From owner-freebsd-security@FreeBSD.ORG Sun Mar 6 21:38:40 2011
From: "Simon L. B. Nielsen"
To: Alexander Sack
Cc: freebsd-security@freebsd.org
Date: Sun, 6 Mar 2011 22:22:18 +0100
Message-Id: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk>
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?

On 3 Mar 2011, at 18:23, Alexander Sack wrote:

> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote:
>> Hello:
>>
>> I am a bit confused! I am reading the FIPS user guide and the
>> following document:
>>
>> http://www.openssl.org/docs/fips/fipsnotes.html
>>
>> I quote
>>
>> "If even the tiniest source code or build process changes are required
>> for your intended application, you cannot use the open source based
>> validated module directly. You must obtain your own validation. This
>> situation is common; see "Private Label" validation, below."
>>
>> Also, the openssl distribution has to match the right PGP keys.
>>
>> So to those who are more of Openssl/FIPS experts than I, I have some
>> basic questions:
>>
>> 1) I assume it is impossible to make a FIPS capable openssl
>> distribution straight out of the FreeBSD source tree without "Private
>> Validation" as defined in the document above? (i.e. you can certainly
>> build it this way but you are violating the guidelines for FIPS
>> Compliance, or do the maintainers out of src/crypto/openssl ENSURE that
>> the distro in that tree is equivalent to the openssl distro, even for
>> PGP key checks?)
> [...]
> I guess to put things more simply:
>
> Has the distribution integrated within the FreeBSD source tree been
> validated against its PGP keys so it can be built FIPS capable?

For all the imports I did of OpenSSL to the FreeBSD base system (which
means any OpenSSL import since FreeBSD 7.0), the PGP key for the source
tar was verified. That said, in the FreeBSD base system we totally replace
the OpenSSL build system and 'manually' apply fixes for the OpenSSL
security issues, so we certainly don't build OpenSSL unmodified.

I never had a reason to look at OpenSSL FIPS, so I don't really know if
it's possible to get it working on FreeBSD, but it's possible you can
manually build and install stock OpenSSL by hand.

-- 
Simon L. B. Nielsen
Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer

From owner-freebsd-security@FreeBSD.ORG Sun Mar 6 22:38:23 2011
From: jw011235
To: Simon L. B. Nielsen
Cc: Alexander Sack, freebsd-security@freebsd.org
Date: Sun, 6 Mar 2011 17:16:00 -0500
Message-Id: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
In-Reply-To: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk>
References: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk>
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?

On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:

> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>
>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote:
>>> Hello:
>>>
>>> I am a bit confused! I am reading the FIPS user guide and the
>>> following document:
>>>
>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>
>>> I quote
>>>
>>> "If even the tiniest source code or build process changes are required
>>> for your intended application, you cannot use the open source based
>>> validated module directly. You must obtain your own validation. This
>>> situation is common; see "Private Label" validation, below."
>>>
>>> Also, the openssl distribution has to match the right PGP keys.
>>>
>>> So to those who are more of Openssl/FIPS experts than I, I have some
>>> basic questions:
>>>
>>> 1) I assume it is impossible to make a FIPS capable openssl
>>> distribution straight out of the FreeBSD source tree without "Private
>>> Validation" as defined in the document above? (i.e. you can certainly
>>> build it this way but you are violating the guidelines for FIPS
>>> Compliance, or do the maintainers out of src/crypto/openssl ENSURE that
>>> the distro in that tree is equivalent to the openssl distro, even for
>>> PGP key checks?)
> [...]
>> I guess to put things more simply:
>>
>> Has the distribution integrated within the FreeBSD source tree been
>> validated against its PGP keys so it can be built FIPS capable?
>
> For all the imports I did of OpenSSL to the FreeBSD base system (which
> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source
> tar was verified. That said, in the FreeBSD base system we totally replace
> the OpenSSL build system and 'manually' apply fixes for the OpenSSL
> security issues, so we certainly don't build OpenSSL unmodified.
>
> I never had a reason to look at OpenSSL FIPS, so I don't really know if
> it's possible to get it working on FreeBSD, but it's possible you can
> manually build and install stock OpenSSL by hand.
>
> -- 
> Simon L. B. Nielsen
> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

I've been running OpenSSL FIPS for several years now on FreeBSD so it's
certainly possible. It's not terribly hard to compile but I wouldn't do it
through the ports. Download the source (I used the 0.9 source) and FIPS
instructions and compile by hand.

Certifying your installation through NIST is an entirely different matter.
My company elected to put off the process until we had a contract to justify
the expense and time involved. You'll have to dig for it, but the NIST
website has details on the process.
Best of luck,
Jason Williams

From owner-freebsd-security@FreeBSD.ORG Mon Mar 7 00:20:33 2011
From: Alexander Sack
To: jw011235
Cc: "Simon L. B. Nielsen", freebsd-security@freebsd.org
Date: Sun, 6 Mar 2011 19:20:32 -0500
In-Reply-To: <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
References: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?

On Sun, Mar 6, 2011 at 5:16 PM, jw011235 wrote:
>
> On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:
>
>> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>>
>>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote:
>>>>
>>>> Hello:
>>>>
>>>> I am a bit confused! I am reading the FIPS user guide and the
>>>> following document:
>>>>
>>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>>
>>>> I quote
>>>>
>>>> "If even the tiniest source code or build process changes are required
>>>> for your intended application, you cannot use the open source based
>>>> validated module directly. You must obtain your own validation. This
>>>> situation is common; see "Private Label" validation, below."
>>>>
>>>> Also, the openssl distribution has to match the right PGP keys.
>>>>
>>>> So to those who are more of Openssl/FIPS experts than I, I have some
>>>> basic questions:
>>>>
>>>> 1) I assume it is impossible to make a FIPS capable openssl
>>>> distribution straight out of the FreeBSD source tree without "Private
>>>> Validation" as defined in the document above? (i.e. you can certainly
>>>> build it this way but you are violating the guidelines for FIPS
>>>> Compliance, or do the maintainers out of src/crypto/openssl ENSURE that
>>>> the distro in that tree is equivalent to the openssl distro, even for
>>>> PGP key checks?)
>>
>> [...]
>>>
>>> I guess to put things more simply:
>>>
>>> Has the distribution integrated within the FreeBSD source tree been
>>> validated against its PGP keys so it can be built FIPS capable?
>>
>> For all the imports I did of OpenSSL to the FreeBSD base system (which
>> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source
>> tar was verified. That said, in the FreeBSD base system we totally replace
>> the OpenSSL build system and 'manually' apply fixes for the OpenSSL
>> security issues, so we certainly don't build OpenSSL unmodified.
>>
>> I never had a reason to look at OpenSSL FIPS, so I don't really know if
>> it's possible to get it working on FreeBSD, but it's possible you can
>> manually build and install stock OpenSSL by hand.
>>
>> -- 
>> Simon L. B. Nielsen
>> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>
> I've been running OpenSSL FIPS for several years now on FreeBSD so it's
> certainly possible. It's not terribly hard to compile but I wouldn't do it
> through the ports. Download the source (I used the 0.9 source) and FIPS
> instructions and compile by hand.
>
> Certifying your installation through NIST is an entirely different matter.
> My company elected to put off the process until we had a contract to justify
> the expense and time involved. You'll have to dig for it, but the NIST
> website has details on the process.

Wait, is NIST cert required to be FIPS capable? I don't think so.
-aps

From owner-freebsd-security@FreeBSD.ORG Mon Mar 7 03:49:04 2011
From: jw011235
To: Alexander Sack
Cc: "Simon L. B. Nielsen", freebsd-security@freebsd.org
Date: Sun, 6 Mar 2011 22:48:58 -0500
Message-Id: <9D6E197A-2C1A-49B0-A54D-5EA02C79BEA4@gmail.com>
References: <569CE2FF-151D-45F8-8B73-814D5CA0E47F@nitro.dk> <8F26F104-E000-4D4B-833A-C17E454098C5@gmail.com>
Subject: Re: FIPS compliant openssl possible within the FreeBSD build systems?

On Mar 6, 2011, at 7:20 PM, Alexander Sack wrote:

> On Sun, Mar 6, 2011 at 5:16 PM, jw011235 wrote:
>>
>> On Mar 6, 2011, at 4:22 PM, Simon L. B. Nielsen wrote:
>>
>>> On 3 Mar 2011, at 18:23, Alexander Sack wrote:
>>>
>>>> On Mon, Feb 28, 2011 at 7:33 PM, Alexander Sack wrote:
>>>>>
>>>>> Hello:
>>>>>
>>>>> I am a bit confused! I am reading the FIPS user guide and the
>>>>> following document:
>>>>>
>>>>> http://www.openssl.org/docs/fips/fipsnotes.html
>>>>>
>>>>> I quote
>>>>>
>>>>> "If even the tiniest source code or build process changes are required
>>>>> for your intended application, you cannot use the open source based
>>>>> validated module directly. You must obtain your own validation. This
>>>>> situation is common; see "Private Label" validation, below."
>>>>>
>>>>> Also, the openssl distribution has to match the right PGP keys.
>>>>>
>>>>> So to those who are more of Openssl/FIPS experts than I, I have some
>>>>> basic questions:
>>>>>
>>>>> 1) I assume it is impossible to make a FIPS capable openssl
>>>>> distribution straight out of the FreeBSD source tree without "Private
>>>>> Validation" as defined in the document above? (i.e. you can certainly
>>>>> build it this way but you are violating the guidelines for FIPS
>>>>> Compliance, or do the maintainers out of src/crypto/openssl ENSURE that
>>>>> the distro in that tree is equivalent to the openssl distro, even for
>>>>> PGP key checks?)
>>>
>>> [...]
>>>>
>>>> I guess to put things more simply:
>>>>
>>>> Has the distribution integrated within the FreeBSD source tree been
>>>> validated against its PGP keys so it can be built FIPS capable?
>>>
>>> For all the imports I did of OpenSSL to the FreeBSD base system (which
>>> means any OpenSSL import since FreeBSD 7.0), the PGP key for the source
>>> tar was verified. That said, in the FreeBSD base system we totally replace
>>> the OpenSSL build system and 'manually' apply fixes for the OpenSSL
>>> security issues, so we certainly don't build OpenSSL unmodified.
>>>
>>> I never had a reason to look at OpenSSL FIPS, so I don't really know if
>>> it's possible to get it working on FreeBSD, but it's possible you can
>>> manually build and install stock OpenSSL by hand.
>>>
>>> -- 
>>> Simon L. B. Nielsen
>>> Hats: Ex-OpenSSL maintainer, FreeBSD Deputy Security Officer
>>
>> I've been running OpenSSL FIPS for several years now on FreeBSD so it's
>> certainly possible. It's not terribly hard to compile but I wouldn't do it
>> through the ports. Download the source (I used the 0.9 source) and FIPS
>> instructions and compile by hand.
>>
>> Certifying your installation through NIST is an entirely different matter.
>> My company elected to put off the process until we had a contract to justify
>> the expense and time involved. You'll have to dig for it, but the NIST
>> website has details on the process.
>
> Wait, is NIST cert required to be FIPS capable? I don't think so.
>
> -aps

Using the OpenSSL FIPS code is not enough to claim your products or
services built upon it are FIPS 140-2 certified. You have to go through the
certification process with NIST since they are responsible for the
specification. There's a disclaimer with the OpenSSL FIPS instructions and
source which basically states as much.

I suppose you could claim that you are FIPS 140-2 compliant but I'm not a
legal expert and don't know what you may or may not claim in terms of FIPS
compliance or "capability". If you're working with the U.S. Government or
subcontracting to someone who is, you will eventually need the
certification to seal the deal for full funding (or at least be going
through the certification process), otherwise, how would they know you meet
the specification? (three letter agencies tend to be sticklers for wanting
proof of that sort of thing :P)

If you're not doing business with Uncle Sam then no problem, but then why
bother with FIPS 140-2? It's basically a pain. YMMV, but that's your
business.
Regards,
Jason Williams

From owner-freebsd-security@FreeBSD.ORG Wed Mar 9 14:52:14 2011
From: Miguel Lopes Santos Ramos
To: freebsd-security@freebsd.org
Date: Wed, 09 Mar 2011 14:51:50 +0000
Message-ID: <1299682310.17149.24.camel@w500.local>
Subject: It's not possible to allow non-OPIE logins only from trusted networks

Hi,

This is about pam_opieaccess. Because there's no project page for OPIE
outside FreeBSD and because I found other complaints on pam_opieaccess on
this list
(http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0118.html),
I'm posting this here, I hope it's OK.

For a few years now, I have used this policy for SSH logins, at home and
at work:
- users can login with passwords if they are on a trusted (read: local)
  network
- users can always login with public key authentication from anywhere
- users can only login from outside trusted networks if they use either
  public key authentication or OPIE.

This is almost easy. Each user enables OPIE, and an /etc/opieaccess file
allows password logins from trusted networks, with something like:

permit 10.0.0.0 255.0.0.0

However, one thing about pam_opieaccess makes having this policy
troublesome. pam_opieaccess(5) says that it returns PAM_SUCCESS in two
cases:

1. The user does not have OPIE enabled.
2. The user has OPIE enabled and the remote host is listed as a trusted
   host in /etc/opieaccess, and the user does not have a file named
   .opiealways in his home directory.

Now, things work according to the SPEC, that's good, but point 1 above is
troublesome for my policy. Users are an open set: every now and then a new
one is created. Because every user must be explicitly mentioned in
/etc/opiekeys, it's error prone for my policy. If I create a user and
forget to add him to /etc/opiekeys I have a breach in my policy. If
additionally he chooses a weak or a strong but compromised password, I
have a security breach.

I think the way pam_opieaccess behaves is like "leave a security breach by
default". I think it would be more useful if it returned PAM_SUCCESS when:

1. The user does not have OPIE enabled and the remote host is listed as a
   trusted host in /etc/opieaccess.
2. The user has OPIE enabled and the remote host is listed as a trusted
   host in /etc/opieaccess, and the user does not have a file named
   .opiealways in his home directory.

Or at least this should be an option for pam_opieaccess.

I understand opieaccess is a transition mechanism (transition to a time
where everyone uses OPIE, yeah right), and it is meant so that users who
can't use OPIE don't stop those that can from using it. However, I think a
greater incentive for using OPIE (with my policy) is "do you want to
connect from the Internet like I do? You must use OPIE for that."

Now, I'm a programmer, not so much an admin. I'm perfectly capable of
making a new pam_opieaccess module that does what I said or a simpler
module which just returns PAM_SUCCESS for trusted networks (that's all
that matters to my policy). The point is, wouldn't the other behaviour be
better for pam_opieaccess? Also, why don't people bump on this more often?
Is my policy inadvisable?
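The two decision tables above, side by side, as an added example that is not part of Miguel's post or of FreeBSD's pam_opieaccess: it parses a constructed /etc/opieaccess and /etc/opiekeys, checks the user's OPIE status the way a grep on the first field of opiekeys would, and evaluates both the documented semantics and the proposed ones for the same login attempt. PAM_SUCCESS/PAM_AUTH_ERR are local stand-ins, and treating a host that matches no opieaccess line as untrusted is this example's own default, not a claim about the real module.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the two PAM return codes discussed in the thread; a real
 * module takes them from <security/pam_constants.h>. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 1 };

typedef int (*policy_fn)(bool opie_enabled, bool trusted, bool opiealways);

/* pam_opieaccess as pam_opieaccess(5) is quoted on the page: a user who has
 * no OPIE key is always passed through to password authentication. */
static int current_policy(bool opie_enabled, bool trusted, bool opiealways)
{
    if (!opie_enabled)
        return PAM_SUCCESS;       /* case 1: no key, password from anywhere */
    if (trusted && !opiealways)
        return PAM_SUCCESS;       /* case 2: key, trusted host, no ~/.opiealways */
    return PAM_AUTH_ERR;
}

/* The semantics Miguel proposes: the trusted-network test comes first, and
 * ~/.opiealways still lets a keyed user insist on OPIE even locally. */
static int proposed_policy(bool opie_enabled, bool trusted, bool opiealways)
{
    if (!trusted)
        return PAM_AUTH_ERR;      /* never a plain password from outside */
    if (opie_enabled && opiealways)
        return PAM_AUTH_ERR;
    return PAM_SUCCESS;
}

/* Is there an /etc/opiekeys line for this user?  The login name is the first
 * field, which is what a grep for "^${LOGNAME} " matches. */
static bool opie_enabled_for(const char *opiekeys, const char *user)
{
    size_t n = strlen(user);
    for (const char *p = opiekeys; *p != '\0'; p++) {
        if (strncmp(p, user, n) == 0 && p[n] == ' ')
            return true;
        if ((p = strchr(p, '\n')) == NULL)
            break;
    }
    return false;
}

/* Walk /etc/opieaccess ("permit|deny address netmask", first match wins).
 * No match means untrusted here; that default is this example's own. */
static bool host_trusted(const char *opieaccess, const char *remote_ip)
{
    struct in_addr host, net, mask;
    if (inet_pton(AF_INET, remote_ip, &host) != 1)
        return false;             /* unparsable PAM_RHOST: never trusted */
    uint32_t h = ntohl(host.s_addr);
    for (const char *p = opieaccess; *p != '\0'; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128], action[8], a[INET_ADDRSTRLEN], m[INET_ADDRSTRLEN];
        if (len >= sizeof line)
            len = sizeof line - 1; /* overlong line is truncated and will not parse */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] != '#' &&
            sscanf(line, "%7s %15s %15s", action, a, m) == 3 &&
            inet_pton(AF_INET, a, &net) == 1 &&
            inet_pton(AF_INET, m, &mask) == 1 &&
            (h & ntohl(mask.s_addr)) == (ntohl(net.s_addr) & ntohl(mask.s_addr)))
            return strcmp(action, "permit") == 0;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return false;
}

/* What pam_opieaccess would return for one login attempt under a policy. */
static int decide(policy_fn policy, const char *opiekeys, const char *opieaccess,
                  const char *user, const char *remote_ip, bool has_opiealways)
{
    return policy(opie_enabled_for(opiekeys, user),
                  host_trusted(opieaccess, remote_ip), has_opiealways);
}

/* Constructed sample files: alice has an OPIE key, bob was never added. */
static const char OPIEKEYS[] =
    "alice 0499 al4242 0123456789abcdef Mar 09,2011 14:00:00\n";
static const char OPIEACCESS[] =
    "# trusted networks\n"
    "permit 10.0.0.0 255.0.0.0\n";

int main(void)
{
    /* bob from outside is the hole Miguel describes: 0 = PAM_SUCCESS */
    printf("bob from 203.0.113.7: current=%d proposed=%d\n",
           decide(current_policy, OPIEKEYS, OPIEACCESS, "bob", "203.0.113.7", false),
           decide(proposed_policy, OPIEKEYS, OPIEACCESS, "bob", "203.0.113.7", false));
    return 0;
}
```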
-- 
Miguel Ramos
PGP A006A14C

From owner-freebsd-security@FreeBSD.ORG Thu Mar 10 07:23:51 2011
From: "J. Hellenthal"
To: Miguel Lopes Santos Ramos
Cc: FreeBSD Security
Date: Thu, 10 Mar 2011 02:23:29 -0500
In-Reply-To: <1299682310.17149.24.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local>
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

On Wed, 9 Mar 2011 09:51, mbox@ wrote:

>
> I think the way pam_opieaccess behaves is like "leave a security breach
> by default". I think it would be more useful if it returned PAM_SUCCESS
> when:
>
> 1. The user does not have OPIE enabled and the remote host is listed as
> a trusted host in /etc/opieaccess.
> 2. The user has OPIE enabled and the remote host is listed as a trusted
> host in /etc/opieaccess, and the user does not have a file
> named .opiealways in his home directory.
>
> Or at least this should be an option for pam_opieaccess.
>

Does changing the following in /etc/pam.d/sshd help ?

# auth (edited for length)
-auth sufficient pam_opie.so no_warn no_fake_prompts
+auth binding pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local

There might be some other combinations that would change this behavior for
you but you will have to consult with pam.conf(5) as this is a pretty big
beast to sum up here.

Tweaking PAM in some situations could lead you to undesired results.
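Review bot: the sufficient-to-binding change on the pam_opie.so line does not express the trusted-network exception the original post asks for. Per pam.conf(5), a binding module that fails has its failure recorded and the chain continues, so a user who is missing from /etc/opiekeys (where pam_opie with no_fake_prompts fails) ends up with the whole auth chain failing even if a later password module succeeds, from the local network and from outside alike; that is the "force everyone onto OPIE" outcome, not a location-dependent one. For the policy described, the /etc/opieaccess test has to be evaluated and allowed to short-circuit before the OPIE prompt, which is the semantics change to pam_opieaccess itself that the original post proposes.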
Putting something into place of a script that runs out of /etc/profile or
/etc/shrc or whatever that greps the contents of /etc/opiekeys and prompts
the user to run the correct commands or runs them the first time might just
be a better long-term solution to enforcing they use OPIE.

/etc/profile
grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c

...

Anyway I'm sure some other shell-masters@ will chime in at some point and
possibly share what they have done in the past/present/future and offer up
some real good insight on this.

VPN access to the box(s) could be another solution where everyone is local
and you don't need OPIE at all. \o/

-- 
Regards,
J. Hellenthal (0x89D8547E)
JJH48-ARIN

From owner-freebsd-security@FreeBSD.ORG Thu Mar 10 15:01:21 2011
mbox@miguel.ramos.name using -f From: Miguel Lopes Santos Ramos To: "J. Hellenthal" In-Reply-To: References: <1299682310.17149.24.camel@w500.local> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Date: Thu, 10 Mar 2011 15:00:53 +0000 Message-ID: <1299769253.20266.23.camel@w500.local> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-Rollernet-Abuse: Processed by Roller Network Mail Services. Contact abuse@rollernet.us to report violations. Abuse policy: http://rollernet.us/abuse.php X-Rollernet-Submit: Submit ID 2540.4d78e7b3.c4ac7.0 Cc: FreeBSD Security Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Mar 2011 15:01:22 -0000 Qui, 2011-03-10 =C3=A0s 02:23 -0500, J. Hellenthal escreveu: > On Wed, 9 Mar 2011 09:51, mbox@ wrote: > > > > I think the way pam_opieaccess behaves is like "leave a security breach > > by default". I think it would be more usefull if it returned PAM_SUCCES= S > > when: > > > > 1. The user does not have OPIE enabled and the remote host is listed as > > a trusted host in /etc/opieaccess. > > 2. The user has OPIE enabled and the remote host is listed as a trusted > > host in /etc/opieaccess, and the user does not have a file > > named .opiealways in his home directory. > > > > Or at least this should be an option for pam_opieaccess. > > >=20 > Does changing the following in /etc/pam.d/sshd help ? > # auth (edited for length) > -auth sufficient pam_opie.so no_warn no_fake_prompts > +auth binding pam_opie.so no_warn no_fake_prompts > auth requisite pam_opieaccess.so no_warn allow_local >=20 Thanks, but no. That's not exactly what I want. That would force people to use OPIE. I only want to enforce OPIE for non-local network access. 
It's not realistic to enforce OPIE around here, have everybody have an otp-md5 calculator around, etc. For me, OPIE is just for an emergency scenario, when someone is out and doesn't have an SSH key pair (particularly, me).

> There might be some other combinations that would change this behavior for
> you but you will have to consult with pam.conf(5) as this is a pretty big
> beast to sum up here.

I don't think tweaking PAM would suffice. I would need a module which would be very similar in behaviour to pam_opieaccess, but with those changed semantics. Again, I can pick the code of pam_opieaccess and do the changes I said (it's right here in /usr/src/lib/libpam/modules/pam_opieaccess and is 40-50 lines of code). My point is, wouldn't those semantics be better for most people besides me?

> Tweaking PAM in some situations could lead you to undesired results.
> Putting something into place of a script that runs out of /etc/profile or
> /etc/shrc or whatever that greps the contents of /etc/opiekeys and prompts
> the user to run the correct commands or runs them the first time might
> just be a better long-term solution to enforcing they use OPIE.
>
> /etc/profile
> grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c

Yes, or /usr/bin/opiepasswd -d. In general, this is a problem of keeping two files in sync, /etc/master.passwd and /etc/opiekeys... it will never work. If I did as you say, I would still have a problem if someone would never get to log in (people have accounts also because they own files, and account locking stops people who just use SSH as a cheap VPN). I could have some script run when a user is created, however, the hole would always be there, waiting to be exploited, so I wouldn't exploit that much further.

> Anyway I'm sure some other shell-masters@ will chime in at some point and
> possibly share what they have done in the past/present/future and offer up
> some real good insight on this.
>
> VPN access to the box(s) could be another solution where everyone is local
> and you don't need OPIE at all. \o/

Yes, that's right. That would solve a whole lot of other problems too. It's true that I'm using SSH in many cases just as an easy-to-administer VPN. I've been postponing that for years. But I would need something that worked with FreeBSD and Gentoo (don't want to learn two tools) and for any client.

Still, even if I have a solution elsewhere, theoretically my question still stands. Wouldn't those changed semantics help people having a system which is more secure by default?

The point is: /etc/opieaccess / pam_opieaccess is meant to allow people not to use OPIE on a trusted network.

However, it does not enforce the use of OPIE from a non-trusted network.

It's kind of paradoxical, but that's what it does.

-- 
Miguel Ramos
PGP A006A14C


From: Remko Lodder
To: Miguel Lopes Santos Ramos
Cc: "J. Hellenthal", FreeBSD Security
Date: Thu, 10 Mar 2011 19:20:23 +0100
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

> Yes, that's right. That would solve a whole lot of other problems too.
> It's true that I'm using SSH in many cases just as an easy to administer
> VPN. I've been postponing that for years. But I would need something
> that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> for any client.

So with the pfSense project we have this thing integrated that is called OpenVPN. Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes because it's as secure as possible in this world :)) network between them. I pushed it to my parents who are (sigh) using Windows, I use it from my Mac (Viscosity) and hell it even works on Linux/Gentoo..

And it's all.. free :-)

Cheers
Remko

-- 
/"\   Best regards,                  | remko@FreeBSD.org
\ /   Remko Lodder                   |
 X    http://www.evilcoder.org/      | Quis custodiet ipsos custodes
/ \   ASCII Ribbon Campaign          | Against HTML Mail and News


From: Miguel Lopes Santos Ramos
To: Remko Lodder
Cc: "J. Hellenthal", FreeBSD Security
Date: Thu, 10 Mar 2011 19:12:41 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > Yes, that's right. That would solve a whole lot of other problems too.
> > It's true that I'm using SSH in many cases just as an easy to administer
> > VPN. I've been postponing that for years. But I would need something
> > that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> > for any client.
>
> so with the pfsense project we have this thing integrated that is called OpenVPN.
> Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes because
> it's as secure as possible in this world :)) network between them. I pushed it to my
> parents who are (sigh) using Windows, I use it from my Mac (Viscosity) and hell
> it even works on Linux/Gentoo..
>
> And it's all.. free :-)
>
> Cheers
> Remko

Thanks. I'll probably be looking into that sooner or later.

However, OPIE, nobody cares about OPIE?
-- 
Miguel Ramos
PGP A006A14C


From: Lionel Flandrin
To: freebsd-security@freebsd.org
Date: Thu, 10 Mar 2011 20:26:53 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
>
> Thu, 2011-03-10 at 19:20 +0100, Remko Lodder wrote:
> > > Yes, that's right. That would solve a whole lot of other problems too.
> > > It's true that I'm using SSH in many cases just as an easy to administer
> > > VPN. I've been postponing that for years. But I would need something
> > > that worked with FreeBSD and Gentoo (don't want to learn two tools) and
> > > for any client.
> >
> > so with the pfsense project we have this thing integrated that is called OpenVPN.
> > Hell, I use it between multiple FreeBSD boxes to create a 'secure' (quotes because
> > it's as secure as possible in this world :)) network between them. I pushed it to my
> > parents who are (sigh) using Windows, I use it from my Mac (Viscosity) and hell
> > it even works on Linux/Gentoo..
> >
> > And it's all.. free :-)
> >
> > Cheers
> > Remko
>
> Thanks. I'll probably be looking into that sooner or later.
>
> However, OPIE, nobody cares about OPIE?
Hi,

I do care about OPIE, but it has many shortcomings arguably more critical than the one you're pointing out. What bothers me most is the absence of a prefix password and the possibility that someone may hijack my session if he's replaying my input and sends the \n before I do. See the Wikipedia page about OTPW[1] for a more detailed explanation about that. OTPW is an alternative to OPIE that aims at correcting these issues.

I'd try to install and configure OTPW on my server to replace OPIE, but it's not in the ports and I don't know PAM well enough to try and mess with it, I would probably end up opening more security holes than I'm fixing.

Since these days many of us use cell phones where it's easy to write and distribute challenge/response generators I don't understand why there seems to be so little interest in developing and improving one time password solutions (including for websites, I wonder how many facebook/twitter/whatever accounts I could steal by putting keyloggers in an internet cafe).

I would gladly look into it myself but the subject is so security critical that I'm a little put off. If one of you knows of a project working on improving or replacing OPIE, I would gladly look into it and try to contribute if I can. Maybe this project _is_ OTPW? Why isn't it in the ports yet when the Wikipedia article claims it supports FreeBSD? Has anyone here tried it?

As for OpenVPN, it is a really good piece of software and you should have a look at it, but I can imagine scenarios where a one time password would be better suited than a complete VPN setup (for instance I use OPIE and shellinabox[2] over HTTPS to connect to my server from anywhere I can find a web browser, no need to install any additional software).
[1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
[2] https://code.google.com/p/shellinabox/

Cheers,

-- 
Lionel Flandrin


From: "J. Hellenthal"
To: Miguel Lopes Santos Ramos
Cc: FreeBSD Security
Date: Thu, 10 Mar 2011 16:00:00 -0500
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

On Thu, 10 Mar 2011 10:00, mbox@ wrote:
>>
>> /etc/profile
>> grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c
>
> Yes, or /usr/bin/opiepasswd -d. In general, this is a problem of keeping

-d would not be correct for the above example as opiepasswd would run if the user was not found. If the user was not found then -d really wouldn't be beneficial.

> two files in sync, /etc/master.passwd and /etc/opiekeys... it will never
> work.

master.passwd and opiekeys don't really have much to do with each other in this case. OPIE is another layer on top of the existing security and setting a different password using opiepasswd would only help to improve upon the security of the system.
> If I did as you say, I would still have a problem if someone would never
> get to log in (people have accounts also because they own files, and
> account locking stops people who just use SSH as a cheap VPN).

Seems to me that the users here should have their passwords automatically generated for them using a dependable secure length that might take 2.3 billion years for a processor on every square inch of the earth's surface to crack. ;) adduser(8) has the possibility to generate random passwords, mail the user the generated password, and then you just have to enforce the /etc/profile rule ;)

>
> I could have some script run when a user is created, however, the hole
> would always be there, waiting to be exploited, so I wouldn't exploit
> that much further.

The hole here is only the administrator of said system. I'm not pointing at you in particular but rather knowledge of a policy that is required for correct or intended operation and understanding of what OPIE is and how it is meant to operate.

>
> Still, even if I have a solution elsewhere, theoretically my question
> still stands. Wouldn't those changed semantics help people having a
> system which is more secure by default?
>

FreeBSD isn't and probably will never be a secure-by-default installation, but certainly does have the possibility of doing so with the right amount of knowledge behind it.

>
> The point is: /etc/opieaccess / pam_opieaccess is meant to allow people
> not to use OPIE on a trusted network.
>
> However, it does not enforce the use of OPIE from a non-trusted network.

You are right. It's not meant to enforce non-trusted authentication at all. This is a tripwire, not an authentication. It allows to bypass the OPIE mechanism for those that are ``permit'' and to enforce it explicitly for those that are listed as ``deny''; besides that pam_opieaccess is blind and PAM along with OPIE does the rest.

>
> It's kind of paradoxical, but that's what it does.
>

I have flicked OPIE on in the past and it never allowed anything in past the first addition of an opiekeys. This is the admin's job to figure out whether the policy for the user is to be (user initiated) or (admin enforced). If it's admin enforced, which seems to be your case, then you are now in charge of changing the required bits for that operation to be successful and will probably include some of the things I have already stated either above or in the last message posted.

You have a lot of variables in this equation that on FreeBSD can really only be met with a mix of modifications, scripting, programming and other such methods an experienced administrator would use.

Good luck on your quest,

-- 
Regards,
J. Hellenthal (0x89D8547E)
JJH48-ARIN


From: Miguel Lopes Santos Ramos
To: Lionel Flandrin
Cc: freebsd-security@freebsd.org
Date: Thu, 10 Mar 2011 23:09:07 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

Thu, 2011-03-10 at 20:26 +0000, Lionel Flandrin wrote:
> On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> >
> > Thanks. I'll probably be looking into that sooner or later.
> >
> > However, OPIE, nobody cares about OPIE?
>
> Hi,
>
> I do care about OPIE,

Thanks!!

> but it has many shortcomings arguably more
> critical than the one you're pointing out. What bothers me most is the
> absence of a prefix password and the possibility that someone may
> hijack my session if he's replaying my input and sends the \n before
> I do. See the Wikipedia page about OTPW[1] for a more detailed
> explanation about that. OTPW is an alternative to OPIE that aims at
> correcting these issues.
Well, I had never heard of OTPW, thanks for the pointer. But I'm not concerned about those problems you mentioned:

- As to the possibility of someone hijacking my session and sending \n before I do, I don't care for that because I only use SSH (the same comment would apply to your solution with https). That problem would be valid for cleartext sessions not encrypted with a session key. If someone can hijack my SSH session... hey, then all is lost in any case, the least I care about then is my password...

- About prefix passwords, I just gave a quick read on that Wikipedia page, but that seems to me important for the case where you take a list of passwords with you, and I wouldn't do that. And because OTPW is to be used like that, I don't think I would use it. I use OPIE when I have no other solution, I didn't take anything with me. At any moment, I download an OTP calculator and log in. If I'm supposed to carry anything, I'll prefer to carry an SSH key, a lot safer.

- The objection on S/KEY on that wiki page, that it's possible to compute all previous passwords, is a bit odd, since past passwords won't be used anymore.

- That S/KEY uses small English words actually helps a lot.

> I'd try to install and configure OTPW on my server to replace OPIE,
> but it's not in the ports and I don't know PAM well enough to try and
> mess with it, I would probably end up opening more security holes than
> I'm fixing.
>
> Since these days many of us use cell phones where it's easy to write
> and distribute challenge/response generators I don't understand why
> there seems to be so little interest in developing and improving one
> time passwords solutions (including for websites, I wonder how many
> facebook/twitter/whatever accounts I could steal by putting keyloggers
> in an internet cafe).

One time passwords made the most sense with insecure connections. Over a secure session, such as ssh or https, in principle, a strong password is just as strong.
One time passwords add no security if in the end it all amounts to a brute force attack. However, to me, in practice, they do add security, because:

- One time passwords lead to a larger search space, unless when compared to random passwords. Random passwords however end up having to be written in something that must be carried.

- Obviously, it's an additional layer of security that the attacker would have to be aware of (even though this counts as zero).

- One time passwords don't get compromised as easily, because you would have to be really foolish to use your passphrase anywhere else or write it down.

So, it really is questionable if they are any better in the world of encrypted connections.

> I would gladly look into it myself but the subject is so security
> critical that I'm a little put off. If one of you knows of a project
> working on improving or replacing OPIE, I would gladly look into it
> and try to contribute if I can. Maybe this project _is_ OTPW? Why
> isn't it in the ports yet when the Wikipedia article claims it
> supports FreeBSD? Has anyone here tried it?
>
> As for OpenVPN, it is a really good piece of software and you should
> have a look at it, but I can imagine scenarios where a one time
> password would be better suited than a complete VPN setup (For
> instance I use OPIE and shellinabox[2] over HTTPS to connect to my
> server from anywhere I can find a web browser, no need to install any
> additional software).
>
> [1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
> [2] https://code.google.com/p/shellinabox/
>
> Cheers,

Thanks for the pointers. That shellinabox is really cool. However, to me it's a lot easier to set up OpenSSH than it is to set up an https web server. I don't mind having to install PuTTY or FileZilla once a week, I already can navigate Simon Tatham's home page blindfolded.
Regards,

-- 
Miguel Ramos
PGP A006A14C


From: Dag-Erling Smørgrav
To: Miguel Lopes Santos Ramos
Cc: freebsd-security@freebsd.org
Date: Fri, 11 Mar 2011 10:46:08 +0100
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

Miguel Lopes Santos Ramos writes:
> 1. The user does not have OPIE enabled and the remote host is listed as
>    a trusted host in /etc/opieaccess.
> 2. The user has OPIE enabled and the remote host is listed as a trusted
>    host in /etc/opieaccess, and the user does not have a file
>    named .opiealways in his home directory.
>
> Or at least this should be an option for pam_opieaccess.

Seems like a good idea, at first blush (provided it's optional). Do you have a patch?

DES

-- 
Dag-Erling Smørgrav - des@des.no


From: Dag-Erling Smørgrav
To: freebsd-security@freebsd.org
Date: Fri, 11 Mar 2011 10:47:26 +0100
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

Lionel Flandrin writes:
> I'd try to install and configure OTPW on my server to replace OPIE,
> but it's not in the ports and I don't know PAM well enough to try and
> mess with it, I would probably end up opening more security holes than
> I'm fixing.

If it's as good as the ad copy says it is, and the license is OK, I might import it into the base system. Might take some time, though.

DES

-- 
Dag-Erling Smørgrav - des@des.no


From: Miguel Lopes Santos Ramos
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Fri, 11 Mar 2011 10:17:32 +0000
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks

Fri, 2011-03-11 at 10:46 +0100, Dag-Erling Smørgrav wrote:
> Miguel Lopes Santos Ramos writes:
> > 1. The user does not have OPIE enabled and the remote host is listed as
> >    a trusted host in /etc/opieaccess.
> > 2. The user has OPIE enabled and the remote host is listed as a trusted
> >    host in /etc/opieaccess, and the user does not have a file
> >    named .opiealways in his home directory.
> >
> > Or at least this should be an option for pam_opieaccess.
>
> Seems like a good idea, at first blush (provided it's optional). Do you
> have a patch?
>
> DES

I will make a scratch. I'll submit it to the list on the weekend.
-- 
Miguel Ramos
PGP A006A14C

From owner-freebsd-security@FreeBSD.ORG Fri Mar 11 17:43:50 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B4ED81065672 for ; Fri, 11 Mar 2011 17:43:50 +0000 (UTC) (envelope-from perrin@apotheon.com) Received: from cpoproxy3-pub.bluehost.com (cpoproxy3-pub.bluehost.com [67.222.54.6]) by mx1.freebsd.org (Postfix) with SMTP id 7A63E8FC0C for ; Fri, 11 Mar 2011 17:43:50 +0000 (UTC) Received: (qmail 14142 invoked by uid 0); 11 Mar 2011 17:17:10 -0000 Received: from unknown (HELO box543.bluehost.com) (74.220.219.143) by cpoproxy3.bluehost.com with SMTP; 11 Mar 2011 17:17:10 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=apotheon.com; h=Date:From:To:Subject:Message-ID:Mail-Followup-To:References:Mime-Version:Content-Type:Content-Disposition:In-Reply-To:User-Agent:X-Identified-User; b=UwxTDq+rlE/ZEJpvM3apeMJ2PTHb8qZRflpxb5BRl4MoePEoXHRLYtjM4sqQi1PVRrZTeRyM8HlXUz+tGLkMt14nfFKU48wWicH/b0JHJ2Mt0lgeBjkHtwAdYihW3KV3; Received: from c-24-8-180-234.hsd1.co.comcast.net ([24.8.180.234] helo=kukaburra.hydra) by box543.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from ) id 1Py5xd-0004sq-37 for freebsd-security@freebsd.org; Fri, 11 Mar 2011 10:17:10 -0700 Received: by kukaburra.hydra (sSMTP sendmail emulation); Fri, 11 Mar 2011 10:05:44 -0700 Date: Fri, 11 Mar 2011 10:05:44 -0700 From: Chad Perrin To: freebsd-security@freebsd.org Message-ID: <20110311170544.GA85386@guilt.hydra> Mail-Followup-To: freebsd-security@freebsd.org References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> <20110310202653.GG9421@shame.svkt.org> <8662rqyonl.fsf@ds4.des.no> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature";
boundary="ibTvN161/egqYuK8" Content-Disposition: inline In-Reply-To: <8662rqyonl.fsf@ds4.des.no> User-Agent: Mutt/1.4.2.3i X-Identified-User: {2737:box543.bluehost.com:apotheon:apotheon.org} {sentby:smtp auth 24.8.180.234 authed with ren@apotheon.org} Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2011 17:43:50 -0000

--ibTvN161/egqYuK8 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Fri, Mar 11, 2011 at 10:47:26AM +0100, Dag-Erling Smørgrav wrote:
> Lionel Flandrin writes:
> > I'd try to install and configure OTPW on my server to replace OPIE,
> > but it's not in the ports and I don't know PAM well enough to try and
> > mess with it, I would probably end up opening more security holes than
> > I'm fixing.
>
> If it's as good as the ad copy says it is, and the license is OK, I
> might import it into the base system. Might take some time, though.

The license for OTPW is not appropriate for importation into the base
system of any BSD Unix system. It's GPLed software. If people want it
in FreeBSD, it should go into ports.
-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]

--ibTvN161/egqYuK8 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) iEYEARECAAYFAk16VmgACgkQ9mn/Pj01uKWWuQCbB34JiG3RnCL9LuY67cklSpEj cPQAoL/5eehtn/huOr9Ik6k7KwEwr3Uw =LUM1 -----END PGP SIGNATURE----- --ibTvN161/egqYuK8--

From owner-freebsd-security@FreeBSD.ORG Fri Mar 11 21:16:01 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DC9921065672 for ; Fri, 11 Mar 2011 21:16:01 +0000 (UTC) (envelope-from mbox@miguel.ramos.name) Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [IPv6:2607:fe70:0:3::d]) by mx1.freebsd.org (Postfix) with ESMTP id 9F4DF8FC08 for ; Fri, 11 Mar 2011 21:16:01 +0000 (UTC) Received: from smtpauth.rollernet.us (localhost [127.0.0.1]) by smtpauth.rollernet.us (Postfix) with ESMTP id 462DA594010; Fri, 11 Mar 2011 13:15:50 -0800 (PST) Received: from w500.local (a83-132-6-167.cpe.netcabo.pt [83.132.6.167]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: @miguel.ramos.name) by smtpauth.rollernet.us (Postfix) with ESMTPSA; Fri, 11 Mar 2011 13:15:48 -0800 (PST) Received: from w500.local (w500.local [127.0.0.1]) by w500.local (8.14.4/8.14.4) with ESMTP id p2BLFZDc031233; Fri, 11 Mar 2011 21:15:35 GMT Received: (from miguel@localhost) by w500.local (8.14.4/8.14.4/Submit) id p2BLFXRk031231; Fri, 11 Mar 2011 21:15:33 GMT X-Authentication-Warning: w500.local: miguel set sender to mbox@miguel.ramos.name using -f From: Miguel Lopes Santos Ramos To: Dag-Erling Smørgrav In-Reply-To: <1299838652.24241.1.camel@w500.local> References: <1299682310.17149.24.camel@w500.local> <86aah2yopr.fsf@ds4.des.no> <1299838652.24241.1.camel@w500.local> Content-Type: multipart/mixed;
boundary="=-n11d+Dm0OfqZv4/Rwqg8" Date: Fri, 11 Mar 2011 21:15:33 +0000 Message-ID: <1299878133.29931.14.camel@w500.local> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-Rollernet-Abuse: Processed by Roller Network Mail Services. Contact abuse@rollernet.us to report violations. Abuse policy: http://rollernet.us/abuse.php X-Rollernet-Submit: Submit ID ba0.4d7a9104.d9553.0 Cc: freebsd-security@freebsd.org Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Mar 2011 21:16:01 -0000

--=-n11d+Dm0OfqZv4/Rwqg8 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

Here's a scratch. I added an option, called "require_trusted", which
enforces the trusted network check even for users which do not have
OPIE enabled. If this option is not used, behaviour is unchanged.

The name "require_trusted" is catchy and compelling to use. However, if
it was used in default configuration files, login would be impossible
(unless there was a default opieaccess file which permitted everything,
but that is a bit forcing OPIE stuff on people and it's not worth it).

Here are three of the scratches I made:
- I first tried to change as few lines as reasonable, that's
  pam_opieaccess_mindiff.c, but that made the code look less regular:
  instead of two ifs leading to return PAM_SUCCESS, now there was a
  third returning failure, so,
- as an attempt to avoid that, I used a nested if,
  pam_opieaccess_nestedif.c,
- then I tried to factor things out, and the best way seemed to be
  negating everything.

I still scratched a bit more, but it started looking like much ado
about nothing.
Sex, 2011-03-11 =C3=A0s 10:17 +0000, Miguel Lopes Santos Ramos escreveu: > Sex, 2011-03-11 =C3=A0s 10:46 +0100, Dag-Erling Sm=C3=B8rgrav escreveu: > > Miguel Lopes Santos Ramos writes: > > > 1. The user does not have OPIE enabled and the remote host is listed = as > > > a trusted host in /etc/opieaccess. > > > 2. The user has OPIE enabled and the remote host is listed as a trust= ed > > > host in /etc/opieaccess, and the user does not have a file > > > named .opiealways in his home directory. > > > > > > Or at least this should be an option for pam_opieaccess. > >=20 > > Seems like a good idea, at first blush (provided it's optional). Do yo= u > > have a patch? > >=20 > > DES >=20 > I will make a scratch. I'll submit it to the list on the weekend. >=20 --=20 Miguel Ramos PGP A006A14C --=-n11d+Dm0OfqZv4/Rwqg8 Content-Disposition: attachment; filename="pam_opieaccess.8.diff" Content-Type: text/x-patch; name="pam_opieaccess.8.diff"; charset="UTF-8" Content-Transfer-Encoding: base64 LS0tIHBhbV9vcGllYWNjZXNzLjgub3JpZwkyMDExLTAzLTExIDIwOjI1OjAzLjAwMDAwMDAwMCAr MDAwMA0KKysrIHBhbV9vcGllYWNjZXNzLjgJMjAxMS0wMy0xMSAyMDozMjowMy4wMDAwMDAwMDAg KzAwMDANCkBAIC05Niw3ICs5NiwxMiBAQA0KIC5EdiBQQU1fQVVUSF9FUlIgLg0KIC5QcA0KIFRo ZSBmb2xsb3dpbmcgb3B0aW9ucyBtYXkgYmUgcGFzc2VkIHRvIHRoZSBhdXRoZW50aWNhdGlvbiBt b2R1bGU6DQotLkJsIC10YWcgLXdpZHRoICIuQ20gYWxsb3dfbG9jYWwiDQorLkJsIC10YWcgLXdp ZHRoICIuQ20gcmVxdWlyZV90cnVzdGVkIg0KKy5JdCBDbSByZXF1aXJlX3RydXN0ZWQNCitOb3Jt YWxseSwgYSBsb2dpbiBmb3IgYSB1c2VyIHdoaWNoIGRvZXMgbm90IGhhdmUgT1BJRSBlbmFibGVk IGlzDQorYWxsb3dlZCB0aHJvdWdoIHRoaXMgbW9kdWxlLg0KK1RoaXMgb3B0aW9uLCBjYXVzZXMg dGhlIHRydXN0ZWQgaG9zdCBjaGVjayB0byBiZSBlbmZvcmNlZCBldmVuIGZvcg0KK3VzZXJzIHdo aWNoIGRvIG5vdCBoYXZlIE9QSUUgZW5hYmxlZC4NCiAuSXQgQ20gYWxsb3dfbG9jYWwNCiBOb3Jt YWxseSwgbG9jYWwgbG9naW5zIGFyZSBzdWJqZWN0ZWQgdG8gdGhlIHNhbWUgcmVzdHJpY3Rpb25z IGFzDQogcmVtb3RlIGxvZ2lucyBmcm9tDQo= --=-n11d+Dm0OfqZv4/Rwqg8 Content-Disposition: attachment; filename="pam_opieaccess_favorite.diff" Content-Type: 
text/x-patch; name="pam_opieaccess_favorite.diff"; charset="UTF-8" Content-Transfer-Encoding: base64 LS0tIHBhbV9vcGllYWNjZXNzLmMJMjAxMS0wMy0xMSAyMDoyMjo0Mi4wMDAwMDAwMDAgKzAwMDAN CisrKyBwYW1fb3BpZWFjY2Vzc19mYXZvcml0ZS5jCTIwMTEtMDMtMTEgMjA6MTg6MDYuMDAwMDAw MDAwICswMDAwDQpAQCAtNTYsNyArNTYsMTAgQEANCiAJc3RydWN0IG9waWUgb3BpZTsNCiAJc3Ry dWN0IHBhc3N3ZCAqcHdlbnQ7DQogCWNvbnN0IHZvaWQgKmx1c2VyLCAqcmhvc3Q7DQotCWludCBy Ow0KKwlpbnQgciwgYWxsb3dfbG9jYWwsIHJlcXVpcmVfdHJ1c3RlZCwgb3BpZV91c2VyOw0KKw0K KwlhbGxvd19sb2NhbCA9IG9wZW5wYW1fZ2V0X29wdGlvbihwYW1oLCAiYWxsb3dfbG9jYWwiKSAh PSAwOw0KKwlyZXF1aXJlX3RydXN0ZWQgPSBvcGVucGFtX2dldF9vcHRpb24ocGFtaCwgInJlcXVp cmVfdHJ1c3RlZCIpICE9IDA7DQogDQogCXIgPSBwYW1fZ2V0X2l0ZW0ocGFtaCwgUEFNX1VTRVIs ICZsdXNlcik7DQogCWlmIChyICE9IFBBTV9TVUNDRVNTKQ0KQEAgLTY0LDI0ICs2NywzMSBAQA0K IAlpZiAobHVzZXIgPT0gTlVMTCkNCiAJCXJldHVybiAoUEFNX1NFUlZJQ0VfRVJSKTsNCiANCi0J cHdlbnQgPSBnZXRwd25hbShsdXNlcik7DQotCWlmIChwd2VudCA9PSBOVUxMIHx8IG9waWVsb29r dXAoJm9waWUsIF9fREVDT05TVChjaGFyICosIGx1c2VyKSkgIT0gMCkNCi0JCXJldHVybiAoUEFN X1NVQ0NFU1MpOw0KLQ0KIAlyID0gcGFtX2dldF9pdGVtKHBhbWgsIFBBTV9SSE9TVCwgJnJob3N0 KTsNCiAJaWYgKHIgIT0gUEFNX1NVQ0NFU1MpDQogCQlyZXR1cm4gKHIpOw0KIAlpZiAocmhvc3Qg PT0gTlVMTCB8fCAqKGNvbnN0IGNoYXIgKilyaG9zdCA9PSAnXDAnKQ0KLQkJcmhvc3QgPSBvcGVu cGFtX2dldF9vcHRpb24ocGFtaCwgImFsbG93X2xvY2FsIikgPw0KLQkJICAgICIiIDogImxvY2Fs aG9zdCI7DQorCQlyaG9zdCA9IGFsbG93X2xvY2FsID8gIiIgOiAibG9jYWxob3N0IjsNCiANCi0J aWYgKG9waWVhY2Nlc3NmaWxlKF9fREVDT05TVChjaGFyICosIHJob3N0KSkgIT0gMCAmJg0KLQkg ICAgb3BpZWFsd2F5cyhwd2VudC0+cHdfZGlyKSAhPSAwKQ0KLQkJcmV0dXJuIChQQU1fU1VDQ0VT Uyk7DQorCWlmIChyZXF1aXJlX3RydXN0ZWQgJiYgb3BpZWFjY2Vzc2ZpbGUoX19ERUNPTlNUKGNo YXIqLCByaG9zdCkpID09IDApIHsNCisJCVBBTV9WRVJCT1NFX0VSUk9SKCJSZWZ1c2VkOyByZW1v dGUgaG9zdCBpcyBub3QgaW4gb3BpZWFjY2VzcyIpOw0KKwkJcmV0dXJuIChQQU1fQVVUSF9FUlIp Ow0KKwl9DQogDQotCVBBTV9WRVJCT1NFX0VSUk9SKCJSZWZ1c2VkOyByZW1vdGUgaG9zdCBpcyBu b3QgaW4gb3BpZWFjY2VzcyIpOw0KKwlwd2VudCA9IGdldHB3bmFtKGx1c2VyKTsNCisJb3BpZV91 
c2VyID0gb3BpZWxvb2t1cCgmb3BpZSwgX19ERUNPTlNUKGNoYXIqLCBsdXNlcikpID09IDA7DQor DQorCWlmIChvcGllX3VzZXIgJiYgcHdlbnQgIT0gTlVMTCAmJiBvcGllYWx3YXlzKHB3ZW50LT5w d19kaXIpID09IDApIHsNCisJCVBBTV9WRVJCT1NFX0VSUk9SKCJSZWZ1c2VkOyB1c2VyIG11c3Qg dXNlIE9QSUUiKTsNCisJCXJldHVybiAoUEFNX0FVVEhfRVJSKTsNCisJfQ0KKw0KKwlpZiAoIXJl cXVpcmVfdHJ1c3RlZCAmJiBvcGllX3VzZXIgJiYgb3BpZWFjY2Vzc2ZpbGUoX19ERUNPTlNUKGNo YXIqLCByaG9zdCkpID09IDApIHsNCisJCVBBTV9WRVJCT1NFX0VSUk9SKCJSZWZ1c2VkOyByZW1v dGUgaG9zdCBpcyBub3QgaW4gb3BpZWFjY2VzcyIpOw0KKwkJcmV0dXJuIChQQU1fQVVUSF9FUlIp Ow0KKwl9DQogDQotCXJldHVybiAoUEFNX0FVVEhfRVJSKTsNCisJcmV0dXJuIChQQU1fU1VDQ0VT Uyk7DQogfQ0KIA0KIFBBTV9FWFRFUk4gaW50DQo= --=-n11d+Dm0OfqZv4/Rwqg8 Content-Disposition: attachment; filename="pam_opieaccess_mindiff.diff" Content-Type: text/x-patch; name="pam_opieaccess_mindiff.diff"; charset="UTF-8" Content-Transfer-Encoding: base64 LS0tIHBhbV9vcGllYWNjZXNzLmMJMjAxMS0wMy0xMSAyMDoyMjo0Mi4wMDAwMDAwMDAgKzAwMDAN CisrKyBwYW1fb3BpZWFjY2Vzc19taW5kaWZmLmMJMjAxMS0wMy0xMSAxOTowNzoxOS4zMTIyNDMw MDAgKzAwMDANCkBAIC02NCwxMCArNjQsNiBAQA0KIAlpZiAobHVzZXIgPT0gTlVMTCkNCiAJCXJl dHVybiAoUEFNX1NFUlZJQ0VfRVJSKTsNCiANCi0JcHdlbnQgPSBnZXRwd25hbShsdXNlcik7DQot CWlmIChwd2VudCA9PSBOVUxMIHx8IG9waWVsb29rdXAoJm9waWUsIF9fREVDT05TVChjaGFyICos IGx1c2VyKSkgIT0gMCkNCi0JCXJldHVybiAoUEFNX1NVQ0NFU1MpOw0KLQ0KIAlyID0gcGFtX2dl dF9pdGVtKHBhbWgsIFBBTV9SSE9TVCwgJnJob3N0KTsNCiAJaWYgKHIgIT0gUEFNX1NVQ0NFU1Mp DQogCQlyZXR1cm4gKHIpOw0KQEAgLTc1LDYgKzcxLDE0IEBADQogCQlyaG9zdCA9IG9wZW5wYW1f Z2V0X29wdGlvbihwYW1oLCAiYWxsb3dfbG9jYWwiKSA/DQogCQkgICAgIiIgOiAibG9jYWxob3N0 IjsNCiANCisJaWYgKG9wZW5wYW1fZ2V0X29wdGlvbihwYW1oLCAicmVxdWlyZV90cnVzdGVkIikg JiYNCisJICAgIG9waWVhY2Nlc3NmaWxlKF9fREVDT05TVChjaGFyKiwgcmhvc3QpKSA9PSAwKQ0K KwkJcmV0dXJuIChQQU1fQVVUSF9FUlIpOw0KKw0KKwlwd2VudCA9IGdldHB3bmFtKGx1c2VyKTsN CisJaWYgKHB3ZW50ID09IE5VTEwgfHwgb3BpZWxvb2t1cCgmb3BpZSwgX19ERUNPTlNUKGNoYXIg KiwgbHVzZXIpKSAhPSAwKQ0KKwkJcmV0dXJuIChQQU1fU1VDQ0VTUyk7DQorDQogCWlmIChvcGll 
YWNjZXNzZmlsZShfX0RFQ09OU1QoY2hhciAqLCByaG9zdCkpICE9IDAgJiYNCiAJICAgIG9waWVh bHdheXMocHdlbnQtPnB3X2RpcikgIT0gMCkNCiAJCXJldHVybiAoUEFNX1NVQ0NFU1MpOw0K --=-n11d+Dm0OfqZv4/Rwqg8 Content-Disposition: attachment; filename="pam_opieaccess_nestedif.diff" Content-Type: text/x-patch; name="pam_opieaccess_nestedif.diff"; charset="UTF-8" Content-Transfer-Encoding: base64 LS0tIHBhbV9vcGllYWNjZXNzLmMJMjAxMS0wMy0xMSAyMDoyMjo0Mi4wMDAwMDAwMDAgKzAwMDAN CisrKyBwYW1fb3BpZWFjY2Vzc19uZXN0ZWRpZi5jCTIwMTEtMDMtMTEgMTk6MjE6NTcuMDAwMDAw MDAwICswMDAwDQpAQCAtNjQsMTAgKzY0LDYgQEANCiAJaWYgKGx1c2VyID09IE5VTEwpDQogCQly ZXR1cm4gKFBBTV9TRVJWSUNFX0VSUik7DQogDQotCXB3ZW50ID0gZ2V0cHduYW0obHVzZXIpOw0K LQlpZiAocHdlbnQgPT0gTlVMTCB8fCBvcGllbG9va3VwKCZvcGllLCBfX0RFQ09OU1QoY2hhciAq LCBsdXNlcikpICE9IDApDQotCQlyZXR1cm4gKFBBTV9TVUNDRVNTKTsNCi0NCiAJciA9IHBhbV9n ZXRfaXRlbShwYW1oLCBQQU1fUkhPU1QsICZyaG9zdCk7DQogCWlmIChyICE9IFBBTV9TVUNDRVNT KQ0KIAkJcmV0dXJuIChyKTsNCkBAIC03NSw5ICs3MSwxNiBAQA0KIAkJcmhvc3QgPSBvcGVucGFt X2dldF9vcHRpb24ocGFtaCwgImFsbG93X2xvY2FsIikgPw0KIAkJICAgICIiIDogImxvY2FsaG9z dCI7DQogDQotCWlmIChvcGllYWNjZXNzZmlsZShfX0RFQ09OU1QoY2hhciAqLCByaG9zdCkpICE9 IDAgJiYNCi0JICAgIG9waWVhbHdheXMocHdlbnQtPnB3X2RpcikgIT0gMCkNCi0JCXJldHVybiAo UEFNX1NVQ0NFU1MpOw0KKwlpZiAoIW9wZW5wYW1fZ2V0X29wdGlvbihwYW1oLCAicmVxdWlyZV90 cnVzdGVkIikgfHwNCisJICAgIG9waWVhY2Nlc3NmaWxlKF9fREVDT05TVChjaGFyKiwgcmhvc3Qp KSAhPSAwKSB7DQorCQlwd2VudCA9IGdldHB3bmFtKGx1c2VyKTsNCisJCWlmIChwd2VudCA9PSBO VUxMIHx8IG9waWVsb29rdXAoJm9waWUsIF9fREVDT05TVChjaGFyICosIGx1c2VyKSkgIT0gMCkN CisJCQlyZXR1cm4gKFBBTV9TVUNDRVNTKTsNCisNCisJCWlmIChvcGllYWNjZXNzZmlsZShfX0RF Q09OU1QoY2hhciAqLCByaG9zdCkpICE9IDAgJiYNCisJCSAgICBvcGllYWx3YXlzKHB3ZW50LT5w d19kaXIpICE9IDApDQorCQkJcmV0dXJuIChQQU1fU1VDQ0VTUyk7DQorCX0NCiANCiAJUEFNX1ZF UkJPU0VfRVJST1IoIlJlZnVzZWQ7IHJlbW90ZSBob3N0IGlzIG5vdCBpbiBvcGllYWNjZXNzIik7 DQogDQo= --=-n11d+Dm0OfqZv4/Rwqg8-- From owner-freebsd-security@FreeBSD.ORG Sat Mar 12 12:12:08 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from 
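Review bot: in the pam_opieaccess.8.diff attachment (base64, decoded), the new `.It Cm require_trusted` paragraph reads "This option, causes the trusted host check to be enforced even for users which do not have OPIE enabled"; drop the comma after "option", and say what enforcing means: with the option set, a login from a host that opieaccess(5) does not list is refused for every user, so the option must not be turned on in a default configuration unless an opieaccess file that permits the expected networks exists.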
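Review bot: in pam_opieaccess_favorite.diff (base64 attachment, decoded), second hunk, the claim that behaviour is unchanged without the option does not quite hold: the removed block returned PAM_SUCCESS whenever `getpwnam(luser)` returned NULL, whereas the new code only skips the `opiealways()` test when `pwent == NULL` and still refuses an unknown user from an untrusted host if `opielookup()` finds a stale /etc/opiekeys entry for that name. Either keep `if (pwent == NULL) return (PAM_SUCCESS);` after the new `getpwnam()` call or document the change. In the same hunk `opieaccessfile(__DECONST(char*, rhost))` is evaluated in two separate `if` statements that emit the same "Refused; remote host is not in opieaccess" message; evaluate it once into a local next to `opie_user` so the three conditions read as one table, and write `__DECONST(char *, ...)` as the rest of the file does.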
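Review bot: in pam_opieaccess_mindiff.diff (base64 attachment, decoded), second hunk, the new `require_trusted` refusal is a bare `return (PAM_AUTH_ERR);` with no PAM_VERBOSE_ERROR, while the existing refusal path later in the function reports "Refused; remote host is not in opieaccess"; add the same message before the new return so the user is told why the login was refused on both paths.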
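Review bot: in pam_opieaccess_nestedif.diff (base64 attachment, decoded), second hunk, when `require_trusted` is set `opieaccessfile()` is called twice for the same `rhost`, once in the outer condition and again inside the block; hoist the result into a local before the `if` so the access file is read once. The outer condition also writes `__DECONST(char*, rhost)` while the inner line keeps the file's `__DECONST(char *, rhost)` spacing.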
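The verdict that the option in the message above changes, as an added example written for this page and not code from the FreeBSD module or from any of the attached patches (C, since the module is C): `decide_original()` gives pam_opieaccess's answer as the module behaves today, where a user without OPIE is never checked against opieaccess(5), and `decide_patched()` gives it with `require_trusted`, following the order of checks in pam_opieaccess_favorite.diff. `host_trusted()` is a simplified stand-in for libopie's `opieaccessfile()` whose semantics are assumptions of this example (first matching permit/deny rule wins, no match means untrusted, an empty host name is a local login and is trusted, host names are not resolved); the `sample_opieaccess` rules are constructed, and every function name here is the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPIE_DENY  0
#define OPIE_ALLOW 1

/* Constructed /etc/opieaccess contents for the example (not a real file). */
static const char sample_opieaccess[] =
    "# one compromised box on the office LAN is listed explicitly\n"
    "deny   192.168.4.13 255.255.255.255\n"
    "permit 192.168.4.0  255.255.255.0\n"
    "permit 127.0.0.1    255.255.255.255\n";

/* Dotted quad to host-order integer; 0 on malformed input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Simplified stand-in for libopie's opieaccessfile().  Assumed semantics:
 * "permit|deny addr mask" rules, first match wins, no match or a malformed
 * rule is untrusted, an empty host name (what the module passes for a local
 * login when allow_local is set) is trusted, names are not resolved. */
static int host_trusted(const char *rules, const char *host)
{
    uint32_t ip, addr, mask;
    char line[128], action[8], a[32], m[32];
    const char *p = rules;

    if (host[0] == '\0')
        return 1;
    if (!parse_ipv4(host, &ip))
        return 0;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);

        if (len >= sizeof line)
            return 0;
        memcpy(line, p, len);
        line[len] = '\0';
        p += nl != NULL ? len + 1 : len;
        if (line[0] == '\0' || line[0] == '#')
            continue;
        if (sscanf(line, "%7s %31s %31s", action, a, m) != 3 ||
            !parse_ipv4(a, &addr) || !parse_ipv4(m, &mask))
            return 0;
        if ((ip & mask) == (addr & mask))
            return strcmp(action, "permit") == 0;
    }
    return 0;
}

/* Today's module: a user without OPIE is never checked against opieaccess. */
static int decide_original(int opie_user, int trusted, int has_opiealways)
{
    if (!opie_user)
        return OPIE_ALLOW;
    return trusted && !has_opiealways ? OPIE_ALLOW : OPIE_DENY;
}

/* With require_trusted, in the order of checks of pam_opieaccess_favorite.diff. */
static int decide_patched(int require_trusted, int opie_user, int trusted,
    int has_opiealways)
{
    if (require_trusted && !trusted)
        return OPIE_DENY;       /* host check now applies to everyone */
    if (opie_user && has_opiealways)
        return OPIE_DENY;       /* .opiealways makes the OTP mandatory */
    if (!require_trusted && opie_user && !trusted)
        return OPIE_DENY;       /* the old rule for OPIE users */
    return OPIE_ALLOW;
}

/* Exhaustive check that the option left off reproduces today's verdicts. */
static int patched_matches_original_when_off(void)
{
    int bits, u, t, a;

    for (bits = 0; bits < 8; bits++) {
        u = bits & 1; t = (bits >> 1) & 1; a = bits >> 2;
        if (decide_patched(0, u, t, a) != decide_original(u, t, a))
            return 0;
    }
    return 1;
}
```

`patched_matches_original_when_off()` walks all eight combinations of (OPIE user, trusted host, .opiealways present) and confirms that with the option off the new verdict equals today's, the "behaviour is unchanged" property the message claims. With the option on, `decide_patched(1, 0, host_trusted(sample_opieaccess, "10.0.0.1"), 0)` is a deny for a user without OPIE coming from an unlisted host, which is the case the subject line says the current module cannot express; `decide_original(0, 0, 0)` shows why, returning allow regardless of the host.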
mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 09C4E1065672 for ; Sat, 12 Mar 2011 12:12:08 +0000 (UTC) (envelope-from simias.n@gmail.com) Received: from mail-wy0-f182.google.com (mail-wy0-f182.google.com [74.125.82.182]) by mx1.freebsd.org (Postfix) with ESMTP id 874AD8FC0C for ; Sat, 12 Mar 2011 12:12:07 +0000 (UTC) Received: by wyf23 with SMTP id 23so3791295wyf.13 for ; Sat, 12 Mar 2011 04:12:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:date:from:to:subject:message-id :mail-followup-to:references:mime-version:content-type :content-disposition:in-reply-to:user-agent; bh=bxQbAp21o0he2+YnfmR7zdpKLJ9tkSf8wiubnaygVPs=; b=BudCRcM66yEFZlY3HFMetmodcaS9Ob1nFaE52jbtrkzyWefkTOP2uAauqs/JjfRZX1 Ajz8ywOvSz8EUQ600Gi9/Aoglwl+km+4rvcOBlmVGkBkGXsXyvCUFzcexjtKkiPW8Qy7 ZBPBH6XsIGdszT8rdWxxu+8JjManngh3VALI4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition:in-reply-to :user-agent; b=v6qkn+kI0t7jEreeN1eWw7en4x3H9PeOig5NHibsn6ait0cXe0aNMs6fscWdH2/Kwe 23X8E0vkipXe3F64UKDHxVCZJ/YB75/cZWKpMCwzIKHpbmO0tf3+DV0yPmfi0Str8UsE EGmDKrRP886EXwIHngRWIlyyLKNy44NCVOIZ4= Received: by 10.216.121.130 with SMTP id r2mr8683236weh.96.1299931926284; Sat, 12 Mar 2011 04:12:06 -0800 (PST) Received: from localhost (home.svkt.org [82.243.51.8]) by mx.google.com with ESMTPS id r57sm2712574wes.25.2011.03.12.04.12.02 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 12 Mar 2011 04:12:03 -0800 (PST) Date: Sat, 12 Mar 2011 12:12:01 +0000 From: Lionel Flandrin To: freebsd-security@freebsd.org Message-ID: <20110312121200.GJ9421@shame.svkt.org> Mail-Followup-To: freebsd-security@freebsd.org References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local> 
<20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="iAzLNm1y1mIRgolD" Content-Disposition: inline In-Reply-To: <1299798547.20831.59.camel@w500.local> User-Agent: Mutt/1.5.21 (2010-09-15) Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Mar 2011 12:12:08 -0000

--iAzLNm1y1mIRgolD Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Thu, Mar 10, 2011 at 11:09:07PM +0000, Miguel Lopes Santos Ramos wrote:
>
> Thu, 2011-03-10 at 20:26 +0000, Lionel Flandrin wrote:
> > On Thu, Mar 10, 2011 at 07:12:41PM +0000, Miguel Lopes Santos Ramos wrote:
> > >
> > > Thanks. I'll probably be looking into that sooner or later.
> > >
> > > However, OPIE, nobody cares about OPIE?
> >
> > Hi,
> >
> > I do care about OPIE,
>
> Thanks!!
>
> > but it has many shortcomings arguably more
> > critical than the one you're pointing out. What bothers me most is the
> > absence of a prefix password and the possibility that someone may
> > hijack my session if he's replaying my input and sends the \n before
> > I do. See the wikipedia page about OTPW[1] for a more detailed
> > explanation about that. OTPW is an alternative to OPIE that aims at
> > correcting these issues.
>
> Well, I had never heard of OTPW, thanks for the pointer. But I'm not
> concerned about those problems you mentioned:
>
> - As to the possibility of someone hijacking my session and sending \n
> before I do, I don't care for that because I only use SSH (the same
> comment would apply to your solution with https). That problem would be
> valid for cleartext sessions not encrypted with a session key. If
> someone can hijack my SSH session... hey, then all is lost in any case,
> the least I care about then is my password...

Even with SSH/HTTPS you're at risk if someone hijacks your session not
by man-in-the-middle'ing your network connection but by using a
keylogger directly on your guest OS or even on your USB port.

> - About prefix passwords, I just gave a quick read on that wikipedia
> page, but that seems to me important for the case where you take a list
> of passwords with you, and I wouldn't do that. And because OTPW is to be
> used like that, I don't think I would use it. I use OPIE when I have no
> other solution, I didn't take anything with me. At any moment, I
> download an OTP calculator and log in. If I'm supposed to carry
> anything, I'll prefer to carry an SSH key, a lot safer.

Well I use my cell phone to calculate the OTP, but right now I have the
passphrase stored on my cell phone (because it's a pain to type a
complex passphrase on these devices for me) so I'd like to have another,
shorter and less secure prefix password that would just give me some
time to reset the main passphrase if my phone gets stolen.

By the way, I'm working on a dirty hack right now that would in effect
give me that: I plan to modify the OTP calculator I use so that it
would save only a portion of the passphrase, and I would have to enter
the last few characters (say, a 4 digit PIN-like code) by hand each
time. This way I can have a complex non-bruteforceable passphrase that
I can store on my trusted cellphone plus something that protects me
for a while if my cellphone gets stolen. It's still a dirty hack tho.

> - The objection on S/KEY on that wiki page, that it's possible to
> compute all previous passwords, is a bit odd, since past passwords won't
> be used anymore.

Yeah, that's a bit contrived, I guess it's only dangerous if you print
a list of passwords and for some reason the last ones of them get
compromised.

> - That S/KEY uses small english words actually helps a lot.
>
> >
> > I'd try to install and configure OTPW on my server to replace OPIE,
> > but it's not in the ports and I don't know PAM well enough to try and
> > mess with it, I would probably end up opening more security holes than
> > I'm fixing.
> >
> > Since these days many of us use cell phones where it's easy to write
> > and distribute challenge/response generators I don't understand why
> > there seems to be so little interest in developing and improving one
> > time passwords solutions (including for websites, I wonder how many
> > facebook/twitter/whatever accounts I could steal by putting keyloggers
> > in an internet cafe).
>
> One time passwords made the most sense with insecure connections. Over a
> secure session, such as ssh or https, in principle, a strong password is
> just as strong. One time passwords add no security if in the end all
> amounts to a brute force attack.

Again, encryption will not stop a keylogger on an untrusted
computer. Everything is still clear text until it's written into the
SSL/SSH socket. And it's not exactly difficult or super expensive to
install: http://www.amazon.com/dp/B004IA69YE

> However, to me, in practice, they do add security, because:
> - One time passwords lead to a larger search space, except when compared
> to random passwords. Random passwords however end up having to be
> written in something that must be carried.
> - Obviously, it's an additional layer of security that the attacker
> would have to be aware of (even though this counts as zero).
> - One time passwords don't get compromised as easily, because you would
> have to be really foolish to use your passphrase anywhere else or write
> it down.
>
>
> So, it really is questionable if they are any better in the world of
> encrypted connections.
>
>
> > I would gladly look into it myself but the subject is so security
> > critical that I'm a little put off. If one of you knows of a project
> > working on improving or replacing OPIE, I would gladly look into it
> > and try to contribute if I can. Maybe this project _is_ OTPW? Why
> > isn't it in the ports yet when the Wikipedia article claims it
> > supports FreeBSD? Has anyone here tried it?
> >
> > As for OpenVPN, it is a really good piece of software and you should
> > have a look at it, but I can imagine scenarios where a one time
> > password would be better suited than a complete VPN setup (For
> > instance I use OPIE and shellinabox[2] over HTTPS to connect to my
> > server from anywhere I can find a web browser, no need to install any
> > additional software).
> >
> > [1] https://secure.wikimedia.org/wikipedia/en/wiki/OTPW
> > [2] https://code.google.com/p/shellinabox/
> >
> > Cheers,
>
>
> Thanks for the pointers. That shellinabox is really cool.
> However, to me it's a lot easier to setup OpenSSH than it is to setup an
> https web server. I don't mind having to install PuTTY or FileZilla once
> a week, I already can navigate Simon Tatham's home page blindfolded.
>
> Regards,
>
> -- 
> Miguel Ramos
> PGP A006A14C

-- 
Lionel Flandrin

--iAzLNm1y1mIRgolD Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iEYEAREKAAYFAk17YxAACgkQlfFEoIrYgB3wqwCfdZmPDyH4z3xcZfSTeh+AVLfJ mcoAn1QoHoN7RqKsGqYX8Bax/yybiQxB =vyN4 -----END PGP SIGNATURE----- --iAzLNm1y1mIRgolD--

From owner-freebsd-security@FreeBSD.ORG Sat Mar 12 22:15:29 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A610F1065670 for ; Sat, 12 Mar 2011 22:15:29 +0000 (UTC) (envelope-from mbox@miguel.ramos.name) Received: from smtpauth.rollernet.us (smtpauth.rollernet.us [IPv6:2607:fe70:0:3::d]) by mx1.freebsd.org (Postfix) with ESMTP id 772438FC13 for ; Sat, 12 Mar 2011 22:15:29 +0000 (UTC) Received: from smtpauth.rollernet.us (localhost [127.0.0.1]) by smtpauth.rollernet.us (Postfix) with ESMTP id 00602594010; Sat, 12 Mar 2011 14:15:18 -0800 (PST) Received: from w500.local (a83-132-6-167.cpe.netcabo.pt [83.132.6.167]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: @miguel.ramos.name) by smtpauth.rollernet.us (Postfix) with ESMTPSA; Sat, 12 Mar 2011 14:15:18 -0800 (PST) Received: from w500.local (w500.local [127.0.0.1]) by w500.local (8.14.4/8.14.4) with ESMTP id p2CMF5lm012961; Sat, 12 Mar 2011 22:15:05 GMT Received: (from miguel@localhost) by w500.local (8.14.4/8.14.4/Submit) id p2CMF1Dq012959; Sat, 12 Mar 2011 22:15:01 GMT X-Authentication-Warning: w500.local: miguel set sender to mbox@miguel.ramos.name using -f From: Miguel Lopes Santos Ramos To: Lionel Flandrin In-Reply-To: <20110312121200.GJ9421@shame.svkt.org> References: <1299682310.17149.24.camel@w500.local> <1299769253.20266.23.camel@w500.local> <2E5C0CE8-4F70-4A4D-A91D-3274FD394C80@elvandar.org> <1299784361.18199.4.camel@w500.local>
<20110310202653.GG9421@shame.svkt.org> <1299798547.20831.59.camel@w500.local> <20110312121200.GJ9421@shame.svkt.org> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Date: Sat, 12 Mar 2011 22:15:01 +0000 Message-ID: <1299968101.12752.16.camel@w500.local> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-Rollernet-Abuse: Processed by Roller Network Mail Services. Contact abuse@rollernet.us to report violations. Abuse policy: http://rollernet.us/abuse.php X-Rollernet-Submit: Submit ID 2236.4d7bf076.956d3.0 Cc: freebsd-security@freebsd.org Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Mar 2011 22:15:29 -0000

Sat, 2011-03-12 at 12:12 +0000, Lionel Flandrin wrote:
(...)
> Even with SSH/HTTPS you're at risk if someone hijacks your session not
> by man-in-the-middle'ing your network connection but by using a
> keylogger directly on your guest OS or even on your USB port.
(...)
> By the way, I'm working on a dirty hack right now that would in effect
> give me that: I plan to modify the OTP calculator I use so that it
> would save only a portion of the passphrase, and I would have to enter
> the last few characters (say, a 4 digit PIN-like code) by hand each
> time. This way I can have a complex non-bruteforceable passphrase that
> I can store on my trusted cellphone plus something that protects me
> for a while if my cellphone gets stolen. It's still a dirty hack tho.

The math of that sounds a bit hard... You're talking about OTPW, not
OPIE, is it?

(...)
> Again, encryption will not stop a keylogger on an untrusted
> computer. Everything is still clear text until it's written into the
> SSL/SSH socket. And it's not exactly difficult or super expensive to
> install: http://www.amazon.com/dp/B004IA69YE

Well a device like that would catch me any time (hackers, welcome!),
even when I use OPIE (because I don't use a separate device, a cell
phone). Somewhere we have to draw a line, and my line is there.

But when I look around me, to my physical/social environment, I feel
pretty confident. I guess the most real risk I face is someone pointing
a knife at me...

My problem with passwords, even passwords generated by
dd if=/dev/random bs=6 count=1 | base64, is seeing dozens, sometimes
hundreds of login attempts per day at any SSH server I open. Even
though they're stupid attempts, which don't even guess a valid username
(which is pretty easy, let me tell you), they make me feel that an 8
random character password can be guessed by accident.

In my physical environment, I don't see the slightest threat (at least
not one which does not involve knives).

-- 
Miguel Ramos
PGP A006A14C