from
doing so by users who don't want to use OPIE. In any
environment, it should be considered a transition
tool and not a permanent fixture. When it is not
being used as a transition tool, a version of OPIE
that has been built without support for the opieac‐
cess file should be built to prevent the possibility
of an attacker using this file as a means to circum‐
vent the OPIE software.
The opieaccess file consists of lines containing
three fields separated by spaces (tabs are properly
interpreted, but spaces should be used instead) as
follows:
Field Description
action "permit" or "deny" non-OPIE logins
address Address of the network to match
mask Mask of the network to match
Subnets can be controlled by using the appropriate
address and mask. Individual hosts can be controlled
by using the appropriate address and a mask of
255.255.255.255. If no rules are matched, the default
is to deny non-OPIE logins.
SEE ALSOftpd(8)login(1), opie(4), opiekeys(5),
opiepasswd(1), opieinfo(1), su(1),
AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M.
Haller, and John S. Walden of Bellcore. OPIE was cre‐
ated at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research
(Bellcore).
CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mail‐
ing list. To join, send an email request to:
skey-users-request@thumper.bellcore.com
7th Edition January 10, 1995 OPIEACCESS(5)