From owner-freebsd-current  Sun Jan 20 16:42: 5 2002
Delivered-To: freebsd-current@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id C06EE37B405
	for <current@FreeBSD.ORG>; Sun, 20 Jan 2002 16:42:01 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
	id 94334533B; Mon, 21 Jan 2002 01:42:00 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject: Re: Step5, pam_opie OPIE auth fix for review
References: <20020120220254.GA25886@nagual.pp.ru>
	<200201202314.g0KNEDt34526@grimreaper.grondar.org>
	<20020120233050.GA26913@nagual.pp.ru>
	<xzpvgdw1sqp.fsf@flood.ping.uio.no>
	<20020121000446.GB27206@nagual.pp.ru>
	<xzpn0z81rrr.fsf@flood.ping.uio.no>
	<20020121002557.GB27831@nagual.pp.ru>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 21 Jan 2002 01:42:00 +0100
In-Reply-To: <20020121002557.GB27831@nagual.pp.ru>
Message-ID: <xzpelkk1qnb.fsf@flood.ping.uio.no>
Lines: 35
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> On Mon, Jan 21, 2002 at 01:17:44 +0100, Dag-Erling Smorgrav wrote:
> > The current system, BTW, leaves the policy in the hands of the user,
> > as she can create or remove ~/.opie_always at will.  A security policy
> > which is based on letting the user decide what is sufficient
> > authentication and what is not is not a proper security policy.
> No, by creating ~/.opiealways user can only _increase_ its own security 
> level additionly to pre-setted by sysadmin for him, and can't _decrease_ 
> it.

The admin can't enforce "always OPIE" for a user, because the user can
always delete his ~/.opiealways.

> > Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
> > from a "sufficient" module.  A "requisite" helper module, placed after
> > pam_opie, which fails if ~/.opie_always exists would do the trick, if
> > one really wanted this.
> ~/.opiealways checked only if opieaccess() found remote host in the 
> /etc/opieaccess table.

Oh.  I misunderstood the role of /etc/opieaccess in this.  This only
strengthens my opinion that this check should be in a separate module.
How about I write a pam_opieaccess(8) module and you tell me what you
think of it?  It's really the cleanest solution from PAM's point of
view.

> Yes, this check can be done as separate PAM module, but why two modules in 
> the same area instead of one?

Because they're different mechanisms that check different things, and
their success or failure have different meanings.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message