3.52. <AuthBy OPIE> Previous topic Parent topic Child topic Next topic

This clause allows authentication from OPIE (One time Passwords In Everything), a one-time password system based on S/Key, and written by Craig Metz. AuthBy OPIE requires opie-2.4 or better and Authen::OPIE 1.0. Both are part of CPAN. For more information, see Section 2.1.2. CPAN. OPIE is only supported in Unix platforms. It can be used with PAP, but not CHAP or MS-CHAP. It can also be used with EAP-One-Time-Passwords and EAP-Generic-Token-Card authentication in 802.1X wired and wireless networks.
OPIE is a one-time password system that prompts an intending user with a Challenge. The user enters the challenge into a password calculator program which then tells them the one-time password to use. A one-time password is 6 short words, separated by spaces. A one-time password can only be used successfully once. Next time you log in, you will be prompted with a different challenge and a different password will be required. Opie can also generate lists of one-time passwords that can be used in sequence without prompts.
<AuthBy OPIE> interfaces directly to OPIE using the OPIE Perl module. If you attempt to log in with an empty password, <AuthBy OPIE> will issue an Access-Challenge, with the Reply-Message containing the OPIE Challenge that must be entered into the password calculator. The user can then use the Response from the calculator as the password for the next attempt.
CAUTION
Not all PPP clients will show the user the contents of the Reply-Message. If that is the case with your users, they will not be able to see the challenge, and hence will not be able to log in with OPIE.
Tip
On Windows, in order to do interactive login, and so the end user can see the OPIE challenge and enter the response, enable ‘Show terminal window’ for the dial-up connection.
When using <AuthBy OPIE>, Radiator must usually be run as root, so it can get access to the OPIE password database, typically in /etc/opiekeys.
<AuthBy OPIE> understands the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.26. <AuthBy xxxxxx>.
<Realm DEFAULT>
      <AuthBy OPIE>
            DefaultReply Service-Type=Framed-User,\
                  Framed-Protocol=PPP
      </AuthBy>
</Realm>