From: Brendan Bank <brendan@gnarst.net>
To: freebsd-security@freebsd.org
Date: Fri, 27 Jun 2003 16:48:41 +0200
Subject: Problems with the pam_opieaccess PAM module

Hi,

I've configured opie (one time passwords) under FreeBSD and I came across
the following problem. It looks like libpam does not stop the
authentication process when a 'requisite' module fails. I find this
strange, as the pam 'requisite' is defined in the man pages as:

    requisite - failure of such a PAM results in the immediate
    termination of the authentication process;

Here is what I did. I've set up opie for my account.

I've configured pam_opieaccess (/etc/opieaccess) to allow my home network
to use static passwords:

    permit 10.0.0.0 255.255.255.0

And in /etc/pam.conf I added:

    sshd    auth    required    pam_opie.so
    sshd    auth    requisite   pam_opieaccess.so
    sshd    auth    required    /usr/lib/pam_krb5.so.1    try_first_pass forwardable

The module pam_opieaccess is supposed to send a PAM_SUCCESS under the
following conditions:

    1. The user does not have OPIE enabled
    2. The user has OPIE enabled, and the remote host is listed as a
       trusted host in /etc/opieaccess, and the user does not have a file
       named opiealways in his home directory.

I read this as: if pam_opieaccess fails it returns PAM_AUTH_ERR and the
authentication process should stop. However, when I implement this, sshd
or the pam library does not take the PAM_AUTH_ERR and stop the
authentication process; it just continues with the pam_krb5 module.
(btw, I typed the wrong pw in the example below.)

    eunoc25:[~] % ssh banzai
    otp-md5 442 ba4387 ext
    Password:
    pam_opieaccess: pam_sm_authenticate: Refused; remote host is not in opieaccess
    Last login: Fri Jun 27 16:26:41 2003 from eunoc25
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.

    FreeBSD 4.8-STABLE (BANZAI) #0: Thu Jun  5 23:39:01 CEST 2003

The 'pam_opieaccess: pam_sm_authenticate: Refused; remote host is not in
opieaccess' indicates that the pam module failed. But it did let me log
in. (brrrr)

    src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
    ...
            PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
            return (PAM_AUTH_ERR);
    ...

I'm not sure if this is a bug, but the results may be very dangerous. It
looks like libpam does not stop the authentication process when a
'requisite' module fails.

I'm running 4.8-STABLE.

Regards,

- Brendan
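Added example (not part of the post, and not libpam's code): a small Python model of the control-flag semantics pam.conf(5) describes, applied to the sshd auth stack from the post. It shows what the 'requisite' entry for pam_opieaccess should cause, namely that the chain ends at once and pam_krb5 is never consulted, which is the behaviour the post reports as missing. Module names match the post; the result codes are symbolic strings rather than libpam's numeric constants.

```python
# Model of the textbook PAM control-flag semantics (required / requisite /
# sufficient / optional) for one 'auth' chain. Symbolic codes, not libpam's.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# The sshd auth stack from the post's /etc/pam.conf, as (control, module).
SSHD_AUTH = [
    ("required", "pam_opie.so"),
    ("requisite", "pam_opieaccess.so"),
    ("required", "pam_krb5.so"),
]


def run_auth_chain(stack, results):
    """Evaluate one auth chain the way pam.conf(5) describes the flags.

    `results` maps a module name to the code it would return. Returns
    (final_code, modules_actually_called) so the caller can see whether a
    later module was consulted after an earlier one failed.
    """
    called = []
    first_failure = None
    for control, module in stack:
        called.append(module)
        rc = results[module]
        if control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, called  # immediate termination of the chain
        elif control == "required":
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc  # remembered, but the rest still runs
        elif control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, called  # success ends the chain
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
        # optional: result ignored (simplification: never the only module)
    return (first_failure or PAM_SUCCESS), called


def remote_host_refused():
    """The situation in the post: wrong password, host not in /etc/opieaccess."""
    return run_auth_chain(SSHD_AUTH, {
        "pam_opie.so": PAM_AUTH_ERR,
        "pam_opieaccess.so": PAM_AUTH_ERR,  # "Refused; remote host is not in opieaccess"
        "pam_krb5.so": PAM_SUCCESS,         # would succeed, but must never be reached
    })


if __name__ == "__main__":
    print(remote_host_refused())  # ('PAM_AUTH_ERR', ['pam_opie.so', 'pam_opieaccess.so'])
```

With the stack in the post, a refusal from pam_opieaccess should leave pam_krb5 uncalled; a login that still succeeds means the 'requisite' termination did not happen.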