Date: Tue, 4 Nov 2003 00:56:32 +0600 (OMST) From: Sergey Sysoev <ssa@avtf.org> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/58893: OPIE implementation bug Message-ID: <200311031856.hA3IuWMV019094@faeton1.ru> Resent-Message-ID: <200311031900.hA3J0VSY002791@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 58893 >Category: bin >Synopsis: OPIE implementation bug >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Nov 03 11:00:30 PST 2003 >Closed-Date: >Last-Modified: >Originator: Sergey Sysoev >Release: FreeBSD 4.9-RELEASE i386 >Organization: >Environment: System: FreeBSD srv.faeton1.ru 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Thu Oct 30 19:18:45 OMST 2003 ssa@srv.faeton1.ru:/usr/src/sys/compile/SRV i386 >Description: 1. opiepasswd produce incorrect seed output during password change 2. opiekey produce incorrect response in case of 0 (zero) sequence number 3. pam_opie.so can allow login attempts in case with negative sequence number >How-To-Repeat: *** 1 *** opiepasswd/opiekey I've added user using `opiepasswd -c "ssa"` mx2# opiepasswd -c "ssa" Adding ssa: Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter new secret pass phrase: Again new secret pass phrase: ID ssa OTP key is 499 mx1759 WADE IFFY LAWN MEAD DANG BUB mx2# And now I want to change it mx2# opiepasswd "ssa" Updating ssa: You need the response from an OTP generator. New secret pass phrase: otp-md5 499 mx17 Response: You see that seed equal 'mx17', using opiekey: mx2# opiekey 499 mx17 Using the MD5 algorithm to compute response. Seeds must be greater than 5 characters long. mx2# So it is not possible to update password in /etc/opiekey file, you have to edit it manually and that add password again via 'opiepasswd'. *** 2*** opiekey opiekey could not generate response for zero sequence number when it specified directly: mx2# opiekey -a 0 vo6199 Using the MD5 algorithm to compute response. Sequence number 0 is not positive. but it works fine in case of: mx2# opiekey -n5 1 vo6199 Using the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: 0: OAK SEW CULT FALL AX WAND 1: BOUT AID SOOT BUT SIT BILK mx2# *** 3 *** pam_opie.so After successful login with 0 (zero) sequence number, trying to do it again (sequence number has been decreased, right?) mx2# ssh ssa@192.168.90.250 otp-md5 -1 (null) ext Password: Is it impossible to calculate response to '-1' so trying to use any password to skip pam_opie and login with next pam module. But here login hangs and there is _no_way_ to login remotely because pam_opie.so is the top line of pam.conf After about 1-2 minutes timeout with "Connection closed by 192.168.90.250" >Fix: correct opiepasswd/opiekey checking rules and output pam_opie.so, to check seq.number before processing login, at seq.number eq zero reinit it simultaneously with different seed reinitialization for the same passphrase? >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200311031856.hA3IuWMV019094>