OPIEACCESS(5) FreeBSD File Formats Manual OPIEACCESS(5)
NAME
/etc/opieaccess - OPIE database of trusted networks
DESCRIPTION
The opieaccess file contains a list of networks that
are considered trusted by the system as far as
security against passive attacks is concerned. Users
from networks so trusted will be able to log in using
OPIE responses, but not be required to do so, while
users from networks that are not trusted will always
be required to use OPIE responses (the default
behavior). This trust allows a site to have a more
gentle migration to OPIE by allowing it to be non-
mandatory for "inside" networks while allowing users
to choose whether they wish to use OPIE to protect
their passwords or not.
The entire notion of trust implemented in the
opieaccess file is a major security hole because it
opens your system back up to the same passive attacks
that the OPIE system is designed to protect you
against. The opieaccess support in this version of
OPIE exists solely because we believe that it is
better to have it so that users who don't want their
accounts broken into can use OPIE than to have them
prevented from doing so by users who don't want to
use OPIE. In any environment, it should be considered
a transition tool and not a permanent fixture. When
it is not being used as a transition tool, a version
of OPIE that has been built without support for the
opieaccess file should be built to prevent the
possibility of an attacker using this file as a means
to circumvent the OPIE software.
The opieaccess file consists of lines containing
three fields separated by spaces (tabs are properly
interpreted, but spaces should be used instead) as
follows:
Field      Description
action     "permit" or "deny" non-OPIE logins
address    Address of the network to match
mask       Mask of the network to match
Subnets can be controlled by using the appropriate
address and mask. Individual hosts can be controlled
by using the appropriate address and a mask of
255.255.255.255. If no rules are matched, the default
is to deny non-OPIE logins.
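An added example, not part of OPIE or of this manual page: a Python audit sketch that parses opieaccess rules, reports how many addresses each permit rule trusts, and evaluates a client address. It assumes IPv4 dotted-quad fields, '#' comment lines, and that the first matching rule decides; only the default deny comes from the text above.

```python
import ipaddress

def parse_opieaccess(text):
    """Return (rules, errors); a rule is (lineno, action, addr_int, mask_int)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' marks a comment
            continue
        fields = line.split()  # fields are separated by spaces (or tabs)
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            errors.append((lineno, raw))
            continue
        try:
            addr, mask = (int(ipaddress.IPv4Address(f)) for f in fields[1:])
        except ipaddress.AddressValueError:
            errors.append((lineno, raw))
            continue
        rules.append((lineno, fields[0], addr, mask))
    return rules, errors

def non_opie_login_allowed(rules, client):
    """True if client may log in without OPIE (assumption: first match wins)."""
    ip = int(ipaddress.IPv4Address(client))
    for _lineno, action, addr, mask in rules:
        if (ip & mask) == (addr & mask):
            return action == "permit"
    return False  # no rule matched: the default is to deny non-OPIE logins

def audit(rules):
    """List each permit rule as (lineno, network, number of trusted addresses)."""
    findings = []
    for lineno, action, addr, mask in rules:
        if action == "permit":
            size = 2 ** (32 - bin(mask).count("1"))
            findings.append((lineno, str(ipaddress.IPv4Address(addr & mask)), size))
    return findings

SAMPLE = """\
# constructed sample, documentation address ranges
deny 192.0.2.10 255.255.255.255
permit 192.0.2.0 255.255.255.0
permit 198.51.100.7 255.255.255.255
bogus line
"""

if __name__ == "__main__":
    rules, errors = parse_opieaccess(SAMPLE)
    print(audit(rules), errors)
```

Every entry returned by audit() is a range of addresses from which reusable passwords are still accepted, so the list should shrink to nothing as the migration completes.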
SEE ALSO
ftpd(8), login(1), opie(4), opiekeys(5),
opiepasswd(1), opieinfo(1), su(1)
AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M.
Haller, and John S. Walden of Bellcore. OPIE was
created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research
(Bellcore).
CONTACT
OPIE is discussed on the Bellcore "S/Key Users"
mailing list. To join, send an email request to:
skey-users-request@thumper.bellcore.com
7th Edition January 10, 1995 OPIEACCESS(5)