NRL OPIE Software Distribution, Release 2.01         Installation Instructions
============================================         =========================

	Did you read the README file?

	If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install
it.

Quick Installation
==================

	If your system has been tested with OPIE, we have provided reasonable
defaults for it that should work. If you would like to use our configuration
defaults for OPIE and believe that there is nothing out of the ordinary about
your system that would cause our defaults to be incorrect, you can use the
quick installation procedure to get up and running with OPIE in a matter of
a few minutes (your mileage may vary, of course, depending on your system 
performance). If you encounter any problems, please go through the real 
installation procedure before blaming the OPIE software.

	In order to use the quick installation method, you need to know two
things: the System name for your system and the Target for what you want to 
do. You already know the System because you read the README file. This leaves 
you with the choice of a Target. The two sensible options that you have here 
are to follow the full instructions for building OPIE starting at Step 3, in 
which case the Target is whatever follows the "make" command, or to throw 
caution to the wind and let OPIE have its way with your system, in which case 
the Target is "install". Once you have these two pieces of information, your 
make command is "make <System>-<Target>".

	Two examples of doing things this way are "make bsdos-install" and
"make 44bsd-all". You can also use just "make <System>" as a shorthand if
the Target is "all".

Installing NRL OPIE the Right Way
=================================

	For these instructions, we assume that you are on the system console.
There is no secure way to install OPIE without being on the system console.

	In order to install OPIE, you will need to have access to an account
with superuser (root) privileges as well as access to an account with normal
user privileges. After unpacking the OPIE source distribution, make sure that
the permissions of the directory that contains the distribution as well as
all of the directories above it allow both of these accounts to access the
distribution directory.

	These instructions also assume that the destination directory for the
OPIE binaries that you set in the Makefile is in the PATH of the user used to
test most of the system. It is usually a security risk to have local binary
directories (for example, /usr/local/bin) in the PATH of a superuser-privileged
account. This also assumes that you have not disabled certain network services
such as telnet, FTP, and rlogin. If you have, please skip the appropriate
steps.

 0. Back up your system! If you don't have a backup and either the OPIE
    software or a mistake on your part results in your system being trashed,
    it's *your* fault and *your* problem! We don't expect this to ever 
    happen, but if it does, you should have a backup handy so you can fix it.

 1. Edit the Makefile and make the changes appropriate for your system. For 
    platforms OPIE has been tested on, you should be able to simply uncomment 
    the appropriate parameters. For others, you will need to supply your own 
    values for many of the parameters.

 2. Type "make realclean" to remove any previous build files, then type
    "make" to compile the OPIE software.

 3. Get into a superuser (root) shell.

 4. DO NOT EXIT THE SUPERUSER SHELL UNTIL INSTRUCTED TO DO SO. Doing so could
    leave you in a bad position should the OPIE software not work properly.

 5. Type "./opiepasswd -c <username>", where the <username> parameter specifies
    the name of the normal account you will use to test OPIE. Enter a 
    temporary secret pass phrase that is at least ten characters long.
    opiepasswd will give you an output at the end something like:

ID kebe OPIE key is 499 wi80161
TOG HIND BULB GIN FOLD CALF

 6. Type "./opiekey 499 <seed>", where the <seed> parameter is the seed given 
    to you by opiepasswd (in this example, wi80161). Enter the same secret
    pass phrase you used for opiepasswd. Check to make sure that the six word 
    response given to you by opiekey is the same as the one given to you by 
    opiepasswd. If it is not, repeat (5) and (6) once more. If they continue 
    to differ, the OPIE software is not working properly on your machine.

 7. Type "make test". This will install the OPIE software into your local
    directories, but will not replace the system binaries login, su, and ftpd.
    If you encounter any errors, make sure to fix them before moving on.

 8. Type "opiekey -n 7 499 <seed>", where <seed> is the same as the one you 
    used in (6). Remember this time to omit the "./" part. Make sure the 
    output on the line for "499" is the same as what you got from opiepasswd 
    and from (6). If you get an error telling you that opiekey cannot be
    found, make sure the place you specified for BINDIR in the Makefile
    (usually /usr/local/bin) is in your PATH. Write down the output from this
    program on the lines starting with 495, 496, 497, and 498 -- you will need
    it for later steps.

 9. Type "./opiesu <username>", where <username> is the same name you used in 
    (5).

10. Type "./opiesu <username>" again. It should now ask you for a password. 
    Press the enter key once. It should say "(echo on)" and ask you for a 
    password again. Enter the six words (and only the six words) on the line 
    starting with 498 that you got from (8). If it says "Sorry", repeat this
    once. If it still says "Sorry", the OPIE software is not working properly 
    on your machine. 

11. Type "./opiesu -c <username>". It should now ask you for a password after
    admonishing you to never run it this way from remote. Enter the normal,
    system password for the user. If it tells you that you don't seem to be
    on the console or says "Sorry" even after repeating this step once more,
    then the OPIE software is not working on your system.

12. Type "opieinfo". You should get a response like:

497 wi80161

    Check to make sure the second part matches the <seed> you've been using. 

13. Type "./opielogin <username>", where <username> is the username you have 
    been using. It should now ask you for a password. Press the enter key 
    once. It should say "(echo on)" and ask you for a password again. Enter
    the six words (and only the six words) on the line starting with 497 that
    you got from (8). If it responds with "Login incorrect", repeat this once.
    If it still says "Login incorrect", the OPIE software is not working 
    properly on your machine. If it works, but displays your message of the 
    day twice, you need to change the setting of MOTD to zero in the Makefile
    and start over.

14. Type "exit" four times. You should now be back to your original superuser
    shell.

15. Type "make install". This will install the OPIE replacements for login,
    su, and ftpd. The installation process will try to rename your old
    programs to their original names with an extension of ".opie.old".
    WARNING: IF FILES WITH THOSE NAMES ALREADY EXIST, THEN YOUR OLD PROGRAMS
    WILL NOT BE BACKED UP!

16. Type "ftp localhost". Enter the username you have been using at the prompt.
    Check to see that you receive a line that reads something like:

331 OTP response otp-md5 496 wi80161 required for kebe.

    If you do not see a line like this, then you either did not install the
    OPIE replacement program in the proper directory (in which case, you need
    to change the value in the Makefile and start over) or you are using an
    "enhanced" client program that will not allow users to see challenges, in
    which case you need to contact the author of your "enhanced" client for an
    updated version that fixes this deficiency.

    If you do see a line like this, then enter the six words on the line 
    starting with 496 that you got from (8). Note that they will not echo.
    Type "lcd /tmp", then type "cd <opiedir>", where <opiedir> is the 
    directory where the OPIE software distribution is located. Type "dir" and 
    make sure that you get a listing. Then type "get README". If you get any 
    errors or don't get a listing, the OPIE software is not working properly 
    on your machine. Type "quit".

17. Type "telnet localhost". When it asks for a login, enter the username
    that you have been using. Do the same thing as you did for (13), using
    the six words on the line starting with 495. 

18. Type "exit". 

19. Type "rlogin localhost -l <username>". Do the same thing as you did for 
    (13), using the six words on the line starting with 494. 

20. Type "exit". 

21. Type "opiepasswd -c root". Enter a temporary secret pass phrase for the
    root account that is at least ten characters long. Make sure you don't 
    forget it, but don't write it down.

22. Type "opiekey `opieinfo root`". Enter the secret pass phrase you used in
    (20). Write down the six words that it gives you.

23. Log out of the machine. (All the way out -- you can exit your
    superuser shell now)

24. Enter your user name at the appropriate prompt.

25. If you are given an OPIE challenge, make sure that it is not followed by
    "(OTP response required)". Enter the six words on the line
    starting with 493. Once you are logged in, log back out and enter
    your user name once again at the appropriate prompt. If you are
    not given an OPIE challenge, you need not worry -- some systems,
    especially those with graphical logins, will not support OPIE on the
    console. Since OPIE is not necessary on the console, this is not a
    problem.

26. Enter your normal password for the system (NOT your OPIE secret pass
    phrase). Check to make sure you can log in on the console correctly.

27. Type "su". You should be asked for an OPIE response. Enter the six words
    you got from (21).

28. Type "opiepasswd -c <superusername>". Enter a secret pass phrase for the
    superuser account. Make sure you don't forget this secret pass phrase, but
    don't write it down.

29. Type "opiepasswd -c <username>", where <username> is the user name you
    used earlier. Enter a permanent secret pass phrase for that account. 
    Again, make sure you don't forget the secret pass phrase, but don't write
    it down.

30. OPIE should now be installed and ready on your system. You should get all
    of your users to log in (on the console, if you can) and run "opiepasswd"
    to set a secret pass phrase for their accounts.

    If you encountered any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert back to almost the
way things were before. We make no claims as to this process actually working,
however. You are best advised to do this by hand.
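
	The warning in step 15 can be checked before "make install" is run.
The shell script below is an added example, not part of the OPIE distribution.
The default paths in OPIE_TARGETS and the "check" argument are assumptions;
replace the paths with the locations of login, su, and ftpd on your system.

```shell
#!/bin/sh
# Pre-flight check for step 15 ("make install"): the install renames each
# old program to "<name>.opie.old", and if a file of that name already
# exists the old program is not backed up.

# Print every ".opie.old" backup name that is already taken.
# Returns 0 when all backup names are free, 1 otherwise.
opie_backup_conflicts() {
    conflicts=0
    for prog in "$@"; do
        backup="$prog.opie.old"
        # -e is false for a dangling symlink, so test -L as well.
        if [ -e "$backup" ] || [ -L "$backup" ]; then
            printf '%s\n' "$backup"
            conflicts=1
        fi
    done
    return "$conflicts"
}

# Print every listed program that does not exist. A missing original means
# the path is wrong for this system and the conflict check proved nothing.
opie_missing_originals() {
    missing=0
    for prog in "$@"; do
        if [ ! -f "$prog" ]; then
            printf '%s\n' "$prog"
            missing=1
        fi
    done
    return "$missing"
}

# Assumed locations (not taken from the OPIE Makefile); override as needed.
OPIE_TARGETS="${OPIE_TARGETS:-/bin/login /bin/su /usr/sbin/ftpd}"

# Run the checks only when invoked as: sh thisfile check
if [ "${1:-}" = "check" ]; then
    # Word splitting of the path list is intended here.
    if ! gone=$(opie_missing_originals $OPIE_TARGETS); then
        echo "not found, fix OPIE_TARGETS first:"; echo "$gone"; exit 2
    fi
    if ! taken=$(opie_backup_conflicts $OPIE_TARGETS); then
        echo "move these aside before 'make install':"; echo "$taken"; exit 1
    fi
    echo "backup names are free; old programs will be kept as .opie.old"
fi
```
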

Copyright
=========

Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
