Date: Thu, 24 Jun 2004 09:05:37 +0200
From: Didier Wiroth <didier.wiroth@mcesr.etat.lu>
To: freebsd-security@freebsd.org
Subject: RE: Opieaccess file, is this normal?
Message-ID: <0HZS001C8X1DVY@mail.etat.lu>
In-Reply-To: <20040622163407.GQ75424@techometer.net>
Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't change it.

auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass

I just want to point out that I want to keep "unix password authentication" for the users whose host or network are in opieaccess. "Unix password authentication" should be disabled for all users present in opiekeys and whose hosts or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Subject: Re: Opieaccess file, is this normal?

:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set to yes:

ChallengeResponseAuthentication
    Specifies whether challenge-response authentication is allowed.
    Specifically, in FreeBSD, this controls the use of PAM (see
    pam(3)) for authentication. Note that this affects the
    effectiveness of the PasswordAuthentication and PermitRootLogin
    variables. The default is ``yes''.

Does your /etc/pam.conf disable password authentication?

Cheers - Erick
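
The following is an added example, not part of either message: a small Python model of how the control flags in the auth chain quoted above combine for a remote ssh login that actually goes through PAM. The module outcomes are simplified assumptions based on the description in this thread (options such as allow_local and no_warn are not modelled, and "credential" stands for a correct credential of that type).

```python
# Constructed model of the auth chain quoted in the message above.
AUTH_STACK = [
    ("required",   "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite",  "pam_opieaccess"),
    ("required",   "pam_unix"),
]

def module_result(name, ctx):
    """Return True for success, False for failure (simplified, assumed)."""
    if name == "pam_nologin":
        return True                      # assume logins are not disabled
    if name == "pam_opie":
        return ctx["in_opiekeys"] and ctx["credential"] == "otp"
    if name == "pam_opieaccess":
        # Users without OPIE pass; OPIE users pass only from a listed host.
        return (not ctx["in_opiekeys"]) or ctx["host_in_opieaccess"]
    if name == "pam_unix":
        return ctx["credential"] == "unix"
    raise ValueError(name)

def authenticate(ctx, stack=AUTH_STACK):
    """Evaluate the control flags; return (granted, modules_consulted)."""
    failed, consulted = False, []
    for control, name in stack:
        ok = module_result(name, ctx)
        consulted.append(name)
        if control == "sufficient":
            if ok and not failed:
                return True, consulted   # short-circuit success
            continue                     # a failing sufficient module is ignored
        if not ok:
            failed = True
            if control == "requisite":
                return False, consulted  # short-circuit failure
    return not failed, consulted

def case(in_opiekeys, host_in_opieaccess, credential):
    return authenticate({"in_opiekeys": in_opiekeys,
                         "host_in_opieaccess": host_in_opieaccess,
                         "credential": credential})

if __name__ == "__main__":
    for args in [(True, False, "unix"), (True, True, "unix"),
                 (True, False, "otp"), (False, False, "unix")]:
        print(args, case(*args))
```

In this model an OPIE user coming from a host that is not in opieaccess never reaches pam_unix, so a Unix password login that still succeeds suggests this chain was not the one consulted.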