File: LOGIN

package info
pronto 2.4.0-3
  • links: PTS
  • area: main
  • in suites: sarge
  • size: 3,112 kB
  • ctags: 488
  • sloc: perl: 22,159; makefile: 140; sh: 34; sql: 7
file content (33 lines) | stat: -rw-r--r-- 1,505 bytes
At the moment the only authentication method is via one-time passwords
(OTP). I chose this method because it relieves me (and you) of dealing
with encrypted sessions (via HTTPS, e.g.), which are web-server specific
and ugly (you need a certificate, etc.).
The OTPs are implemented as proposed in RFC 1938. They are
cryptographically secure until someone breaks the MD5 hash function...
The reason I chose this protocol is that it is a standard and
there's a client for my Palm Pilot ;-)
The handheld client is free for non-commercial use and available at:
http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/

So how does this work...
1. make up a passphrase, which must be between 10 and 63 characters.
2. make up a seed, which can (and should) be short (like three letters).
3. choose the number of times you want to be able to log in without
reinitializing the server (the bigger the number is, the longer it
takes to compute the OTP on the client side).
4. If you have a client program (e.g. for your handheld) go to 6.
   If you don't, go to 5.
5. generate a list of OTPs with ./generate_otp.pl runs seed passphrase
(remember to put the passphrase into '' if it contains spaces)
6. run ./initialize otp.pl
   choose the last six words on your list OR
   generate the six words with your client
   enter the information you are asked for

you are done.

Every time you want to log in, you will be presented with a
challenge. You have to compute (or look up) the appropriate six words
and enter them.
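As an added example (not code from pronto or from this LOGIN file), here is the RFC 1938 MD5 computation behind the steps above in Python: the client derives OTP number N from passphrase and seed by hashing N+1 times, and the server, which stores only the last accepted OTP and its sequence number, checks a response by hashing it once more and comparing. The passphrase and seed are the MD5 test vector published in RFC 2289 (the successor of RFC 1938); the function names and the hex output form (instead of the six-word form) are my own choices.

```python
import hashlib
import hmac


def _fold_md5(data: bytes) -> bytes:
    """One RFC 1938 MD5 step: digest, then XOR the two 64-bit halves."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def otp_hex(passphrase: str, seed: str, count: int) -> str:
    """Client side: OTP for sequence number `count`, as 16 hex digits."""
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 10 to 63 characters")
    if not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError("seed must be 1 to 16 alphanumeric characters")
    # The seed is case-insensitive: it is lowercased before hashing.
    current = _fold_md5((seed.lower() + passphrase).encode("ascii"))
    # Each extra iteration is the per-login cost the text above mentions:
    # a larger initial count means more hashing on the client.
    for _ in range(count):
        current = _fold_md5(current)
    return current.hex().upper()


def verify_and_advance(stored_count: int, stored_hex: str, response_hex: str):
    """Server side: accept the OTP for stored_count - 1 if hashing it once
    reproduces the stored OTP; never needs the passphrase itself.
    Returns (accepted, new_count, new_stored_hex)."""
    if stored_count < 1:
        # Sequence exhausted: the user must re-initialize the server.
        return False, stored_count, stored_hex
    try:
        response = bytes.fromhex(response_hex)
    except ValueError:
        return False, stored_count, stored_hex
    if len(response) != 8:
        return False, stored_count, stored_hex
    expected = bytes.fromhex(stored_hex)
    if hmac.compare_digest(_fold_md5(response), expected):
        # Move the stored state one step down the hash chain.
        return True, stored_count - 1, response.hex().upper()
    return False, stored_count, stored_hex


if __name__ == "__main__":
    # RFC 2289 MD5 test vector (constructed input, published values).
    for n in (0, 1, 99):
        print(n, otp_hex("This is a test.", "TeSt", n))
```

A replayed response fails because the server state has already advanced past it, which is what makes the scheme usable over an unencrypted session.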