Date: Wed, 09 Mar 2011 14:51:50 +0000
From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: freebsd-security@freebsd.org
Subject: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <1299682310.17149.24.camel@w500.local>
Hi,

This is about pam_opieaccess. Because there's no project page for OPIE outside FreeBSD and because I found other complaints on pam_opieaccess on this list (http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0118.html), I'm posting this here, I hope it's OK.

For a few years now, I have used this policy for SSH logins, at home and at work:

- users can log in with passwords if they are on a trusted (read: local) network
- users can always log in with public key authentication from anywhere
- users can only log in from outside trusted networks if they use either public key authentication or OPIE.

This is almost easy. Each user enables OPIE, and an /etc/opieaccess file allows password logins from trusted networks, with something like:

permit 10.0.0.0 255.0.0.0

However, one thing about pam_opieaccess makes having this policy troublesome. pam_opieaccess(5) says that it returns PAM_SUCCESS in two cases:

1. The user does not have OPIE enabled.
2. The user has OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.

Now, things work according to the SPEC, that's good, but point 1 above is troublesome for my policy. Users are an open set: every now and then a new one is created. Because every user must be explicitly mentioned in /etc/opiekeys, it's error prone for my policy. If I create a user and forget to add him to /etc/opiekeys I have a breach in my policy. If additionally he chooses a weak or a strong but compromised password, I have a security breach. I think the way pam_opieaccess behaves is like "leave a security breach by default".

I think it would be more useful if it returned PAM_SUCCESS when:

1. The user does not have OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess.
2. The user has OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.

Or at least this should be an option for pam_opieaccess.

I understand opieaccess is a transition mechanism (transition to a time where everyone uses OPIE, yeah right), and it is meant so that users who can't use OPIE don't stop those that can from using it. However, I think a greater incentive for using OPIE (with my policy) is "do you want to connect from the Internet like I do? You must use OPIE for that."

Now, I'm a programmer, not so much an admin. I'm perfectly capable of making a new pam_opieaccess module that does what I said or a simpler module which just returns PAM_SUCCESS for trusted networks (that's all that matters to my policy). The point is, wouldn't the other behaviour be better for pam_opieaccess? Also, why don't people bump on this more often? Is my policy inadvisable?

-- 
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
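The decision logic the message contrasts, as an added illustration that is not part of the original post and not FreeBSD's pam_opieaccess source: a small Python model that parses /etc/opieaccess-style `permit`/`deny` lines (first matching line wins; a host matching no line is assumed untrusted), then evaluates both the documented behaviour (PAM_SUCCESS when OPIE is not enabled, regardless of origin) and the poster's proposed behaviour (trusted network required in every case). The sample file contents and user records are constructed, and the failure code PAM_AUTH_ERR is an assumption about what the module returns when it does not succeed.

```python
import ipaddress

# Constructed sample /etc/opieaccess contents, in the form shown in the message.
SAMPLE_OPIEACCESS = """\
# trusted networks: password logins allowed from here
permit 10.0.0.0 255.0.0.0
deny 192.168.100.0 255.255.255.0
permit 192.168.0.0 255.255.0.0
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"   # assumed failure code of the module


def parse_opieaccess(text):
    """Return [(permit: bool, network)] in file order; comments and blanks ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in opieaccess line: {raw!r}")
        # ipaddress accepts dotted-quad netmasks; strict=False tolerates host bits
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        rules.append((action == "permit", net))
    return rules


def host_is_trusted(rules, remote_ip):
    """First matching rule decides; no match means untrusted (assumption)."""
    ip = ipaddress.ip_address(remote_ip)
    for permit, net in rules:
        if ip in net:
            return permit
    return False


def pam_opieaccess_current(opie_enabled, trusted, opiealways):
    """Behaviour as the message quotes pam_opieaccess(5)."""
    if not opie_enabled:
        return PAM_SUCCESS           # case 1: OPIE not enabled -> always succeeds
    if trusted and not opiealways:
        return PAM_SUCCESS           # case 2: trusted host, no ~/.opiealways
    return PAM_AUTH_ERR


def pam_opieaccess_proposed(opie_enabled, trusted, opiealways):
    """Behaviour the poster proposes: a trusted host is required in every case."""
    if not trusted:
        return PAM_AUTH_ERR
    if not opie_enabled:
        return PAM_SUCCESS           # proposed case 1
    if not opiealways:
        return PAM_SUCCESS           # proposed case 2
    return PAM_AUTH_ERR


def audit(rules, users, remote_ip):
    """Compare both behaviours for each user; flags where they disagree.

    users: {name: (opie_enabled, has_opiealways)}  (constructed records)
    """
    trusted = host_is_trusted(rules, remote_ip)
    report = {}
    for name, (opie_enabled, opiealways) in users.items():
        cur = pam_opieaccess_current(opie_enabled, trusted, opiealways)
        prop = pam_opieaccess_proposed(opie_enabled, trusted, opiealways)
        report[name] = {"trusted": trusted, "current": cur, "proposed": prop,
                        "gap": cur == PAM_SUCCESS and prop == PAM_AUTH_ERR}
    return report


if __name__ == "__main__":
    rules = parse_opieaccess(SAMPLE_OPIEACCESS)
    # 'newuser' was created but never added to /etc/opiekeys (no OPIE).
    users = {"alice": (True, False), "bob": (True, True), "newuser": (False, False)}
    for ip in ("10.1.2.3", "203.0.113.7"):
        for name, row in audit(rules, users, ip).items():
            flag = "  <- password login allowed from untrusted host" if row["gap"] else ""
            print(f"{ip:>12} {name:<8} current={row['current']:<12} "
                  f"proposed={row['proposed']}{flag}")
```

Running the module prints one row per user and origin; the only row flagged is `newuser` from the untrusted address, which is exactly the gap the message describes: the account that was never added to /etc/opiekeys passes pam_opieaccess from anywhere under the documented semantics, while the proposed semantics reject it.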