Date: Fri, 27 Jun 2003 16:48:41 +0200
From: Brendan Bank <brendan@gnarst.net>
To: freebsd-security@freebsd.org
Subject: Problems with the pam_opieaccess PAM module
Message-ID: <200306271448.h5REmfOc054525@banzai.gnarst.net>
Hi,

I've configured opie (one time passwords) under FreeBSD and I came across the following problem. It looks like libpam does not stop the authentication process when a 'requisite' module fails. I find this strange as the pam 'requisite' is defined in the man pages as:

    requisite - failure of such a PAM results in the immediate termination of
    the authentication process;

Here is what I did. I've set up opie for my account. I've configured pam_opieaccess (/etc/opieaccess) to allow my home network to use static passwords:

    permit 10.0.0.0 255.255.255.0

And in /etc/pam.conf I added:

    sshd auth required  pam_opie.so
    sshd auth requisite pam_opieaccess.so
    sshd auth required  /usr/lib/pam_krb5.so.1 try_first_pass forwardable

The module pam_opieaccess is supposed to send a PAM_SUCCESS under the following conditions:

<from the man page of pam_opieaccess>
1. The user does not have OPIE enabled
2. The user has OPIE enabled, and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named opiealways in his home directory.
</from the man page of pam_opieaccess>

I read this as: if pam_opieaccess fails it returns PAM_AUTH_ERR and the authentication process should stop. However, when I implement this, sshd or the pam library does not take the PAM_AUTH_ERR and stop the authentication process but just continues with the pam_krb5 module. (btw I typed the wrong pw in the example below).

    eunoc25:[~] % ssh banzai
    otp-md5 442 ba4387 ext
    Password:
    pam_opieaccess: pam_sm_authenticate: Refused; remote host is not in opieaccess
    Last login: Fri Jun 27 16:26:41 2003 from eunoc25
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.
    FreeBSD 4.8-STABLE (BANZAI) #0: Thu Jun  5 23:39:01 CEST 2003

The 'pam_opieaccess: pam_sm_authenticate: Refused; remote host is not in opieaccess' indicates that the pam module failed. But it did let me log in. (brrrr)

src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c

    ...
    PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
    return (PAM_AUTH_ERR);
    ...

I'm not sure if this is a bug but the results may be very dangerous. It looks like libpam does not stop the authentication process when a 'requisite' module fails.

I'm running 4.8-STABLE.

Regards,

- Brendan
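A small model of the control-flag semantics the post quotes, added here as an example (it is not code from the post, from libpam or from FreeBSD): it walks the three-entry sshd stack from the pam.conf above under the per-module results assumed in the comments, and also covers the trusted-host case the post does not show. The result-code values and the `post_stack` helper are the model's own.

```c
#include <string.h>
/* Names follow libpam; values are the model's own, not from pam_types.h. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 1 };
enum control { REQUIRED, REQUISITE, SUFFICIENT };
struct entry   { const char *module; enum control ctl; int result; };
struct outcome { int result; const char *decided_by; };

/* Walk an auth stack by the man-page rules: requisite failure terminates at
 * once, required failure is remembered but the walk continues, sufficient
 * success ends the walk unless a required module already failed. */
struct outcome run_auth_stack(const struct entry *stack, int n)
{
    struct outcome out = { PAM_SUCCESS, "none" };
    int already_failed = 0;
    for (int i = 0; i < n; i++) {
        const struct entry *e = &stack[i];
        int ok = (e->result == PAM_SUCCESS);
        if (e->ctl == REQUISITE && !ok) {
            out.result = e->result; out.decided_by = e->module;
            return out;                 /* immediate termination */
        }
        if (e->ctl == REQUIRED && !ok && !already_failed) {
            already_failed = 1;         /* remember it, keep walking */
            out.result = e->result; out.decided_by = e->module;
        }
        if (e->ctl == SUFFICIENT && ok && !already_failed) {
            out.decided_by = e->module;
            return out;                 /* success, stop here */
        }
    }
    return out;
}

/* The post's stack with results assumed for the session shown: a static
 * password at the otp-md5 prompt (pam_opie fails) and pam_krb5 accepting it
 * via try_first_pass; pam_opieaccess refuses unless the client is permitted. */
struct outcome post_stack(int client_in_opieaccess)
{
    const struct entry stack[] = {
        { "pam_opie.so",       REQUIRED,  PAM_AUTH_ERR },
        { "pam_opieaccess.so", REQUISITE, client_in_opieaccess ? PAM_SUCCESS : PAM_AUTH_ERR },
        { "pam_krb5.so.1",     REQUIRED,  PAM_SUCCESS  },
    };
    return run_auth_stack(stack, 3);
}
/* post_stack(0): PAM_AUTH_ERR decided by pam_opieaccess (requisite stops the
 * walk, pam_krb5 never runs). post_stack(1): still PAM_AUTH_ERR, decided by
 * pam_opie, which is 'required' and fails on a static password. */
```

Under these rules the session in the post should have been refused at pam_opieaccess, and even a permitted client could not log in with a static password while pam_opie stays 'required'.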