Date: Thu, 10 Mar 2011 02:23:29 -0500 From: "J. Hellenthal" <jhell@DataIX.net> To: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name> Cc: FreeBSD Security <freebsd-security@freebsd.org> Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks Message-ID: <alpine.BSF.2.00.1103100147350.1891@qvfongpu.qngnvk.ybpny> In-Reply-To: <1299682310.17149.24.camel@w500.local> References: <1299682310.17149.24.camel@w500.local>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, 9 Mar 2011 09:51, mbox@ wrote: > > I think the way pam_opieaccess behaves is like "leave a security breach > by default". I think it would be more usefull if it returned PAM_SUCCESS > when: > > 1. The user does not have OPIE enabled and the remote host is listed as > a trusted host in /etc/opieaccess. > 2. The user has OPIE enabled and the remote host is listed as a trusted > host in /etc/opieaccess, and the user does not have a file > named .opiealways in his home directory. > > Or at least this should be an option for pam_opieaccess. > Does changing the following in /etc/pam.d/sshd help ? # auth (edited for length) -auth sufficient pam_opie.so no_warn no_fake_prompts +auth binding pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local There might be some other combinations that would change this behavior for you but you will have to consult with pam.conf(5) as this is a pretty big beast to sum up here. Tweaking PAM in some situations could lead you to undesired results. Putting something into place of a script that runs out of /etc/profile or /etc/shrc or whatever that greps the contents of /etc/opiekeys and prompts the user to run the correct commands or runs them the first time might just be a better long-term solution to enforcing they use OPIE. /etc/profile grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c ... Anyway I'm sure some other shell-masters@ will chime in at some point and possibly share what they have done in the past/present/future and offer up some real good insight on this. VPN access to the box(s) could be another solution where everyone is local and you don't need OPIE at all. \o/ -- Regards, J. Hellenthal (0x89D8547E) JJH48-ARIN
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1103100147350.1891>