From: Erick Mechler
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Date: Tue, 22 Jun 2004 09:34:07 -0700
Subject: Re: Opieaccess file, is this normal?
Message-ID: <20040622163407.GQ75424@techometer.net>
In-Reply-To: <0HZP00GS3W981A@mail.etat.lu>

:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication.  Note that this affects the
             effectiveness of the PasswordAuthentication and PermitRootLogin
             variables.  The default is ``yes''.

Does your /etc/pam.conf disable password authentication?

Cheers - Erick
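
Added example, not part of the original message: a sh/awk check for the question the reply asks, reporting the effective ChallengeResponseAuthentication value and whether the sshd auth stack reaches pam_unix without first passing pam_opieaccess. It assumes the one-file pam.conf layout (service type control module) and FreeBSD's pam_opie, pam_opieaccess and pam_unix module names, none of which appear in the message; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example; every file below is constructed sample data.

# Effective ChallengeResponseAuthentication. sshd keeps the first value it
# reads for a keyword; the manual excerpt above gives the default as "yes".
cra_enabled() {
    awk 'tolower($1) == "challengeresponseauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Classify the sshd auth entries of a pam.conf-style file
# (fields: service type control module [arguments]):
#   gated    a required/requisite pam_opieaccess entry precedes pam_unix
#   ungated  pam_unix is reached without passing pam_opieaccess
#   no-unix  there is no pam_unix auth entry for sshd
pam_password_path() {
    awk '$1 ~ /^#/ { next }
         $1 == "sshd" && $2 == "auth" {
             if ($4 ~ /pam_opieaccess/ && $3 ~ /^(required|requisite)$/) gate = 1
             if ($4 ~ /pam_unix/) { print (gate ? "gated" : "ungated"); found = 1; exit }
         }
         END { if (!found) print "no-unix" }' "$1"
}

tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT

printf '%s\n' '# constructed sshd_config, keyword left at its default' \
    'PermitRootLogin no' > "$tmp/sshd_config"

printf '%s\n' '# constructed: OPIE offered, unix password not gated' \
    'sshd auth sufficient pam_opie.so no_warn' \
    'sshd auth required pam_unix.so no_warn' > "$tmp/pam.ungated"

printf '%s\n' '# constructed: opieaccess consulted before the unix password' \
    'sshd auth sufficient pam_opie.so no_warn' \
    'sshd auth requisite pam_opieaccess.so no_warn' \
    'sshd auth required pam_unix.so no_warn' > "$tmp/pam.gated"

echo "ChallengeResponseAuthentication: $(cra_enabled "$tmp/sshd_config")"
for f in "$tmp/pam.ungated" "$tmp/pam.gated"; do
    echo "${f##*/}: $(pam_password_path "$f")"
done
```

The ordering test is a heuristic: it reads only simple control keywords and does not follow included policy files.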