From: "Eugene M. Kim" <ab@astralblue.net>
To: hackers@freebsd.org
Date: Thu, 02 Oct 2003 12:25:41 -0700
Subject: pam_opieaccess.so and opiepasswd -d
Message-ID: <3F7C7BB5.9040402@astralblue.net>

Greetings,

pam_opieaccess.so is documented to allow a cleartext password (by returning PAM_SUCCESS) when OPIE is disabled for the user. However, on both -current and 4-stable, pam_opieaccess.so checks whether OPIE is enabled only by checking for the existence of the user's record in /etc/opiekeys. Since a valid /etc/opiekeys record can also indicate that OPIE access is disabled (i.e. one runs opiepasswd -d to set the value field to `****************'), I guess the module should check this as well.
Currently this check is not performed, so when one has the pam_opie.so plus pam_opieaccess.so combination, users with an explicitly disabled OPIE record and a cleartext password won't be able to log in even when /etc/opieaccess allows cleartext password logins. Is the current behavior an intended feature, or should it be fixed (the patch would be trivial)?

Eugene
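The distinction the message draws (no record at all versus a record whose key field has been replaced by `****************` via opiepasswd -d) can be shown with a small standalone parser. The following is an added example, not FreeBSD's pam_opieaccess.c or any OPIE library code; it assumes the opiekeys record layout "user seq seed key date time", that the disabled marker is exactly sixteen asterisks in the key field as the message states, and it operates on constructed sample records rather than a real /etc/opiekeys. It makes no attempt to consult /etc/opieaccess, which is the other half of the real module's decision.

```c
/* Added example (not FreeBSD's pam_opieaccess code): classify a user's OPIE
 * state from opiekeys-style records, distinguishing "no record", "enabled"
 * and "explicitly disabled" (key field of sixteen '*' as written by
 * opiepasswd -d, per the message above). Record layout assumed:
 *   user seq seed key date time
 */
#include <stdio.h>
#include <string.h>

enum opie_state { OPIE_ABSENT = 0, OPIE_ENABLED = 1, OPIE_DISABLED = 2 };

/* Assumed disabled marker, taken from the message above. */
#define OPIE_DISABLED_KEY "****************"

/* Parse one opiekeys line. Returns the state for `user`, or -1 if the line
 * is not that user's record (or is malformed). */
static int opie_state_from_line(const char *line, const char *user)
{
    char name[64], seed[64], key[64];
    unsigned seq;

    /* Field widths are bounded so a long line cannot overflow the buffers. */
    if (sscanf(line, "%63s %u %63s %63s", name, &seq, seed, key) != 4)
        return -1;
    if (strcmp(name, user) != 0)
        return -1;
    return strcmp(key, OPIE_DISABLED_KEY) == 0 ? OPIE_DISABLED : OPIE_ENABLED;
}

/* Scan newline-separated opiekeys-style text for `user`'s record. */
int opie_state_for_user(const char *keys_text, const char *user)
{
    const char *p = keys_text;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        int st;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        st = opie_state_from_line(line, user);
        if (st >= 0)
            return st;
        if (!nl)
            break;
        p = nl + 1;
    }
    return OPIE_ABSENT;
}

/* The decision the message argues pam_opieaccess should make: treat an
 * explicitly disabled record the same as a missing one, i.e. do not demand
 * an OPIE response. Whether /etc/opieaccess then permits cleartext is a
 * separate check not modelled here. */
int cleartext_allowed(const char *keys_text, const char *user)
{
    int st = opie_state_for_user(keys_text, user);
    return st == OPIE_ABSENT || st == OPIE_DISABLED;
}

/* Constructed sample records; not taken from any real system. */
static const char SAMPLE_KEYS[] =
    "alice 0498 al4711 1f2e3d4c5b6a7988 Oct 02,2003 12:00:00\n"
    "bob 0000 bo0000 **************** Oct 02,2003 12:01:00\n";

int main(void)
{
    const char *users[] = { "alice", "bob", "carol" };
    int i;

    for (i = 0; i < 3; i++)
        printf("%s: state=%d cleartext_allowed=%d\n", users[i],
               opie_state_for_user(SAMPLE_KEYS, users[i]),
               cleartext_allowed(SAMPLE_KEYS, users[i]));
    return 0;
}
```

Under these assumptions alice (a normal record) is OPIE_ENABLED and must not be let through on a cleartext password, bob (disabled via opiepasswd -d) is OPIE_DISABLED and is treated like carol, who has no record at all. A module that only tests for the presence of a record collapses bob into alice's case, which is exactly the lockout the message describes.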