Date: 21 Jan 2002 18:01:45 +0100 From: Dag-Erling Smorgrav <des@ofug.org> To: "Andrey A. Chernov" <ache@nagual.pp.ru> Cc: mark@grondar.za, current@FreeBSD.ORG Subject: Re: Step6, corresponding /etc/pam.d/* fixes for review Message-ID: <xzplmervds6.fsf@flood.ping.uio.no> In-Reply-To: <20020121162726.GH37234@nagual.pp.ru> References: <20020121142038.GA36519@nagual.pp.ru> <xzpsn8zwwey.fsf@flood.ping.uio.no> <20020121154244.GC37234@nagual.pp.ru> <xzpbsfnwvfz.fsf@flood.ping.uio.no> <20020121161534.GE37234@nagual.pp.ru> <xzpu1tfvfib.fsf@flood.ping.uio.no> <20020121162726.GH37234@nagual.pp.ru>
"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
> > - enable OPIE by default, with the no_fake_prompts option, leaving it
> > up to the admin to enable fake prompts if he so wishes
> I vote for this one.
I agree, for the reasons stated previously. Mark?
> > Please, I'm getting paid to do this :) Make yourself a cup of tea or
> > something and put your feet up on the desk for a couple of minutes.
> Ok, ok.
Here are the patches. Comments:
1) in pam_get_pass(), if the current token is non-null but empty,
ignore it. This allows a user to just press enter at an OPIE
prompt and still get a Unix prompt.
2) in pam_opie(8), clear the previous token before generating a
challenge, and ignore use_first_pass or try_first_pass instead of
returning PAM_AUTH_ERR if they are set.
3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was
specified and the user hasn't set up OPIE.
4) in pam.d(5), enable OPIE by default (with the no_fake_prompts
option) in all policies, and use pam_opieaccess(8) to enforce
opieaccess and opiealways checks.
DES
--
Dag-Erling Smorgrav - des@ofug.org
Content-Type: text/x-patch
Content-Disposition: attachment; filename=libpam.diff
Index: libpam/pam_get_pass.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/libpam/pam_get_pass.c,v
retrieving revision 1.3
diff -u -r1.3 pam_get_pass.c
--- libpam/pam_get_pass.c 30 Sep 2001 22:10:58 -0000 1.3
+++ libpam/pam_get_pass.c 21 Jan 2002 16:40:40 -0000
@@ -1,6 +1,13 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software was developed for the FreeBSD Project by
+ * ThinkSec AS and NAI Labs, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
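Review bot: grammar in the added copyright block: "Portions of this software was developed" should read "were developed", which is also the wording the corresponding header in pam_opie.c (further down in this patch) already uses.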
@@ -10,6 +17,9 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -78,6 +88,8 @@
retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
if (retval != PAM_SUCCESS)
return retval;
+ if (item != NULL && *(const char *)item == '\0')
+ item = NULL;
}
if (item == NULL) {
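Review bot: folding an empty stored token into the `item == NULL` path changes behaviour for more than the OPIE case: any module that calls pam_get_pass() with use_first_pass, where an absent token is an error rather than a prompt, will now also treat an empty first password as absent, and an account with an empty password (the su policy passes `nullok` to pam_unix) can no longer be authenticated from a stored empty token. If that is acceptable, say so in a comment above the new check; otherwise restrict the substitution to the try_first_pass case.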
Index: modules/pam_opie/pam_opie.8
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v
retrieving revision 1.5
diff -u -r1.5 pam_opie.8
--- modules/pam_opie/pam_opie.8 21 Jan 2002 13:43:52 -0000 1.5
+++ modules/pam_opie/pam_opie.8 21 Jan 2002 17:00:51 -0000
@@ -8,7 +8,6 @@
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
-.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -94,7 +93,21 @@
where the user's ability to retype
their own password
might be deemed sufficient.
+.It Cm no_fake_prompts
+Do not generate fake challenges for users who do not have an OPIE key.
+Note that this can leak information to a hypothetical attacker about
+who uses OPIE and who doesn't, but it can be useful on systems where
+some users want to use OPIE but most don't.
.El
+.Pp
+Note that
+.Nm
+ignores the standard options
+.Cm try_first_pass
+and
+.Cm use_first_pass ,
+since a challenge must be generated before the user can submit a valid
+response.
.Sh FILES
.Bl -tag -width ".Pa /etc/opiekeys" -compact
.It Pa /etc/opiekeys
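Review bot: the `.It Cm no_fake_prompts` entry should state the consequence for stacking: with this option the module fails (returns PAM_AUTH_ERR) for a user who has no OPIE key, so it only works as intended when pam_opie.so is listed as `sufficient` with a fallback module behind it, which is how the pam.d policies in this patch use it. It would also help to spell out what is leaked, namely which accounts have an OPIE key and which still accept a reusable password, rather than "information to a hypothetical attacker".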
Index: modules/pam_opie/pam_opie.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v
retrieving revision 1.15
diff -u -r1.15 pam_opie.c
--- modules/pam_opie/pam_opie.c 20 Jan 2002 20:56:47 -0000 1.15
+++ modules/pam_opie/pam_opie.c 21 Jan 2002 16:34:09 -0000
@@ -4,6 +4,8 @@
* Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001 Networks Associates Technologies, Inc.
* All rights reserved.
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
@@ -53,10 +55,14 @@
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
-enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
+enum {
+ PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
+ PAM_OPT_NO_FAKE_PROMPTS
+};
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
+ { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS },
{ NULL, 0 }
};
@@ -78,15 +84,6 @@
PAM_LOG("Options processed");
- /*
- * It doesn't make sense to use a password that has already been
- * typed in, since we haven't presented the challenge to the user
- * yet.
- */
- if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
- pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
- PAM_RETURN(PAM_AUTH_ERR);
-
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
if ((pwd = getpwnam(getlogin())) == NULL)
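Review bot: with this check gone, a policy that passes try_first_pass or use_first_pass to pam_opie.so is accepted silently; since the pam_opie.8 hunk documents that both options are ignored, a PAM_LOG line when either is set (the macro is already used a few lines above) would make a misconfigured policy visible in debug output instead of just behaving differently from what the administrator wrote.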
@@ -102,11 +99,28 @@
PAM_LOG("Got user: %s", user);
/*
+ * If the no_fake_prompts option was given, and the user
+ * doesn't have an OPIE key, just fail rather than present the
+ * user with a bogus OPIE challenge.
+ */
+ /* XXX generates a const warning because of incorrect prototype */
+ if (pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
+ if (opielookup(&opie, user) != 0)
+ PAM_RETURN(PAM_AUTH_ERR);
+
+ /*
* Don't call the OPIE atexit() handler when our program exits,
* since the module has been unloaded and we will SEGV.
*/
opiedisableaeh();
+ /*
+ * It doesn't make sense to use a password that has already been
+ * typed in, since we haven't presented the challenge to the user
+ * yet, so clear the stored password.
+ */
+ pam_set_item(pamh, PAM_AUTHTOK, NULL);
+
opiechallenge(&opie, (char *)user, challenge);
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
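Review bot: the no_fake_prompts check treats every non-zero opielookup() return as "no key", so a read error on the key database is indistinguishable from an account that has never set up OPIE; logging the return value with PAM_LOG before PAM_RETURN(PAM_AUTH_ERR) would keep that difference visible. The "XXX const warning" can be silenced the same way the opiechallenge() call below already does, i.e. `opielookup(&opie, (char *)user)`, and the new `pam_set_item(pamh, PAM_AUTHTOK, NULL)` discards its return value where the rest of the module checks PAM calls.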
Content-Type: text/x-patch
Content-Disposition: attachment; filename=pam_d.diff
Index: csshd
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/csshd,v
retrieving revision 1.2
diff -u -r1.2 csshd
--- csshd 5 Dec 2001 21:26:00 -0000 1.2
+++ csshd 21 Jan 2002 16:41:57 -0000
@@ -5,4 +5,5 @@
#
# auth
-auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
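Review bot: after this change the csshd chain consists only of the two OPIE modules. For a user without an OPIE key, pam_opie.so with no_fake_prompts fails, that failure is ignored because the entry is `sufficient`, and pam_opieaccess.so has to pass users who have no key for the fallback in the other policies to work; nothing in this chain then checks a credential for that user. Please confirm what the stack returns in that case and that sshd's own handling of the challenge-response path is what keeps such a user out, or add the pam_unix line the other policies have.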
Index: ftp
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/ftp,v
retrieving revision 1.2
diff -u -r1.2 ftp
--- ftp 5 Dec 2001 21:26:00 -0000 1.2
+++ ftp 21 Jan 2002 16:41:57 -0000
@@ -8,7 +8,8 @@
auth required pam_nologin.so no_warn
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass
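Review bot: the order of the three lines carries the whole design and deserves a comment in the policy: because pam_opie.so is `sufficient`, a correct OPIE response ends the chain and pam_opieaccess.so is never consulted; pam_opieaccess.so only runs when the OPIE step did not succeed, and as `requisite` it is what decides whether the user may fall through to the pam_unix password. An administrator who reorders these lines or changes `requisite` to `required` silently loses the opiealways/opieaccess enforcement, so a line such as `# pam_opieaccess must follow pam_opie and precede the password fallback` would prevent that.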
Index: ftpd
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/ftpd,v
retrieving revision 1.12
diff -u -r1.12 ftpd
--- ftpd 19 Jan 2002 18:29:49 -0000 1.12
+++ ftpd 21 Jan 2002 16:41:57 -0000
@@ -9,10 +9,9 @@
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn try_first_pass
-# Uncomment either pam_opie or pam_unix, but not both of them.
-# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
-auth required pam_opie.so no_warn
-#auth required pam_unix.so no_warn try_first_pass
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
+auth required pam_unix.so no_warn try_first_pass
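Review bot: the removed comment says ftpd itself provides the fallback from OPIE to a Unix password and that the two modules could not simply be chained; now that both are in the chain, make sure the ftpd-side fallback is disabled (or compatible) so that a user is not prompted for a password by PAM and then again by ftpd, and that ftpd does not accept a Unix password on its own for a user whom pam_opieaccess.so would have refused.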
# account
#account required pam_kerberosIV.so
Index: imap
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/imap,v
retrieving revision 1.2
diff -u -r1.2 imap
--- imap 5 Dec 2001 21:26:00 -0000 1.2
+++ imap 21 Jan 2002 16:41:57 -0000
@@ -6,6 +6,7 @@
# auth
#auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn no_fake_prompts
+#auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
Index: kde
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/kde,v
retrieving revision 1.2
diff -u -r1.2 kde
--- kde 5 Dec 2001 21:26:00 -0000 1.2
+++ kde 21 Jan 2002 16:41:57 -0000
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth sufficient pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_ssh.so no_warn try_first_pass
Index: login
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/login,v
retrieving revision 1.5
diff -u -r1.5 login
--- login 19 Jan 2002 18:29:49 -0000 1.5
+++ login 21 Jan 2002 16:41:57 -0000
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth sufficient pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth sufficient pam_kerberosIV.so no_warn try_first_pass
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth required pam_ssh.so no_warn try_first_pass
@@ -24,7 +25,6 @@
session required pam_unix.so
# password
-#password sufficient pam_opie.so no_warn
#password sufficient pam_kerberosIV.so no_warn try_first_pass
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
Index: other
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/other,v
retrieving revision 1.2
diff -u -r1.2 other
--- other 5 Dec 2001 21:26:00 -0000 1.2
+++ other 21 Jan 2002 16:41:57 -0000
@@ -6,7 +6,8 @@
# auth
auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
auth required pam_unix.so no_warn try_first_pass
# account
Index: pop3
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/pop3,v
retrieving revision 1.2
diff -u -r1.2 pop3
--- pop3 5 Dec 2001 21:26:00 -0000 1.2
+++ pop3 21 Jan 2002 16:41:57 -0000
@@ -6,6 +6,7 @@
# auth
#auth required pam_nologin.so no_warn
-#auth required pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn no_fake_prompts
+#auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
Index: su
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/su,v
retrieving revision 1.5
diff -u -r1.5 su
--- su 19 Jan 2002 18:29:49 -0000 1.5
+++ su 21 Jan 2002 16:41:57 -0000
@@ -9,33 +9,45 @@
auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
-#auth required pam_opie.so no_warn
+auth sufficient pam_opie.so no_warn no_fake_prompts
+auth requisite pam_opieaccess.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
-#auth sufficient pam_rootok.so no_warn
-##auth sufficient pam_kerberosIV.so no_warn
-##auth sufficient pam_krb5.so no_warn
-#auth required pam_opie.so no_warn auth_as_self
-#auth required pam_unix.so no_warn try_first_pass auth_as_self
# account
#account required pam_kerberosIV.so
#account required pam_krb5.so
account required pam_unix.so
-##account required pam_kerberosIV.so
-##account required pam_krb5.so
-#account required pam_unix.so
# session
#session required pam_kerberosIV.so
#session required pam_krb5.so
#session required pam_ssh.so
session required pam_unix.so
+
+# password
+password required pam_permit.so
+
+
+# If you want a "WHEELSU"-type su(1), then comment out the
+# above, and uncomment the entries below.
+## auth
+#auth sufficient pam_rootok.so no_warn
+##auth sufficient pam_kerberosIV.so no_warn
+##auth sufficient pam_krb5.so no_warn
+#auth required pam_opie.so no_warn auth_as_self no_fake_prompts
+#auth required pam_unix.so no_warn try_first_pass auth_as_self
+
+## account
+##account required pam_kerberosIV.so
+##account required pam_krb5.so
+#account required pam_unix.so
+
+## session
##session required pam_kerberosIV.so
##session required pam_krb5.so
##session required pam_ssh.so
#session required pam_unix.so
-# password
-password required pam_permit.so
+## password
#password required pam_permit.so
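Review bot: the WHEELSU template line `#auth required pam_opie.so no_warn auth_as_self no_fake_prompts` combines `required` with no_fake_prompts, which according to the pam_opie.c hunk makes the module return PAM_AUTH_ERR for every user who has no OPIE key; anyone enabling the template as written would lock such users out of su(1) even though pam_unix.so accepts their password. Either drop no_fake_prompts from that line or restructure it like the active stack above (`sufficient` pam_opie.so followed by `requisite` pam_opieaccess.so), which the template currently also lacks. Minor: the two consecutive blank lines before the "WHEELSU" comment can be reduced to one.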
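The stacking rules the new policies rely on, shown as an added example that is not part of this message and not libpam code: a small Python model of a PAM auth chain with simplified pam_opie, pam_opieaccess and pam_unix modules, run against the shape of the new login/ftp/su stack, the commented-out WHEELSU template in su, and the csshd stack. The users, the challenge text and the OTP strings are constructed; pam_opieaccess is reduced to "pass users without a key, otherwise require a permitted host and no opiealways"; the dispatcher applies the usual required/requisite/sufficient rules and returns success when no required or requisite module failed, which is a simplification of what a real libpam does. The four items in the message (empty token treated as absent, token cleared before the challenge, no_fake_prompts failing keyless users, pam_opieaccess gating the fallback) are each modelled.

```python
"""Toy model of a PAM auth chain (constructed example, not libpam code)."""
from dataclasses import dataclass
from typing import Optional

SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
CHALLENGE = "otp-md5 498 ex1234 ext: "   # illustrative challenge text


@dataclass
class User:
    name: str
    unix_pw: str
    opie_otp: Optional[str] = None   # None: user never set up an OPIE key
    opiealways: bool = False         # user demands OPIE for every login
    trusted_host: bool = True        # connection from a host permitted by opieaccess


class Ctx:
    """Per-authentication state: the user, the responses the user will type,
    the prompts actually shown, and the PAM_AUTHTOK item."""

    def __init__(self, user: User, typed):
        self.user = user
        self.typed = list(typed)
        self.prompts = []
        self.authtok: Optional[str] = None

    def prompt(self, text: str) -> str:
        self.prompts.append(text)
        return self.typed.pop(0) if self.typed else ""


def pam_opie(ctx: Ctx, opts) -> str:
    u = ctx.user
    if u.opie_otp is None and "no_fake_prompts" in opts:
        return AUTH_ERR                 # item 3: no key, fail without a bogus challenge
    ctx.authtok = None                  # item 2: an old token cannot answer a new challenge
    resp = ctx.prompt(CHALLENGE)
    ctx.authtok = resp                  # whatever was typed becomes PAM_AUTHTOK
    return SUCCESS if u.opie_otp is not None and resp == u.opie_otp else AUTH_ERR


def pam_opieaccess(ctx: Ctx, opts) -> str:
    u = ctx.user
    if u.opie_otp is None:
        return SUCCESS                  # nothing to enforce for users without a key
    return AUTH_ERR if (u.opiealways or not u.trusted_host) else SUCCESS


def pam_unix(ctx: Ctx, opts) -> str:
    tok = ctx.authtok if "try_first_pass" in opts else None
    if tok == "":
        tok = None                      # item 1: an empty stored token counts as absent
    if tok is None:
        tok = ctx.prompt("Password:")
        ctx.authtok = tok
    return SUCCESS if tok == ctx.user.unix_pw else AUTH_ERR


def run_chain(chain, ctx: Ctx) -> str:
    """Dispatch a chain of (control flag, module, option set) entries."""
    err, fail = None, False
    for flag, module, opts in chain:
        r = module(ctx, opts)
        if r == SUCCESS:
            if flag == "sufficient" and not fail:
                return SUCCESS          # short-circuit; later entries never run
            continue
        err = err or r
        if flag == "required" and not fail:
            fail, err = True, r         # remembered, but the chain continues
        if flag == "requisite":
            return r                    # immediate denial
    return err if fail else SUCCESS


def authenticate(chain, user: User, typed):
    """Run the chain for one login attempt; returns (status, prompts shown)."""
    ctx = Ctx(user, typed)
    return run_chain(chain, ctx), ctx.prompts


# Shapes of the policies in pam_d.diff (options reduced to what the model reads).
LOGIN_CHAIN = [("sufficient", pam_opie, {"no_warn", "no_fake_prompts"}),
               ("requisite", pam_opieaccess, {"no_warn"}),
               ("required", pam_unix, {"no_warn", "try_first_pass"})]
WHEELSU_CHAIN = [("required", pam_opie, {"no_warn", "auth_as_self", "no_fake_prompts"}),
                 ("required", pam_unix, {"no_warn", "try_first_pass", "auth_as_self"})]
CSSHD_CHAIN = LOGIN_CHAIN[:2]           # OPIE modules only, no pam_unix

# Constructed users.
ALICE = User("alice", "hunter2", opie_otp="BORN FIST SOFT BOOK ARID LUST")
BOB = User("bob", "letmein")
CAROL = User("carol", "s3cret", opie_otp="RAIL HOLD DIET ROAM FACT WORE", opiealways=True)

if __name__ == "__main__":
    for label, chain, user, typed in [
            ("login, alice answers the challenge", LOGIN_CHAIN, ALICE, [ALICE.opie_otp]),
            ("login, bob has no key", LOGIN_CHAIN, BOB, ["letmein"]),
            ("login, alice presses Enter then types her password", LOGIN_CHAIN, ALICE, ["", "hunter2"]),
            ("login, carol (opiealways) presses Enter", LOGIN_CHAIN, CAROL, ["", "s3cret"]),
            ("WHEELSU template, bob has no key", WHEELSU_CHAIN, BOB, ["letmein"]),
            ("csshd, bob has no key", CSSHD_CHAIN, BOB, [])]:
        print(f"{label}: {authenticate(chain, user, typed)}")
```

The third scenario is the one item 1 of the message enables: Enter at the OPIE prompt stores an empty token, pam_unix treats it as absent and prompts for a password. The fourth shows pam_opieaccess as `requisite` stopping the chain before pam_unix ever prompts. The last two reproduce the two review points on the policies: the WHEELSU template with `required` denies a keyless user whose Unix password was accepted, and the csshd chain grants a keyless user without showing a single prompt under these dispatch rules.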