Date:      Thu, 24 Jun 2004 09:05:37 +0200
From:      Didier Wiroth <didier.wiroth@mcesr.etat.lu>
To:        freebsd-security@freebsd.org
Subject:   RE: Opieaccess file, is this normal?
Message-ID:  <0HZS001C8X1DVY@mail.etat.lu>
In-Reply-To: <20040622163407.GQ75424@techometer.net>

Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't
change it.

auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so             no_warn try_first_pass

I just want to point out that I want to keep "unix password authentication"
for the users whose host or network is in opieaccess. "Unix password
authentication" should be disabled for all users present in opiekeys and
whose host or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Subject: Re: Opieaccess file, is this normal?

:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my
:: standard unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication.  Note that this affects the
             effectiveness of the PasswordAuthentication and PermitRootLogin
             variables.  The default is ``yes''.

Does your /etc/pam.conf disable password authentication?

Cheers - Erick
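
Added example (not part of the original thread, and not FreeBSD or OpenPAM code): a small model of the auth chain quoted above, showing which logins the sufficient/requisite/required ordering lets through when sshd authenticates via PAM. The module behaviour follows what the thread describes; the context keys, the CIDR form of the permit list and the sample addresses are constructed for illustration.

```python
# Constructed model of the quoted auth chain; module logic is an assumption
# taken from the thread's description, not from the real PAM modules.
import ipaddress

AUTH_CHAIN = [  # (control flag, module), in the order of the quoted file
    ("required", "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite", "pam_opieaccess"),
    ("required", "pam_unix"),
]

def module_result(module, ctx):
    """Return True if the modelled module succeeds for this login attempt."""
    if module == "pam_nologin":
        return not ctx.get("nologin", False)
    if module == "pam_opie":
        return ctx["in_opiekeys"] and ctx.get("otp_ok", False)
    if module == "pam_opieaccess":
        # Users without OPIE keys pass; OPIE users pass only from a network
        # permitted in opieaccess (an empty list models the default deny).
        if not ctx["in_opiekeys"]:
            return True
        addr = ipaddress.ip_address(ctx["rhost"])
        return any(addr in ipaddress.ip_network(net)
                   for net in ctx["opieaccess_permit"])
    if module == "pam_unix":
        return ctx.get("unix_password_ok", False)
    raise ValueError(module)

def authenticate(ctx):
    """Walk the chain using the pam.conf(5) control-flag rules."""
    failed = False
    for control, module in AUTH_CHAIN:
        ok = module_result(module, ctx)
        if ok and control == "sufficient" and not failed:
            return True       # chain broken: success
        if not ok and control == "requisite":
            return False      # chain broken: failure
        if not ok and control == "required":
            failed = True     # chain continues, final result is failure
        # a failed "sufficient" module is ignored and the chain continues
    return not failed
```

In this model an OPIE user from a host outside opieaccess is stopped at pam_opieaccess before pam_unix is consulted, so the unix password alone is not enough; the same user from a permitted network, or a user absent from opiekeys, still reaches pam_unix.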