From owner-freebsd-security@FreeBSD.ORG Mon Jun 21 06:54:49 2004
From: Peter Pentchev
To: Charles Sprickman
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Jun 2004 09:54:31 +0300
Subject: Re: 4.x, PAM, password facility
Message-ID: <20040621065431.GA970@straylight.m.ringlet.net>
In-Reply-To: <20040618161910.C70190@shell.inch.com>

On Fri, Jun 18, 2004 at 04:26:19PM -0400, Charles Sprickman wrote:
[snip]
> And since I know there's someone lurking here that knows this, is there
> any way to have OpenSSH deny a login when a user has key-based auth setup
> on their account? I never found a good way to take care of that; changing
> the shell, etc. is a bit awkward.

The sshd_config(5) manual page for OpenSSH in both -STABLE and -CURRENT
mentions Allow/DenyUsers/Groups. I'm not sure how long this has been
around, though - I seem to remember a time when only ssh.com's sshd
supported this.

G'luck,
Peter

-- 
Peter Pentchev    roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I had finished this sentence,

From owner-freebsd-security@FreeBSD.ORG Mon Jun 21 15:10:59 2004
From: des@des.no (Dag-Erling Smørgrav)
To: Charles Sprickman
Cc: freebsd-security@freebsd.org
Date: Mon, 21 Jun 2004 17:10:50 +0200
Subject: Re: 4.x, PAM, password facility
In-Reply-To: <20040618161910.C70190@shell.inch.com> (Charles Sprickman's message of "Fri, 18 Jun 2004 16:26:19 -0400 (EDT)")

Charles Sprickman writes:
> I would have expected a "pam_unix.so" there instead. Is the password
> facility implemented in 4.x?

no.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Jun 22 15:56:21 2004
From: Didier Wiroth
To: freebsd-security@freebsd.org
Date: Tue, 22 Jun 2004 17:55:55 +0200
Subject: Opieaccess file, is this normal?
Message-id: <0HZP00GS3W981A@mail.etat.lu>

Hi,

I'm trying to set up one-time passwords on FreeBSD 5.2.1.

From what I've read so far, if the user is present in opiekeys, the
opieaccess file determines if the user (coming from a specific host or
network) is allowed to use his unix password from this specific network.

As my opieaccess file is empty and the default rule (as mentioned in the
man file) is deny, I should not be able to get an ssh shell with my standard
unix password.

I've made a test on a test machine running ssh (sshd version
OpenSSH_3.6.1p1 FreeBSD-20030924).
The opiekeys file contains one user, me actually.
The opieaccess file is empty, so (by default) the unix password should not
be allowed when connecting through ssh.
I press "enter" a few times and sshd switches to the next authentication
method, "password".
Now I can enter my standard password and I'm logged in, even if I should
only be allowed to use the opie passwords.

Why? Isn't this a bug?

Here is the ssh -v output:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/didier/.ssh/identity
debug1: Trying private key: /home/didier/.ssh/id_rsa
debug1: Trying private key: /home/didier/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
otp-md5 300 pw9999 ext
Password:
otp-md5 300 pw9999 ext
Password [echo on]:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
didier@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

Thanks a lot

From owner-freebsd-security@FreeBSD.ORG Tue Jun 22 16:34:28 2004
From: Erick Mechler
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Date: Tue, 22 Jun 2004 09:34:07 -0700
Subject: Re: Opieaccess file, is this normal?
Message-ID: <20040622163407.GQ75424@techometer.net>
In-Reply-To: <0HZP00GS3W981A@mail.etat.lu>

:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication. Note that this affects the
             effectiveness of the PasswordAuthentication and PermitRootLogin
             variables. The default is ``yes''.

Does your /etc/pam.conf disable password authentication?

Cheers - Erick

From owner-freebsd-security@FreeBSD.ORG Thu Jun 24 07:05:50 2004
From: Didier Wiroth
To: freebsd-security@freebsd.org
Date: Thu, 24 Jun 2004 09:05:37 +0200
Subject: RE: Opieaccess file, is this normal?
Message-id: <0HZS001C8X1DVY@mail.etat.lu>
In-reply-to: <20040622163407.GQ75424@techometer.net>
Hi,

Here is the content of /etc/pam.d/ssh; it's actually the default, I didn't
change it.

auth      required    pam_nologin.so      no_warn
auth      sufficient  pam_opie.so         no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so   no_warn allow_local
auth      required    pam_unix.so         no_warn try_first_pass
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so         no_warn try_first_pass

I just want to point out that I want to keep "unix password authentication"
for the users whose host or network are in opieaccess. "Unix password
authentication" should be disabled for all users present in opiekeys and
whose hosts or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Subject: Re: Opieaccess file, is this normal?

[snip]

From owner-freebsd-security@FreeBSD.ORG Thu Jun 24 07:38:01 2004
From: Didier Wiroth
To: freebsd-security@freebsd.org
Date: Thu, 24 Jun 2004 09:37:39 +0200
Subject: FW: Opieaccess file, is this normal?
Message-id: <0HZS00158YISVY@mail.etat.lu>

Hmm,

I thought using .opiealways would be the solution, see:
http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
or
http://people.freebsd.org/~des/diary/2002.html

But I can still log in with the standard password even if the opieaccess
file is empty.

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Didier Wiroth
Sent: Thursday, June 24, 2004 09:06
To: freebsd-security@freebsd.org
Subject: RE: Opieaccess file, is this normal?

[snip]
From owner-freebsd-security@FreeBSD.ORG Thu Jun 24 13:59:21 2004
From: Jilles Tjoelker
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Date: Thu, 24 Jun 2004 15:57:48 +0200
Subject: Re: Opieaccess file, is this normal?
Message-ID: <20040624135747.GA12527@stack.nl>
In-Reply-To: <0HZP00GS3W981A@mail.etat.lu>
X-Operating-System: FreeBSD 5.2.1-RELEASE-p8 i386

On Tue, Jun 22, 2004 at 05:55:55PM +0200, Didier Wiroth wrote:
> I'm trying to setup one-time passwords on freebsd5.2.1
> From what I've read so far, if the user is present in opiekeys, the
> opieaccess file determines if the user (coming from a specific host or
> network) is allowed to use his unix password from this specific network.
> As my opieaccess file is empty and the default rule (as mentioned in the
> man file) is deny, I should not be able to get an ssh shell with my standard
> unix password.
> I've made a test on test machine running ssh (version sshd version
> OpenSSH_3.6.1p1 FreeBSD-20030924).
> The opiekey contains one user, me actually.
> The opieaccess file is empty so (by default) unix password should not be
> allowed when connecting through ssh.
> I enter a few times "enter" and sshd switches to the next authentication
> method "password".
> Now I can enter my standard password and I'm logged in, even if I should
> only be allowed to use the opie passwords.
> Why? Isn't this a bug?
>
> Here is the ssh -v output:
> [snip]
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/didier/.ssh/identity
> debug1: Trying private key: /home/didier/.ssh/id_rsa
> debug1: Trying private key: /home/didier/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> otp-md5 300 pw9999 ext
> Password [echo on]:
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> didier@localhost's password:
> debug1: Authentication succeeded (password).
[snip]

Use PasswordAuthentication no in /etc/ssh/sshd_config. The
PasswordAuthentication method doesn't obey many PAM restrictions.
ChallengeResponseAuthentication yes gives the "Password:" prompt and will
allow unix passwords if permitted. For this reason, PasswordAuthentication
no has become the default in -CURRENT.
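The point of this sub-thread is easier to see when the posted /etc/pam.d/ssh auth stack is walked through PAM's control flags. The following Python is an added example, not code from the thread, from FreeBSD or from OpenSSH: it models pam_nologin, pam_opie, pam_opieaccess (with allow_local) and pam_unix in simplified form over constructed data (the enrolled user, the OTP response, the passwords and the 148.110.43.x sample client addresses are all assumptions), evaluates the required/requisite/sufficient semantics of the stack as posted, and includes a small sshd_config check for the PasswordAuthentication no / ChallengeResponseAuthentication yes combination Jilles recommends. Run through the PAM path, an empty opieaccess refuses a Unix password to a user who is in opiekeys, which is exactly what Didier expected; the login he saw succeed came in over sshd's separate "password" method, which this stack never gets to veto unless that method is switched off.

```python
"""Model of the /etc/pam.d/ssh 'auth' stack posted in the thread (added example).

Shows how required/requisite/sufficient combine pam_nologin, pam_opie,
pam_opieaccess and pam_unix, and why an empty opieaccess refuses a Unix
password to a user enrolled in opiekeys. All data below is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed state (assumptions for this example, not a real system)
OPIEKEYS_USERS = {"didier"}                            # entries in /etc/opiekeys
UNIX_PASSWORDS = {"didier": "unixpw", "alice": "alicepw"}
OTP_RESPONSES = {"didier": "ROAD BIRD DOLL HATE"}     # what the OTP calculator would answer
NOLOGIN_PRESENT = False                                # /var/run/nologin does not exist

# The auth lines exactly as posted: (control flag, module, options)
AUTH_STACK = [
    ("required",   "pam_nologin",    {"no_warn"}),
    ("sufficient", "pam_opie",       {"no_warn", "no_fake_prompts"}),
    ("requisite",  "pam_opieaccess", {"no_warn", "allow_local"}),
    ("required",   "pam_unix",       {"no_warn", "try_first_pass"}),
]


def parse_opieaccess(text):
    """Parse 'permit|deny address netmask' lines; blanks and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        rules.append((action.lower() == "permit",
                      ip_network(f"{addr}/{mask}", strict=False)))
    return rules


def opieaccess_permits(rules, rhost):
    """First matching rule decides; no match means deny, the documented default."""
    host = ip_address(rhost)
    for permit, net in rules:
        if host in net:
            return permit
    return False


# Simplified models of the modules' auth behaviour
def pam_nologin(user, rhost, creds, rules, opts):
    return not NOLOGIN_PRESENT


def pam_opie(user, rhost, creds, rules, opts):
    if user not in OPIEKEYS_USERS:      # no_fake_prompts: no challenge, plain failure
        return False
    return creds.get("otp") == OTP_RESPONSES.get(user)


def pam_opieaccess(user, rhost, creds, rules, opts):
    if user not in OPIEKEYS_USERS:      # users without an OPIE key are not restricted
        return True
    if rhost is None and "allow_local" in opts:   # local login, no PAM_RHOST set
        return True
    return opieaccess_permits(rules, rhost)


def pam_unix(user, rhost, creds, rules, opts):
    return creds.get("password") == UNIX_PASSWORDS.get(user)


MODULES = {f.__name__: f for f in (pam_nologin, pam_opie, pam_opieaccess, pam_unix)}


def run_auth_stack(user, rhost, creds, opieaccess_text=""):
    """True if the stack authenticates; rhost None means a local login."""
    rules = parse_opieaccess(opieaccess_text)
    required_failed = False
    for control, module, opts in AUTH_STACK:
        ok = MODULES[module](user, rhost, creds, rules, opts)
        if control == "requisite" and not ok:
            return False            # stop at once; later modules are never consulted
        if control == "required" and not ok:
            required_failed = True  # keep going, but the final verdict is failure
        if control == "sufficient" and ok and not required_failed:
            return True             # satisfied; the rest of the stack is skipped
    return not required_failed


def sshd_offers_pam_path_only(sshd_config_text):
    """True when only the PAM-governed keyboard-interactive method is offered:
    PasswordAuthentication no with ChallengeResponseAuthentication yes (its
    default per the sshd_config(5) excerpt quoted in the thread). Keywords are
    case-insensitive and the first occurrence wins, as sshd reads them."""
    settings = {}
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return (settings.get("passwordauthentication") == "no"
            and settings.get("challengeresponseauthentication", "yes") == "yes")
```

The check to take away: run_auth_stack("didier", "148.110.43.189", {"password": "unixpw"}) is refused by the requisite pam_opieaccess line, and the same call with an opieaccess text of "permit 148.110.43.0 255.255.255.0" is accepted, so the stack already does what the opieaccess(5) semantics promise; sshd_offers_pam_path_only applied to the server's sshd_config is what decides whether that stack is the only door.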
-- 
Jilles Tjoelker

From owner-freebsd-security@FreeBSD.ORG Fri Jun 25 18:07:14 2004
From: "Daniel Goepp"
Date: Fri, 25 Jun 2004 14:06:36 -0400
Subject: mpd configure and route issues
Message-ID: <000901c45adf$280fd6b0$800101df@dg>

I have searched google high and low for answers to this...and I have gotten
many examples, howtos, etc...but they all seem to have a slightly different
configuration, and therefore, slightly different problems. Unfortunately,
not enough of them show the network layout along with the configuration, so
it's hard to tell why certain IPs are being used, and where they are on the
network. I have what could be considered a fairly standard setup, and I'll
bet an easy fix, but I'm just missing something.

I have a single FreeBSD box that I'm setting up as a firewall / gateway /
vpn for test purposes.

External network: x.x.0.208/28
Internal network: y.y.1.0/24
FreeBSD 4.10-STABLE - mpd 3.19

Internal: fxp0: inet y.y.1.1 netmask 0xffffff00 broadcast y.y.1.255
External: dc0: inet x.x.0.222 netmask 0xfffffff0 broadcast x.x.0.223

Without any mpd stuff started:

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            x.x.0.209          UGSc        2       15    dc0
x.x.0.208/28       link#2             UC          1        0    dc0
x.x.0.209          00:00:c5:94:ba:48  UHLW        3        0    dc0   1194
localhost          localhost          UH          0        0    lo0
y.y.1              link#1             UC          0        0   fxp0

Running ipfilter and ipnat, both of which work great. I have a rule set, but
for testing purposes here, until I get this working, I do a pass in/out
quick on all interfaces. ip.forward is on, and NAT is working. So as a
firewall and gateway, I'm good, just no joy with the VPN yet.

I will leave off most of the extra information about
auth/crypt/compress/etc...since that whole part appears to be working just
fine, I'm able to connect and authenticate. Also, for simplicity's sake,
assume just one VPN connection; if I get this working, I can see from the
examples how to set up the rest.

My first main question is in regards to putting the internal VPN connections
in the same subnet as the existing internal LAN. Some people seem to, some
don't. Either would be fine by me, but neither appears to work. The majority
appear to just put the incoming IPs right in a range on their existing
subnet, so I would assume that to be the standard method. So, let's say I
want to put my incoming client at y.y.1.5, put this in my config:

set ipcp ranges y.y.1.1/32 y.y.2.5/32

Now, y.y.1.1 is already the existing IP of this machine internally, and is
now also going to be the termination point for the tunnel. Is this normal?
It would appear to me that this could create conflict in routing. I tried
making it y.y.1.2/32, no luck.

Also, I wanted to make sure my external IP is in the right place, which it
appears to be; this part is working, I'm able to connect externally:

set pptp self x.x.0.222

So with things set up this way, I fire it up, no errors:

Jun 25 13:46:46 cap mpd: [pptp0] ppp node is "mpd142-pptp0"
Jun 25 13:46:46 cap mpd: mpd: local IP address for PPTP is x.x.0.222
Jun 25 13:46:46 cap mpd: [pptp0] using interface ng0

And as I would expect, ifconfig now shows the new netgraph interface; there
are no changes to the routing table.

ng0: flags=8890 mtu 1500

I then connect my client; after all the authentication goes by without
error, it leaves with:

Jun 25 13:48:47 cap mpd: [pptp0] IPCP: LayerUp
Jun 25 13:48:47 cap mpd: y.y.1.1 -> y.y.1.5
Jun 25 13:48:47 cap mpd: [pptp0] IFACE: Up event
Jun 25 13:48:47 cap mpd: [pptp0] setting interface ng0 MTU to 1196 bytes
Jun 25 13:48:47 cap mpd: [pptp0] exec: /sbin/ifconfig ng0 y.y.1.1 y.y.1.5 netmask 0xffffffff -link0
Jun 25 13:48:47 cap mpd: [pptp0] exec: /sbin/route add y.y.1.1 -iface lo0
Jun 25 13:48:47 cap mpd: [pptp0] IFACE: Up event

And my route table now has this added on:

y.y.1.1            lo0                UHS         0        0    lo0
y.y.1.5            192.168.1.1        UH          0        0    ng0

and ifconfig gives me:

inet y.y.1.1 --> y.y.1.5 netmask 0xffffffff

The first thing that jumps out at me here...lo0 as the interface!?!? That
seems strange, but I don't see how to control this.

From my client, I can ping y.y.1.5, but not y.y.1.1, so it's not getting
anything back from the other end of the tunnel. And from the server, I can
of course still ping y.y.1.1, but not y.y.1.5; it gives:

ping: sendto: No route to host.

Now, this all seems to make sense to me, as to why it's doing what it's
doing. But I don't know how to tell it to do what I want! I have played
around with static routes and the arp proxy stuff, to no avail. I have tried
moving the VPN clients to a different internal subnet, y.y.2.0/24, and got
different results, but pretty much what I would have expected.

Any help in this matter would be GREATLY appreciated!

-Daniel

From owner-freebsd-security@FreeBSD.ORG Sat Jun 26 20:06:27 2004
From: Dave
To: freebsd-security@freebsd.org
Date: Sat, 26 Jun 2004 13:18:32 -0700 (PDT)
Subject: ttyv for local only?
Message-ID: <20040626131219.T1249@metafocus.net>

I get this in my security postings.

Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2
Jun [undisclosed time] [undiscl.] login: 2 LOGIN FAILURES ON ttyv2, qmaild

As it turns out, I'm not running qmail :) And if I did, it would definitely
have a nologin shell. But that's beside the point: I have had a perception
that ttyv was for local/console logins, and that just "tty" was for remote
logins. Is my understanding wrong here?