Date: Mon, 03 Nov 2003 10:20:00 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Sergey Sysoev <lists@avtf.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: opie bug or ..?
Message-ID: <3FA69C50.9000602@tenebras.com>
In-Reply-To: <16410385802.20031103113050@faeton1.ru>
References: <16410385802.20031103113050@faeton1.ru>
Forgive the top-post -- I have independently verified this, suggest you
open a PR. This is definitely a bug in opiepasswd. It is also present
in RELENG_4_8.

Regards,

Michael

Sergey Sysoev wrote:
> Hi. I have a question related to the FreeBSD opie implementation.
> I am running 4.9-RELEASE and I've tried to set up opie.
>
> *** 1 *** opiepasswd/opiekey
>
> I've added a user using `opiepasswd -c "ssa"`
>
> mx2# opiepasswd -c "ssa"
> Adding ssa:
> Only use this method from the console; NEVER from remote. If you are using
> telnet, xterm, or a dial-in, type ^C now or exit with no password.
> Then run opiepasswd without the -c parameter.
> Using MD5 to compute responses.
> Enter new secret pass phrase:
> Again new secret pass phrase:
>
> ID ssa OTP key is 499 mx1759
> WADE IFFY LAWN MEAD DANG BUB
> mx2#
>
> And now I want to change it
>
> mx2# opiepasswd "ssa"
> Updating ssa:
> You need the response from an OTP generator.
> New secret pass phrase:
> otp-md5 499 mx17
> Response:
>
> You see that the seed equals 'mx17'; using opiekey:
>
> mx2# opiekey 499 mx17
> Using the MD5 algorithm to compute response.
> Seeds must be greater than 5 characters long.
> mx2#
>
> So it is not possible to update the password in the /etc/opiekeys file; you
> have to edit it manually and then add the password again via 'opiepasswd'.
>
>
>
> *** 2 *** opiekey
>
> opiekey could not generate a response for sequence number zero when it is
> specified directly:
>
> mx2# opiekey -a 0 vo6199
> Using the MD5 algorithm to compute response.
> Sequence number 0 is not positive.
>
> but it works fine in the case of:
>
> mx2# opiekey -n5 1 vo6199
> Using the MD5 algorithm to compute response.
> Reminder: Don't use opiekey from telnet or dial-in sessions.
> Enter secret pass phrase:
> 0: OAK SEW CULT FALL AX WAND
> 1: BOUT AID SOOT BUT SIT BILK
> mx2#
>
> *** 3 *** pam_opie.so, the most interesting thing
>
> After a successful login with sequence number 0, trying to do it again
> (the sequence number has been decreased, right?)
>
> mx2# ssh ssa@192.168.90.250
> otp-md5 -1 (null) ext
> Password:
>
> It is impossible to calculate a response to '-1', so I try to use any
> password to skip pam_opie and log in with the next pam module. But here
> login hangs and there is _no_way_ to log in remotely because
> pam_opie.so is the top line of pam.conf
>
> After about a 1-2 minute timeout it just says "Connection closed by 192.168.90.250"
>
>
> *** 4 *** now just a question
>
> (In case of a fix) After sequence number 0 or 1 it should recount from the
> beginning, for example from 499, but I think that the seed should be
> automatically changed in that case for the next 500 iterations; otherwise
> these are not one-time passwords
>
>
>
> So... I think that is not good ... or am I mistaken?
>
> --
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata
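The following is an added illustration, not code from this thread or from the FreeBSD opie sources: a minimal model of the OPIE/S/Key hash chain that makes the four points in the report concrete. It assumes the MD5 variant as I understand it (MD5 of the lowercased seed plus the pass phrase, each 16-byte digest folded into 8 bytes by XORing its halves, and one more fold per sequence step), omits the 6-word dictionary encoding (responses are shown as hex), and takes a minimum seed length of 5 from the "Seeds must be greater than 5 characters long" message quoted above; all names, sample seeds and pass phrases are constructed for the example.

```python
import hashlib

# Assumption taken from the opiekey message in the report: seeds shorter
# than this are rejected. The real bound in opie.h is not quoted on this page.
SEED_MIN_LEN = 5


def fold_md5(data: bytes) -> bytes:
    """One chain step: MD5 the input, then XOR the two 8-byte halves."""
    d = hashlib.md5(data).digest()
    return bytes(d[i] ^ d[i + 8] for i in range(8))


def seed_is_acceptable(seed: str) -> bool:
    """Mirrors the check that rejected the truncated seed 'mx17'."""
    return len(seed) >= SEED_MIN_LEN and seed.isalnum()


def sequence_is_acceptable(n: int) -> bool:
    """Sequence 0 is a valid last password; -1 has nothing left to compute."""
    return n >= 0


def otp_response(passphrase: str, seed: str, n: int) -> bytes:
    """Response for sequence number n: the initial fold of seed+passphrase,
    hashed n further times. Response n hashed once equals response n+1."""
    if not seed_is_acceptable(seed):
        raise ValueError("Seeds must be at least %d characters long" % SEED_MIN_LEN)
    if not sequence_is_acceptable(n):
        raise ValueError("Sequence number %d is not positive" % n)
    h = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(n):
        h = fold_md5(h)
    return h


class OpieServerEntry:
    """What the verifier keeps per user (one line of /etc/opiekeys): the seed,
    the next sequence number to challenge with, and the hash of the response
    it expects, i.e. the response for seq+1. The pass phrase is never stored."""

    def __init__(self, passphrase: str, seed: str, seq: int = 499):
        self.seed = seed
        self.seq = seq
        self.stored = otp_response(passphrase, seed, seq + 1)

    def challenge(self):
        """Returns the challenge string, or None once the chain is exhausted
        (the state the report reached after logging in with sequence 0)."""
        if self.seq < 0:
            return None
        return "otp-md5 %d %s" % (self.seq, self.seed)

    def verify(self, response: bytes) -> bool:
        """Accept iff hashing the response once yields the stored value;
        on success the response becomes the new stored value and seq drops."""
        if self.seq < 0 or fold_md5(response) != self.stored:
            return False
        self.stored = response
        self.seq -= 1
        return True


def captured_response_replays(passphrase: str, old_seed: str,
                              new_seed: str, k: int) -> bool:
    """Point 4 of the report: a response observed at sequence k of the old
    chain is replayable against a re-initialised entry if the seed is reused,
    because the same pass phrase and seed regenerate the identical chain."""
    captured = otp_response(passphrase, old_seed, k)
    reinitialised = OpieServerEntry(passphrase, new_seed, seq=k)
    return reinitialised.verify(captured)


if __name__ == "__main__":
    entry = OpieServerEntry("constructed pass phrase", "mx1759", seq=1)
    for _ in range(3):
        ch = entry.challenge()
        if ch is None:
            print("chain exhausted; no further challenge possible")
            break
        print(ch)
        resp = otp_response("constructed pass phrase", "mx1759", entry.seq)
        print("  response %s accepted=%s" % (resp.hex(), entry.verify(resp)))
    print("same seed replays:", captured_response_replays("pw", "mx1759", "mx1759", 5))
    print("new seed replays: ", captured_response_replays("pw", "mx1759", "mx2001", 5))
```

Run stand-alone it walks sequence 1, then 0, then reports the chain as exhausted, and shows that re-initialising with the same seed lets an old response be replayed while a fresh seed does not; that is exactly why a re-seed, not just a sequence reset, is needed when the counter runs out.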