From owner-freebsd-current  Sun Jan 20 16:26: 9 2002
Delivered-To: freebsd-current@freebsd.org
Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42])
	by hub.freebsd.org (Postfix) with ESMTP id 6D87D37B404
	for <current@FreeBSD.ORG>; Sun, 20 Jan 2002 16:26:06 -0800 (PST)
Received: (from ache@localhost)
	by nagual.pp.ru (8.11.6/8.11.6) id g0L0Q0U27952;
	Mon, 21 Jan 2002 03:26:01 +0300 (MSK)
	(envelope-from ache)
Date: Mon, 21 Jan 2002 03:25:58 +0300
From: "Andrey A. Chernov" <ache@nagual.pp.ru>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject: Re: Step5, pam_opie OPIE auth fix for review
Message-ID: <20020121002557.GB27831@nagual.pp.ru>
References: <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <xzpvgdw1sqp.fsf@flood.ping.uio.no> <20020121000446.GB27206@nagual.pp.ru> <xzpn0z81rrr.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <xzpn0z81rrr.fsf@flood.ping.uio.no>
User-Agent: Mutt/1.3.24i
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote:
> 
> That's what PAM is for.  If fixed (not necessary plaintext!) passwords
> are allowed, the admin will mark pam_opie as "sufficient" and place
> pam_unix below it; if they're not, he'll just remove pam_unix.

It not allows flexible configuration because it is not depends on remote 
host for example. I.e. for some host pam_unix can be chained, but for some 
another - not.

> The current system, BTW, leaves the policy in the hands of the user,
> as she can create or remove ~/.opie_always at will.  A security policy
> which is based on letting the user decide what is sufficient
> authentication and what is not is not a proper security policy.

No, by creating ~/.opiealways user can only _increase_ its own security 
level additionly to pre-setted by sysadmin for him, and can't _decrease_ 
it.

> Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
> from a "sufficient" module.  A "requisite" helper module, placed after
> pam_opie, which fails if ~/.opie_always exists would do the trick, if
> one really wanted this.

~/.opiealways checked only if opieaccess() found remote host in the 
/etc/opieaccess table.

Yes, this check can be done as separate PAM module, but why two modules in 
the same area instead of one?

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message