Date: Thu, 02 Oct 2003 12:25:41 -0700
From: "Eugene M. Kim" <ab@astralblue.net>
To: hackers@freebsd.org
Subject: pam_opieaccess.so and opiepasswd -d
Message-ID: <3F7C7BB5.9040402@astralblue.net>

Greetings,

pam_opieaccess.so is documented to allow cleartext password (by returning PAM_SUCCESS) when OPIE is disabled for the user. However, on both -current and 4-stable, pam_opieaccess.so checks whether OPIE is enabled only by checking the existence of the user's record from /etc/opiekeys.

Since a valid /etc/opiekeys record can also indicate that the OPIE access is disabled (i.e. one runs opiepasswd -d to set the value field to `****************'), I guess the module should check this as well. Currently this check is not performed, so when one has pam_opie.so plus pam_opieaccess.so combination, users with explicitly disabled OPIE record and a cleartext password won't be able to log in even when /etc/opieaccess allows cleartext password logins.

Is the current behavior an intended feature, or should it be fixed (the patch would be trivial)?

Eugene
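
An added example, not part of the original message and not the FreeBSD module's code: it contrasts the existence-only check described above with one that also treats an all-asterisk value field as a disabled record. The record layout (user, sequence number, seed, value, timestamp), the sample lines and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum opie_state { OPIE_NO_RECORD, OPIE_DISABLED, OPIE_ENABLED };

/* Constructed sample records; the field layout is an assumption:
 * user, sequence number, seed, value, then a timestamp. */
static const char *const sample_keys[] = {
    "alice 0498 ab1234 0123456789abcdef Oct 02,2003 12:00:00",
    "bob 0499 cd5678 **************** Oct 02,2003 12:05:00",
    NULL
};

/* Classify a user's record (hypothetical helper). */
static enum opie_state opie_state_for(const char *const *recs, const char *user)
{
    char name[64], seq[16], seed[32], value[64];
    for (; *recs != NULL; recs++) {
        /* Skip malformed lines and records that belong to other users. */
        if (sscanf(*recs, "%63s %15s %31s %63s", name, seq, seed, value) != 4 ||
            strcmp(name, user) != 0)
            continue;
        /* A value made up only of '*' marks a record disabled by opiepasswd -d. */
        if (strspn(value, "*") == strlen(value))
            return OPIE_DISABLED;
        return OPIE_ENABLED;
    }
    return OPIE_NO_RECORD;
}

/* Existence-only test, as the message describes the current behaviour. */
static int opie_required_existence_only(const char *const *recs, const char *user)
{
    return opie_state_for(recs, user) != OPIE_NO_RECORD;
}

/* Test that also honours an explicitly disabled record. */
static int opie_required_value_aware(const char *const *recs, const char *user)
{
    return opie_state_for(recs, user) == OPIE_ENABLED;
}

int main(void)
{
    const char *users[] = { "alice", "bob", "carol" };
    for (size_t i = 0; i < 3; i++)
        printf("%-5s existence-only=%d value-aware=%d\n", users[i],
               opie_required_existence_only(sample_keys, users[i]),
               opie_required_value_aware(sample_keys, users[i]));
    return 0;
}
```

The two checks disagree only for the constructed user bob, whose record exists but is disabled, which is the case the message reports.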