From owner-freebsd-current Sun Jan 20 16: 5: 6 2002
Delivered-To: freebsd-current@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id D834B37B404 for ; Sun, 20 Jan 2002 16:04:55 -0800 (PST)
Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id g0L04pZ27581; Mon, 21 Jan 2002 03:04:51 +0300 (MSK) (envelope-from ache)
Date: Mon, 21 Jan 2002 03:04:47 +0300
From: "Andrey A. Chernov"
To: Dag-Erling Smorgrav
Cc: Mark Murray, current@FreeBSD.ORG
Subject: Re: Step5, pam_opie OPIE auth fix for review
Message-ID: <20020121000446.GB27206@nagual.pp.ru>
References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, Jan 21, 2002 at 00:56:46 +0100, Dag-Erling Smorgrav wrote:
>
> What I can't understand is why OPIE is making that decision in the
> first place. The only answer I can think of is that it was written
> before the advent of PAM, and tries to be a poor man's PAM. That is
> not its place.

The basic OPIE/S-KEY idea behind that was that normally only a one-time password is allowed, i.e. the user is not allowed to type plaintext passwords at all, because the connection is treated as a totally insecure one. But for very special cases configured by the sysadmin, like working on the same machine or from a trusted subnet, OPIE/S-KEY additionally allows a plaintext password too, depending on its own configuration.
> In any case, if I understand what you're trying to do, it can be done
> by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE
> if it failed but Unix authentication is still allowed, and
> PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed.
> In that case, if you mark pam_opie "sufficient", pam_unix will run
> only if OPIE authentication failed but allowed Unix authentication to
> proceed.

It sounds good; I'll run a test case and inform you about the results.

--
Andrey A. Chernov
http://ache.pp.ru/
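The return-code convention discussed in the message above, modelled as an added example that is not code from pam_opie, pam_unix, OpenPAM or either correspondent. It is a self-contained C program: a hypothetical opie_authenticate() returns PAM_SUCCESS, PAM_IGNORE or PAM_AUTH_ERR exactly as proposed, a hypothetical unix_authenticate() stands in for pam_unix, and dispatch() walks the chain with the rules OpenPAM's dispatcher applies (an assumption taken from reading its source, and simplified here: PAM_IGNORE skips the module; a successful sufficient or binding module ends the chain when no required or binding module failed before it; a failed sufficient or optional module is ignored; a failed required or binding module marks the chain failed but lets it run on; a failed requisite module ends it at once). The numeric values of the PAM constants, the control-flag names and every scenario input are illustrative and constructed. The example goes one step beyond the message by also running the stack with pam_opie marked binding, a control flag pam.conf(5) offers in OpenPAM: the printed table shows that with sufficient the PAM_AUTH_ERR case still reaches pam_unix, because a sufficient module's failure is ignored by the dispatcher, whereas binding keeps the success short-circuit and turns that failure into a chain failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative stand-ins for the PAM return codes (real values: <security/pam_constants.h>). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 9, PAM_IGNORE = 25 };

/* Control flags as named in pam.conf(5); "binding" is the OpenPAM extension. */
enum ctl { CTL_REQUIRED, CTL_REQUISITE, CTL_SUFFICIENT, CTL_OPTIONAL, CTL_BINDING };

/* One login attempt (constructed scenario data, not read from a real system). */
struct ctx {
    bool opie_ok;           /* the response typed was a valid one-time password */
    bool plaintext_allowed; /* OPIE's own policy permits a plaintext password from this origin */
    bool unix_ok;           /* the plaintext password matches the Unix password hash */
    bool unix_ran;          /* set by unix_authenticate() so we can see whether it was consulted */
};

/* Hypothetical pam_opie authenticate(): the three-way return proposed in the message. */
static int opie_authenticate(struct ctx *c)
{
    if (c->opie_ok)
        return PAM_SUCCESS;
    return c->plaintext_allowed ? PAM_IGNORE : PAM_AUTH_ERR;
}

/* Hypothetical pam_unix authenticate(): a plain password check that records being called. */
static int unix_authenticate(struct ctx *c)
{
    c->unix_ran = true;
    return c->unix_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

struct entry { const char *name; enum ctl flag; int (*fn)(struct ctx *); };

/* OpenPAM-style chain walk (assumption, simplified; see the lead-in for the rules). */
static int dispatch(const struct entry *chain, size_t n, struct ctx *c)
{
    int err = PAM_SUCCESS;
    bool fail = false;

    for (size_t i = 0; i < n; i++) {
        int r = chain[i].fn(c);
        if (r == PAM_IGNORE)
            continue;                         /* module asked to be skipped */
        if (r == PAM_SUCCESS) {
            if ((chain[i].flag == CTL_SUFFICIENT || chain[i].flag == CTL_BINDING) && !fail)
                break;                        /* short-circuit: chain succeeds now */
            continue;
        }
        if (err == PAM_SUCCESS)
            err = r;                          /* remember the first failure code */
        if ((chain[i].flag == CTL_REQUIRED || chain[i].flag == CTL_BINDING) && !fail) {
            fail = true;                      /* chain is doomed but keeps running */
            err = r;
        }
        if (chain[i].flag == CTL_REQUISITE) {
            fail = true;
            break;                            /* chain stops immediately */
        }
    }
    return fail ? err : PAM_SUCCESS;          /* sufficient/optional failures are forgotten */
}

/* Run "pam_opie <opie_flag>; pam_unix required" for one scenario. */
static int run_stack(enum ctl opie_flag, bool opie_ok, bool plaintext_allowed, bool unix_ok, struct ctx *c)
{
    const struct entry chain[] = {
        { "pam_opie", opie_flag,    opie_authenticate },
        { "pam_unix", CTL_REQUIRED, unix_authenticate },
    };
    c->opie_ok = opie_ok;
    c->plaintext_allowed = plaintext_allowed;
    c->unix_ok = unix_ok;
    c->unix_ran = false;
    return dispatch(chain, sizeof chain / sizeof chain[0], c);
}

/* Final result of the stack for a scenario. */
int stack_result(enum ctl opie_flag, bool opie_ok, bool plaintext_allowed, bool unix_ok)
{
    struct ctx c;
    return run_stack(opie_flag, opie_ok, plaintext_allowed, unix_ok, &c);
}

/* Whether pam_unix was consulted at all for a scenario. */
bool stack_ran_unix(enum ctl opie_flag, bool opie_ok, bool plaintext_allowed, bool unix_ok)
{
    struct ctx c;
    (void)run_stack(opie_flag, opie_ok, plaintext_allowed, unix_ok, &c);
    return c.unix_ran;
}

int main(void)
{
    static const struct { const char *label; bool opie_ok, plaintext_allowed; } cases[] = {
        { "OTP correct            ", true,  false },
        { "OTP wrong, plaintext ok", false, true  },
        { "OTP wrong, no plaintext", false, false },
    };
    const enum ctl flags[] = { CTL_SUFFICIENT, CTL_BINDING };
    const char *flag_names[] = { "sufficient", "binding" };

    for (size_t f = 0; f < 2; f++) {
        printf("pam_opie %s, pam_unix required, Unix password correct:\n", flag_names[f]);
        for (size_t i = 0; i < 3; i++) {
            struct ctx c;
            int r = run_stack(flags[f], cases[i].opie_ok, cases[i].plaintext_allowed, true, &c);
            printf("  %s -> %s, pam_unix %s\n", cases[i].label,
                   r == PAM_SUCCESS ? "PAM_SUCCESS" : "PAM_AUTH_ERR", c.unix_ran ? "ran" : "skipped");
        }
    }
    return 0;
}
```

The scenarios keep the Unix password correct so that the only thing deciding the outcome is how the dispatcher treats pam_opie's return code; flip unix_ok to false to see the pam_unix failure propagate in the PAM_IGNORE case, which is the one case where both correspondents and this model agree pam_unix must have the final word.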