Skip site navigation (1)Skip section navigation (2) 
Date:      21 Jan 2002 01:17:44 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject:   Re: Step5, pam_opie OPIE auth fix for review
Message-ID:  <xzpn0z81rrr.fsf@flood.ping.uio.no>
In-Reply-To: <20020121000446.GB27206@nagual.pp.ru>
References:  <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <xzpvgdw1sqp.fsf@flood.ping.uio.no> <20020121000446.GB27206@nagual.pp.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> The basic OPIE/S-KEY idea under that was that normally only one-time
> password is allowed, i.e. user is not allowed to type plaintext passwords
> at all because connection treated as totally insecured one.
> 
> But for very special cases configured by sysadmin, like working in the 
> same machine or trusted subnet, OPIE/S-KEY additionally allows plaintext 
> password too, depending on its own configuration.

That's what PAM is for.  If fixed (not necessary plaintext!) passwords
are allowed, the admin will mark pam_opie as "sufficient" and place
pam_unix below it; if they're not, he'll just remove pam_unix.

The current system, BTW, leaves the policy in the hands of the user,
as she can create or remove ~/.opie_always at will.  A security policy
which is based on letting the user decide what is sufficient
authentication and what is not is not a proper security policy.

> > In any case, if I understand what you're trying to do, it can be done
> > by [...]
> It sounds good, I'll run a test case and inform you about results.

Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
from a "sufficient" module.  A "requisite" helper module, placed after
pam_opie, which fails if ~/.opie_always exists would do the trick, if
one really wanted this.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzpn0z81rrr.fsf>