Date: Sat, 19 Jan 2002 21:59:07 +0300
From: "Andrey A. Chernov"
To: Mark Murray
Cc: Dag-Erling Smorgrav, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: How OPIE works or explanations from google
Message-ID: <20020119185905.GD12683@nagual.pp.ru>
In-Reply-To: <200201191838.g0JIcct23386@grimreaper.grondar.org>

How unhacked non-PAM standalone OPIE works:

1) If an OPIE user exists, its remote host is checked against /etc/opieaccess
   via opieaccessfile().
2) If the remote host is found there, the user's home dir is checked for an
   opiealways file.
3) If there is no such file, it is assumed that the OPIE user MAY authenticate
   with a plaintext password in addition to the OPIE exchange.

In all other cases the OPIE user is not able to authenticate with a plaintext
(Unix) password.

How the hacked PAM OPIE has recently been working:

An OPIE user can ALWAYS authenticate with a plaintext (Unix) password.
This is a lowering of security. I fix this.

WHAT IS UNCLEAR?

-- 
Andrey A. Chernov
http://ache.pp.ru/
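
The three-step check described in the message above, as an added C example that is not part of the original mail or of the OPIE sources. The function names, the in-memory sample list, the `permit|deny address mask` line layout (after opieaccess(5)) and first-match-wins are assumptions made for illustration; the presence of the opiealways file is passed in as a flag.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed sample lines, assumed "permit|deny address mask" layout. */
static const char *SAMPLE_ACCESS[] = {
    "deny 192.0.2.66 255.255.255.255",
    "permit 192.0.2.0 255.255.255.0",
    NULL
};

/* Step 1: assumed first-match-wins; a host that matches no line is not listed. */
static int host_permitted(const char **lines, const char *remote)
{
    struct in_addr host, net, mask;
    char action[8], a[16], m[16];

    if (inet_pton(AF_INET, remote, &host) != 1)
        return 0;                          /* unparsable host: fail closed */
    for (; *lines != NULL; lines++) {
        if (sscanf(*lines, "%7s %15s %15s", action, a, m) != 3)
            continue;                      /* skip malformed lines */
        if (inet_pton(AF_INET, a, &net) != 1 || inet_pton(AF_INET, m, &mask) != 1)
            continue;
        if ((host.s_addr & mask.s_addr) == (net.s_addr & mask.s_addr))
            return strcmp(action, "permit") == 0;
    }
    return 0;
}

/* Steps 1-3 for an OPIE user: plaintext is accepted only when the host is
 * listed AND no opiealways file exists; every other case refuses it. */
static int opie_user_plaintext_allowed(const char **lines, const char *remote,
                                       int has_opiealways)
{
    if (!host_permitted(lines, remote))
        return 0;
    return !has_opiealways;
}

int main(void)
{
    static const char *hosts[] = { "192.0.2.10", "192.0.2.66", "198.51.100.7" };
    for (size_t i = 0; i < 3; i++)
        for (int always = 0; always <= 1; always++)
            printf("%-13s opiealways=%d -> plaintext %s\n", hosts[i], always,
                   opie_user_plaintext_allowed(SAMPLE_ACCESS, hosts[i], always)
                       ? "allowed" : "refused");
    return 0;
}
```

A PAM module that accepts the Unix password for an OPIE user without running this check behaves as if the function always returned 1, which is the weakening the message describes.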