
How Users are Registered with OTP and Obtain OTP Passwords
68 AlterPath OnBoard Administrator’s Guide
4. Save and quit the file.
How Users are Registered with OTP and Obtain OTP Passwords
All users who need to use OTP authentication must have a local account on
the OnBoard, must be registered with the OTP system, and must be able to
obtain OTP passwords.
The OPIE commands in the following bulleted list must be executed with the
-c option while the user is logged in locally through the OnBoard’s console
port:
• The opiepasswd command
• The opiekey command to generate OTP passwords
The requirement for local logins through the console port is enforced for
regular users because running the commands through a dial-up or other
insecure connection may expose the user passwords, pass phrases, and OTP
passwords to snoopers. The root user can execute these commands without the
-c option while logged in over ssh because ssh provides a secure path.
These commands should never be executed over a dial-up or telnet
connection.
OTP passwords are generated in one of the two following ways:
• By the user or administrator executing the opiekey command
  If the opiekey command is executed by an administrator on behalf of a
  user, the administrator must give the OTP username and the user's secret
  pass phrase to each user along with the generated OTP passwords.
• By the user with a password generating device
  If a user has a password generating device, then the user generates the
  OTP password when challenged at login using the username and secret
  pass phrase, along with the seed and sequence number that are displayed
  with the OTP challenge. For details, see “Obtaining and Using
  One-time Passwords for Dial-ins” in the AlterPath OnBoard Users
  Guide.
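How a password generating device turns the seed and sequence number from the challenge, plus the secret pass phrase, into a response, and how the server checks it. This is an added example, not code from the guide or from OPIE: it assumes the RFC 2289 otp-md5 scheme and prints the response in hex rather than in the six-word form. The function names are hypothetical, and the challenge is constructed from the RFC 2289 test pass phrase and seed.

```python
import hashlib
import hmac


def _step(block: bytes) -> bytes:
    """One MD5 pass, folded from 128 to 64 bits (first half XOR second half)."""
    digest = hashlib.md5(block).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """64-bit one-time password for a sequence number (RFC 2289, MD5)."""
    # The seed is case-insensitive: it is lowercased before hashing.
    value = _step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(sequence):
        value = _step(value)
    return value


def parse_challenge(challenge: str):
    """Split 'otp-md5 <sequence> <seed>' into (sequence, seed)."""
    algorithm, sequence, seed = challenge.split()[:3]
    if algorithm != "otp-md5":
        raise ValueError("this example handles otp-md5 challenges only")
    return int(sequence), seed


def respond(challenge: str, passphrase: str) -> str:
    """Hex response a generating device would show for this challenge."""
    sequence, seed = parse_challenge(challenge)
    return otp_md5(passphrase, seed, sequence).hex().upper()


def server_accepts(stored_previous: bytes, submitted: bytes) -> bool:
    """The server keeps the last accepted OTP; one more hash of the
    submitted OTP must reproduce it, so a captured OTP cannot be reused."""
    return hmac.compare_digest(_step(submitted), stored_previous)


if __name__ == "__main__":
    # Constructed challenge: RFC 2289 test seed "TeSt", sequence 99.
    print(respond("otp-md5 99 TeSt", "This is a test."))
```

The pass phrase never leaves the device or console session; only the 64-bit response crosses the line, which is why the guide's concern is with where opiepasswd and opiekey are typed.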
:wq