From: Didier Wiroth
To: freebsd-security@freebsd.org
Date: Thu, 24 Jun 2004 09:05:37 +0200
Subject: RE: Opieaccess file, is this normal?
Message-id: <0HZS001C8X1DVY@mail.etat.lu>
In-reply-to: <20040622163407.GQ75424@techometer.net>

Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't change it.

auth      required    pam_nologin.so     no_warn
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      required    pam_unix.so        no_warn try_first_pass
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so        no_warn try_first_pass

I just want to point out that I want to keep "unix password authentication" for the users whose host or network are in opieaccess. "Unix password authentication" should be disabled for all users present in opiekeys and whose hosts or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Subject: Re: Opieaccess file, is this normal?

:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication.  Note that this affects the
             effectiveness of the PasswordAuthentication and PermitRootLogin
             variables.  The default is ``yes''.

Does your /etc/pam.conf disable password authentication?

Cheers - Erick
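
An added example, not part of either message: how the four auth lines quoted above would be evaluated by control flag once sshd hands a login to PAM. Module outcomes are modelled rather than produced by the real modules (pam_opieaccess is assumed to succeed when the user has no OPIE key or the host is listed in opieaccess); `.opiealways`, `allow_local` and local logins are left out, and `authenticate`, `module_result` and `make_login` are hypothetical names.

```python
# Added illustration: evaluates the "auth" lines quoted in the message by
# control flag. Module outcomes are modelled, not produced by real PAM modules.
AUTH_STACK = [
    ("required",   "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite",  "pam_opieaccess"),
    ("required",   "pam_unix"),
]

def module_result(module, login):
    """Modelled outcome (True = PAM_SUCCESS) for a constructed login dict."""
    if module == "pam_nologin":
        return True  # assumption: logins are not administratively disabled
    if module == "pam_opie":
        return login["in_opiekeys"] and login["otp_ok"]
    if module == "pam_opieaccess":
        # Succeeds when the user has no OPIE key or the host is in opieaccess.
        return not login["in_opiekeys"] or login["host_in_opieaccess"]
    if module == "pam_unix":
        return login["unix_password_ok"]
    raise ValueError(f"unknown module: {module}")

def authenticate(login, stack=AUTH_STACK):
    """Return (granted, modules_consulted) for one remote login attempt."""
    required_failed, consulted = False, []
    for control, module in stack:
        ok = module_result(module, login)
        consulted.append(module)
        if control == "sufficient" and ok and not required_failed:
            return True, consulted      # success ends the chain early
        if control == "requisite" and not ok:
            return False, consulted     # failure ends the chain at once
        if control == "required" and not ok:
            required_failed = True      # remembered, chain continues
    return not required_failed, consulted

def make_login(in_opiekeys, host_in_opieaccess, otp_ok=False, unix_password_ok=True):
    """Constructed sample input: the user knows the Unix password by default."""
    return dict(in_opiekeys=in_opiekeys, host_in_opieaccess=host_in_opieaccess,
                otp_ok=otp_ok, unix_password_ok=unix_password_ok)

if __name__ == "__main__":
    cases = {
        "OPIE user, host not in opieaccess": make_login(True, False),
        "OPIE user, host in opieaccess": make_login(True, True),
        "user without OPIE key": make_login(False, False),
        "OPIE user, valid one-time password":
            make_login(True, False, otp_ok=True, unix_password_ok=False),
    }
    for label, login in cases.items():
        print(label, "->", authenticate(login))
```

In this model pam_unix is never consulted for a user in opiekeys whose host is not in opieaccess, so a Unix password accepted in that case would point to a login path that does not go through these lines.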