DragonFly On-Line Manual Pages
OPIEKEY(1) OPIEKEY(1)
NAME
opiekey, otp-md4, otp-md5 - Programs for computing
responses to OTP challenges.
SYNOPSIS
opiekey | otp-md4 | otp-md5 [-v] [-h] [-f] [-x]
[-t type] [-4|-5] [-a] [-n count] sequence_number seed
DESCRIPTION
opiekey takes the optional count of the number of
responses to print along with a (maximum) sequence
number and seed as command-line arguments. It prompts
for the user's secret pass phrase and produces an OPIE
response as six words. If compiled to do so, it can
prompt for the user's secret pass phrase twice to
help reduce errors due to mistypes. The second password
entry can be circumvented by entering only an end of
line. opiekey is downward compatible with the key(1)
program from the Bellcore S/Key Version 1 distribution
and several of its variants.
OPTIONS
-v Display the version number and compile-time options,
then exit.
-h Display a brief help message and exit.
-4, -5 Selects MD4 or MD5, respectively, as the response
generation algorithm. The default for otp-md4 is MD4 and
the default for otp-md5 is MD5. The default for opiekey
depends on compile-time configuration, but should be MD5.
MD4 is compatible with the Bellcore S/Key Version 1
distribution.
-f Force opiekey to continue, even where it normally
shouldn't. This is currently used to force opiekey to
operate even from terminals it believes to be insecure.
It can also allow users to disclose their secret pass
phrases to attackers. Use of the -f flag may be disabled
by a compile-time option in your particular build of OPIE.
-a Allows you to input an arbitrary secret pass phrase,
instead of running checks against it. Arbitrary currently
does not include '\0' or '\n' characters. This can be used
for backwards compatibility with key generators that do
not check passwords.
-n <count>
The number of one-time access passwords to print. The
default is one.
-x Output the OTPs as hexadecimal numbers instead of six
words.
-t <type>
Generate an extended response of the specified type.
Supported types are:
word        six-word
hex         hexadecimal
init        hexadecimal re-initialization
init-word   six-word re-initialization
The re-initialization responses always generate the
simple active attack protection.
EXAMPLE
wintermute$ opiekey -5 -n 5 495 wi01309
Using MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
491: HOST VET FOWL SEEK IOWA YAP
492: JOB ARTS WERE FEAT TILE IBIS
493: TRUE BRED JOEL USER HALT EBEN
494: HOOD WED MOLT PAN FED RUBY
495: SUB YAW BILE GLEE OWE NOR
wintermute$
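Added example, not part of the original manual page or the OPIE source: how an MD5 response is derived from the sequence number, seed and pass phrase, following the OTP computation in RFC 2289, with hexadecimal output as an analogue of -x. It also shows why -n lists the lower sequence numbers and how a verifier checks a response. All function names are illustrative, and the pass phrase and seed are the RFC 2289 test values, not a real credential.

```python
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits to 64 by XORing the two 8-byte halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(sequence_number: int, seed: str, passphrase: str) -> bytes:
    """64-bit response for one sequence number (RFC 2289 computation)."""
    if sequence_number < 0:
        raise ValueError("sequence number must be non-negative")
    # Initial step: the lowercased seed is prepended to the secret pass phrase.
    value = fold_md5((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence_number):
        value = fold_md5(value)
    return value


def as_hex(value: bytes) -> str:
    """Hexadecimal form in four-digit groups."""
    text = value.hex().upper()
    return " ".join(text[i:i + 4] for i in range(0, len(text), 4))


def responses(count: int, max_sequence: int, seed: str, passphrase: str):
    """Like -n count: responses for the sequence numbers ending at max_sequence."""
    first = max_sequence - count + 1
    if count < 1 or first < 0:
        raise ValueError("count does not fit below the sequence number")
    value = otp_md5(first, seed, passphrase)
    out = [(first, as_hex(value))]
    for seq in range(first + 1, max_sequence + 1):
        value = fold_md5(value)  # each higher number is one more hash
        out.append((seq, as_hex(value)))
    return out


def server_accepts(last_accepted: bytes, submitted: bytes) -> bool:
    """Verifier side: hashing the submitted response once must give the stored one."""
    return hmac.compare_digest(fold_md5(submitted), last_accepted)


if __name__ == "__main__":
    # Constructed input: RFC 2289 test pass phrase and seed, not a real secret.
    for seq, text in responses(3, 99, "TeSt", "This is a test."):
        print(f"{seq}: {text}")
```

Because each response is the hash of the one with the next lower sequence number, a captured response cannot be used to derive the next one to be requested, while anyone who learns the pass phrase can compute them all.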
BUGS
opiekey(1) can lull a user into revealing his/her
password when remotely logged in, thus defeating the
purpose of OPIE. This is especially a problem with
xterm. opiekey(1) implements simple checks to reduce
the risk of a user making this mistake. Better checks
are needed.
SEE ALSO
ftpd(8), login(1), opie(4), opiepasswd(1),
opieinfo(1), opiekeys(5), opieaccess(5), su(1)
AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M.
Haller, and John S. Walden of Bellcore. OPIE was
created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research
(Bellcore).
CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing
list. To join, send an email request to:
skey-users-request@thumper.bellcore.com
7th Edition February 20, 1996 OPIEKEY(1)