User's guide

Miscellaneous Procedures 509
OTP Configuration
3. Perform the procedure under "To Register and Generate OTP Passwords for Users" on page 510.
How Users are Registered with OTP and Obtain OTP Passwords
All users who need to use OTP authentication must have a local account on
the OnSite, must be registered with the OTP system, and must be able to
obtain OTP passwords.
The OPIE commands in the following bulleted list must be executed with the
-c option while a user is logged in locally through the OnSite's console port.
• The opiepasswd command to register users
• The opiekey command to generate OTP passwords
The requirement for local logins through the console port is enforced for
regular users because running the commands through a dial-up or other
insecure connection can expose the user passwords, pass phrases, and OTP
passwords. The root user can execute these commands without the -c option
while logged in over ssh because ssh provides a secure path. The OPIE
commands should never be executed over a dial-up connection.
OTP passwords are generated in one of the two following ways:
• By the user or administrator executing the opiekey command
If the opiekey command is executed by an administrator on behalf of a
user, the administrator must provide the username and the secret pass
phrase that were used to register the user to the user along with the
generated OTP passwords.
• By the user with a password generating device (more likely scenario)
If a user has a password generating device, then the user generates the
OTP password when challenged at login using the username and secret
pass phrase, along with the seed and sequence number (the seed and
sequence number are displayed along with the OTP challenge).
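The following is an added example, not code from the OnSite or from OPIE, showing how the OTP response is derived from the secret pass phrase plus the seed and sequence number in the challenge, and how the server side checks it. It assumes the RFC 2289 otp-md5 algorithm that opiekey uses by default, hex output in place of the six-word form, and a hypothetical OtpServerRecord class standing in for the record opiepasswd creates.

```python
import hashlib
import hmac

def _md5_fold(data: bytes) -> bytes:
    # One RFC 2289 hash step: MD5, then fold the 16-byte digest to 8 bytes
    # by XORing its two halves (this is the otp-md5 step opiekey computes).
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    # Step 0 hashes the lower-cased seed followed by the secret pass phrase;
    # each further step hashes the previous 8-byte result, 'sequence' times.
    value = _md5_fold(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        value = _md5_fold(value)
    return value

def answer_challenge(challenge: str, passphrase: str) -> str:
    # Parse the "otp-md5 <sequence> <seed>" challenge displayed at login and
    # return the response as 16 hex digits (opiekey prints six words by default).
    algo, sequence, seed = challenge.split()[:3]
    if algo != "otp-md5":
        raise ValueError("only otp-md5 is handled in this example")
    return otp_md5(passphrase, seed, int(sequence)).hex()

class OtpServerRecord:
    # Hypothetical server-side state after registration: the seed, a sequence
    # number and the OTP for that sequence. The pass phrase itself is never
    # stored, which is why it only leaks if it is typed over an insecure path.
    def __init__(self, passphrase: str, seed: str, sequence: int = 499):
        self.seed, self.sequence = seed, sequence
        self.last_otp = otp_md5(passphrase, seed, sequence)

    def challenge(self) -> str:
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        # Hash the presented OTP once more; it must equal the stored value.
        # On success the presented OTP becomes the stored value, so replaying
        # it later fails: the chain only moves toward lower sequence numbers.
        try:
            candidate = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_md5_fold(candidate), self.last_otp):
            return False
        self.last_otp, self.sequence = candidate, self.sequence - 1
        return True
```

The pass phrase "This is a test." with seed "TeSt" reproduces the otp-md5 test vectors of RFC 2289, which is a quick way to check any generator against the values the OnSite expects.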
The following procedure shows an example of an administrator logging in
locally through the console port, registering a user, and generating OTP
passwords for the user. The example shows running the adduser command
to add the user, but any of the tools available for adding users, including the
Web Manager, may be used to configure the user account beforehand.