Date: Wed, 10 Jul 2002 21:32:37 +0400
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
Cc: Dag-Erling Smorgrav <des@ofug.org>, current@FreeBSD.ORG
Subject: Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))
Message-ID: <20020710173236.GA32819@nagual.pp.ru>
In-Reply-To: <15660.25284.36769.583960@horsey.gshapiro.net>
References: <20020709232559.GA23499@nagual.pp.ru> <xzpd6tvj3h3.fsf@flood.ping.uio.no> <20020710115021.GA28478@nagual.pp.ru> <xzpznwzg4k0.fsf@flood.ping.uio.no> <20020710122357.GA29452@nagual.pp.ru> <xzpptxvg2h8.fsf@flood.ping.uio.no> <20020710132801.GA30351@nagual.pp.ru> <xzp8z4jg0vs.fsf@flood.ping.uio.no> <20020710152358.GA31729@nagual.pp.ru> <15660.25284.36769.583960@horsey.gshapiro.net>
On Wed, Jul 10, 2002 at 09:37:24 -0700, Gregory Neil Shapiro wrote:
> The problem seems to be the addition of opieaccess to the PAM
> configuration.

Not to PAM, but more strictly, to PAMified sshd. Adding it to other PAMified programs works as expected.

> With that addition, in -CURRENT, unless a user creates
> /etc/opieaccess and adds explicit "permit" lines, plain text passwords will
> not be accepted if OPIE is in use at the site. If that file does not
> exist, plain text passwords are explicitly denied. This breaks POLA.

Yes.

> However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
> plain text passwords if the file does not exist (the normal case), then I
> believe people will be happy. Alternatively, we need to start distributing
> an /etc/opieaccess file that "permit"'s every connection by default.

No. F.e. I have a rule in /etc/opieaccess which allows local plaintext passwords and disallows them for remote access. This is the typical setup needed for most OPIE-aware programs. When pam_opie* is added to sshd PasswordAuthenticate auth (by default), I can't log in from remote, but still can from local.

So, back to your proposal:

1) If /etc/opieaccess does not exist, other OPIE-aware programs will be broken (not tuned well for the local/remote difference).

2) If /etc/opieaccess has "permit" lines for all, other OPIE-aware programs will be broken (not tuned well for the local/remote difference). BTW, changing the documented OPIE way of things is not good for security reasons.

3) If /etc/opieaccess has a correct "permit" line for local and not for remote, other OPIE-aware programs are happy, but sshd is broken (can't log in from remote but can from local).

So, your fix attempt really does not fix things; only removing OPIE from PasswordAuthenticate fixes them. OPIE does not work with PasswordAuthenticate in any case, as DES himself confirms and as I have said from the very beginning.

-- 
Andrey A. Chernov
http://ache.pp.ru/
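As an added illustration (not code from this thread, and not libopie's accessfile.c), a small Python model of /etc/opieaccess evaluation for the three configurations Andrey enumerates. It assumes the permit/deny address-netmask line format of opieaccess(5), first-match semantics, and deny both when the file is absent and when no line matches, as the mail describes; the rule files and client addresses are constructed samples.

```python
import ipaddress

# Constructed sample: the "local only" shape Andrey runs, which keeps other
# OPIE-aware programs happy but locks remote sshd password logins out.
LOCAL_ONLY_RULES = """\
# plaintext passwords only from the local host and the local LAN
permit 127.0.0.1 255.255.255.255
permit 192.168.1.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
"""

# Constructed sample: Greg's "permit every connection by default" proposal.
PERMIT_ALL_RULES = "permit 0.0.0.0 0.0.0.0\n"


def parse_rules(text):
    """Parse opieaccess-style lines into (permit?, IPv4Network) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {line!r}")
        action, addr, mask = parts
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        rules.append((action == "permit", net))
    return rules


def plaintext_allowed(rules, client_ip):
    """First matching rule decides. rules=None models a missing file;
    both that and a no-match fall through to deny (assumed default)."""
    if rules is None:
        return False
    ip = ipaddress.IPv4Address(client_ip)
    for permit, net in rules:
        if ip in net:
            return permit
    return False


def scenarios(client_ip):
    """Outcome of the three cases from the mail for one client address."""
    return {
        "no_file": plaintext_allowed(None, client_ip),
        "permit_all": plaintext_allowed(parse_rules(PERMIT_ALL_RULES), client_ip),
        "local_only": plaintext_allowed(parse_rules(LOCAL_ONLY_RULES), client_ip),
    }
```

Running `scenarios("203.0.113.5")` against `scenarios("127.0.0.1")` shows why neither a missing file nor a permit-all file reproduces the local/remote split the existing setup depends on.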