Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 24 Jun 2004 09:05:37 +0200
From:      Didier Wiroth <didier.wiroth@mcesr.etat.lu>
To:        freebsd-security@freebsd.org
Subject:   RE: Opieaccess file, is this normal?
Message-ID:  <0HZS001C8X1DVY@mail.etat.lu>
In-Reply-To: <20040622163407.GQ75424@techometer.net>
index | next in thread | previous in thread | raw e-mail 

Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't
change it.

auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn
try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so             no_warn
try_first_pass

Î just want to point out the I want to keep "unix password authentication"
for the users whose host or network are in opieaccess. "Unix password
authenication" should be disabled for all users present in opiekeys and
whose hosts or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security@freebsd.org
[mailto:owner-freebsd-security@freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Subject: Re: Opieaccess file, is this normal?

:: >From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network. 
:: 
:: As my opieaccess file is empty and the default rule (as mentionned in the
:: man file) is deny, I should not be able to get an ssh shell with my
standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication.  Note that this affects the effec-
             tiveness of the PasswordAuthentication and PermitRootLogin
vari-
             ables.  The default is ``yes''.

Does your /etc/pam.conf disble password authentication?

Cheers - Erick
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0HZS001C8X1DVY>