From owner-freebsd-security@FreeBSD.ORG Thu Mar 10 07:23:51 2011
Date: Thu, 10 Mar 2011 02:23:29 -0500
From: "J. Hellenthal"
To: Miguel Lopes Santos Ramos
Cc: FreeBSD Security
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
In-Reply-To: <1299682310.17149.24.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E
X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E
List-Id: "Security issues [members-only posting]"

On Wed, 9 Mar 2011 09:51, mbox@ wrote:

> I think the way pam_opieaccess behaves is like "leave a security breach
> by default". I think it would be more useful if it returned PAM_SUCCESS
> when:
>
> 1. The user does not have OPIE enabled and the remote host is listed as
>    a trusted host in /etc/opieaccess.
> 2. The user has OPIE enabled and the remote host is listed as a trusted
>    host in /etc/opieaccess, and the user does not have a file
>    named .opiealways in his home directory.
>
> Or at least this should be an option for pam_opieaccess.

Does changing the following in /etc/pam.d/sshd help?

# auth (edited for length)
-auth sufficient pam_opie.so no_warn no_fake_prompts
+auth binding pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local

There might be some other combinations that would change this behavior for
you, but you will have to consult pam.conf(5), as this is a pretty big beast
to sum up here. Tweaking PAM in some situations could lead you to undesired
results.
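Review bot: the `-auth sufficient` to `+auth binding` change on the pam_opie.so line alters the failure side of the flag, not only the success side: pam.conf(5) says a failing "binding" module lets the rest of the chain run but the request is ultimately denied, whereas a failing "sufficient" module is not by itself fatal. So any login for which pam_opie.so does not succeed is refused before the `auth requisite pam_opieaccess.so no_warn allow_local` trusted-host check can matter, which is worth checking against the stated goal of allowing non-OPIE logins from trusted networks. Since the stanza is "edited for length", it would also help to show the module that follows pam_opieaccess.so, because that is what decides the non-OPIE case under the unchanged "sufficient" flag.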
Putting something into place, such as a script that runs out of /etc/profile
or /etc/shrc or whatever, that greps the contents of /etc/opiekeys and
prompts the user to run the correct commands, or runs them the first time,
might just be a better long-term solution to enforcing that they use OPIE.

/etc/profile
grep -q "^${LOGNAME} " /etc/opiekeys || /usr/bin/opiepasswd -c
...

Anyway, I'm sure some other shell-masters@ will chime in at some point and
possibly share what they have done in the past/present/future and offer up
some real good insight on this.

VPN access to the box(es) could be another solution where everyone is local
and you don't need OPIE at all. \o/

-- 
Regards,

 J. Hellenthal (0x89D8547E)
 JJH48-ARIN
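To see what the control-flag change proposed in this thread actually does to the sshd auth chain, here is a small Python model of how OpenPAM walks a chain, following the description of the control flags in pam.conf(5). It is an added example, not code from the thread, from FreeBSD or from OpenPAM. The three stand-in modules are simplified models, and their behaviour is an assumption: pam_opie is modelled as failing for a user with no OPIE entry (the no_fake_prompts case), and pam_opieaccess as succeeding for users without OPIE, for local logins (allow_local), and for trusted hosts unless the user has ~/.opiealways. The trailing `auth required pam_unix.so` line is assumed to be what the "edited for length" stanza ends with, and every user, host and the /etc/opieaccess contents are constructed.

```python
"""
Toy model of OpenPAM "auth" chain dispatch, comparing the default
sufficient/requisite OPIE lines with the suggested "binding" variant.

Added example; not FreeBSD or OpenPAM code.  Dispatch rules follow the
control-flag descriptions in pam.conf(5).  The stand-in modules and all
site data below are assumptions / constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# --- constructed site data -------------------------------------------------
OPIE_ENROLLED = {"alice", "bob"}      # users with an entry in /etc/opiekeys
OPIEALWAYS = {"bob"}                  # users who have ~/.opiealways
OPIEACCESS = """\
permit 10.0.0.0 255.0.0.0
permit 192.168.1.0 255.255.255.0
"""                                   # /etc/opieaccess-style lines (constructed)


def trusted_networks(text):
    """Parse 'permit <net> <mask>' lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "permit":
            nets.append(ipaddress.ip_network((fields[1], fields[2])))
    return nets


TRUSTED = trusted_networks(OPIEACCESS)


def host_is_trusted(rhost):
    addr = ipaddress.ip_address(rhost)
    return any(addr in net for net in TRUSTED)


@dataclass
class Login:
    user: str
    rhost: Optional[str]        # None models a local (console) login
    otp_ok: bool = False        # would the user answer the OPIE challenge?
    password_ok: bool = False   # would the user pass pam_unix?


# --- stand-in modules (modelling assumptions, not the real modules) --------
def pam_opie(login):
    # Assumption: with no_fake_prompts a user without an OPIE entry fails.
    if login.user not in OPIE_ENROLLED:
        return AUTH_ERR
    return SUCCESS if login.otp_ok else AUTH_ERR


def pam_opieaccess(login):
    # Assumption: success for non-OPIE users, local logins (allow_local),
    # and trusted hosts unless ~/.opiealways is present.
    if login.user not in OPIE_ENROLLED or login.rhost is None:
        return SUCCESS
    if host_is_trusted(login.rhost) and login.user not in OPIEALWAYS:
        return SUCCESS
    return AUTH_ERR


def pam_unix(login):
    return SUCCESS if login.password_ok else AUTH_ERR


def dispatch(chain, login):
    """Walk the chain per pam.conf(5); return PAM_SUCCESS or the first error."""
    fail, err = False, SUCCESS
    for flag, module in chain:
        r = module(login)
        if r == SUCCESS:
            # a sufficient/binding success ends the chain if nothing failed yet
            if flag in ("sufficient", "binding") and not fail:
                break
            continue
        if err == SUCCESS:
            err = r                 # remember the first error code
        if flag == "requisite":
            return err              # fatal: stop the chain at once
        if flag in ("required", "binding"):
            fail = True             # fatal, but the rest of the chain still runs
        # a failing sufficient/optional module is not by itself fatal
    return err if fail else SUCCESS


# Assumption: the "edited for length" stanza ends with pam_unix as required.
DEFAULT_CHAIN = [("sufficient", pam_opie), ("requisite", pam_opieaccess), ("required", pam_unix)]
BINDING_CHAIN = [("binding", pam_opie), ("requisite", pam_opieaccess), ("required", pam_unix)]

SCENARIOS = {
    "alice OTP from trusted net": Login("alice", "10.1.2.3", otp_ok=True),
    "alice password from trusted net": Login("alice", "10.1.2.3", password_ok=True),
    "alice password from untrusted net": Login("alice", "203.0.113.5", password_ok=True),
    "bob (.opiealways) password from trusted net": Login("bob", "10.1.2.3", password_ok=True),
    "carol (no OPIE) password from trusted net": Login("carol", "192.168.1.9", password_ok=True),
    "carol (no OPIE) password from untrusted net": Login("carol", "203.0.113.5", password_ok=True),
}


def compare(name):
    """Return (default-chain result, binding-chain result) for a scenario."""
    login = SCENARIOS[name]
    return dispatch(DEFAULT_CHAIN, login), dispatch(BINDING_CHAIN, login)


if __name__ == "__main__":
    for name in SCENARIOS:
        default, binding = compare(name)
        print(f"{name:45} default={default:13} binding={binding}")
```

Under this model the default chain lets a user with no OPIE entry log in with a password from any host, which is the behaviour the original poster objects to, while `binding` refuses every login for which pam_opie does not succeed, including password logins by OPIE users from trusted hosts and all logins by non-OPIE users. Neither chain produces the two-case policy the poster describes, which is why the advice to read pam.conf(5) before changing flags matters: the flag decides whether a module failure is fatal, not just whether its success is enough.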