From owner-freebsd-bugs@FreeBSD.ORG Sun Mar 26 22:20:12 2006
Return-Path:
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E81916A41F for ; Sun, 26 Mar 2006 22:20:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCA0543D46 for ; Sun, 26 Mar 2006 22:20:11 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k2QMKBFt013658 for ; Sun, 26 Mar 2006 22:20:11 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k2QMKBik013654; Sun, 26 Mar 2006 22:20:11 GMT (envelope-from gnats)
Resent-Date: Sun, 26 Mar 2006 22:20:11 GMT
Resent-Message-Id: <200603262220.k2QMKBik013654@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Juan Francisco Rodriguez Hervella
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6FD8816A420 for ; Sun, 26 Mar 2006 22:10:58 +0000 (UTC) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B23143D46 for ; Sun, 26 Mar 2006 22:10:58 +0000 (GMT) (envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1]) by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k2QMAvan050733 for ; Sun, 26 Mar 2006 22:10:57 GMT (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost) by www.freebsd.org (8.13.1/8.13.1/Submit) id k2QMAvvq050730; Sun, 26 Mar 2006 22:10:57 GMT (envelope-from nobody)
Message-Id: <200603262210.k2QMAvvq050730@www.freebsd.org>
Date: Sun, 26 Mar 2006 22:10:57 GMT
From: Juan Francisco Rodriguez Hervella
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Cc:
Subject: misc/94978: pam_opie module option without "no_fake_prompts" is not useful
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 26 Mar 2006 22:20:12 -0000

>Number:         94978
>Category:       misc
>Synopsis:       pam_opie module option without "no_fake_prompts" is not useful
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 26 22:20:11 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Juan Francisco Rodriguez Hervella
>Release:        FreeBSD-6.0-RELEASE #0
>Organization:
Alma Technologies
>Environment:
FreeBSD-6.0
>Description:
It's very easy to know if the account is not using opie passwords even if the option "no_fake_prompts" is removed from the pam_opie configuration, because the challenge varies randomly every time you try to log in, even when you fail.

My concern is that "no_fake_prompts" is made an option, meaning it is not the default behaviour... the default behaviour should be the more secure... but even without "no_fake_prompts" the attacker can find out that the user account is not using opie in a very easy way.

So in my humble opinion it is not enough to generate random opie challenges for accounts with opie disabled. The opie system should be able to issue the same challenge even for users with opie not enabled.

Do you understand my concern? Am I right? Is this difficult to implement? My answer to all these questions is... I don't know :)
>How-To-Repeat:
Enable opie passwords with the "opiepasswd" command on a specific account.

Then remove the option "no_fake_prompts" from /etc/pam.d/system.

Finally, try to log into an account without opie, without success, a couple of times, and you will find out that the challenge varies very randomly... which suggests opie is not actually being used, because with opie enabled, if you fail to log in, the same challenge will be sent to you over and over... and if you succeed, the challenge will be decremented by one...
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
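The report's point, as an added illustration that is not pam_opie's or FreeBSD's code: a fake prompt that is freshly random on every attempt is distinguishable from a real OPIE account, whose challenge stays constant across failed logins. The fix the reporter asks for can be modelled by deriving the fake challenge from a keyed hash of the username, so the same user always sees the same challenge. The challenge layout ("otp-md5 <sequence> <seed> ext") follows opie(4); the sequence range, seed length and the hypothetical server key are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets
import string

# OPIE challenges look like "otp-md5 <sequence> <seed> ext"; a real
# account starts at sequence 499 and counts down after each success.
ALPHABET = string.ascii_lowercase + string.digits
SEED_LEN = 6  # assumed seed length for the example


def random_fake_challenge() -> str:
    """Fake prompt as the report describes it: a new random challenge on
    every attempt, so repeated failures for a non-OPIE account never
    repeat, which is what gives the account away."""
    seq = 100 + secrets.randbelow(400)
    seed = "".join(secrets.choice(ALPHABET) for _ in range(SEED_LEN))
    return f"otp-md5 {seq} {seed} ext"


def stable_fake_challenge(username: str, server_key: bytes) -> str:
    """Deterministic fake prompt (illustrative design, not pam_opie's):
    sequence and seed come from HMAC-SHA256(server_key, username), so the
    same user always gets the same challenge, matching what a real OPIE
    account shows after a failed login. server_key is a per-host secret
    so the challenge cannot be predicted without it."""
    digest = hmac.new(server_key, username.encode("utf-8"),
                      hashlib.sha256).digest()
    seq = 100 + int.from_bytes(digest[:2], "big") % 400
    # Map digest bytes onto the seed alphabet (slight modulo bias is
    # irrelevant here; the seed only needs to be stable and plausible).
    seed = "".join(ALPHABET[b % len(ALPHABET)]
                   for b in digest[2:2 + SEED_LEN])
    return f"otp-md5 {seq} {seed} ext"


def challenge_stable_across_attempts(make_challenge, attempts: int = 3) -> bool:
    """Defender-side version of the How-To-Repeat check: ask for the
    prompt several times for one user and report whether it is constant.
    A stable result means failed logins no longer reveal OPIE status."""
    seen = {make_challenge() for _ in range(attempts)}
    return len(seen) == 1
```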