From owner-freebsd-security@FreeBSD.ORG Thu Jun 24 07:38:01 2004
Date: Thu, 24 Jun 2004 09:37:39 +0200
From: Didier Wiroth
To: freebsd-security@freebsd.org
Message-id: <0HZS00158YISVY@mail.etat.lu>
Subject: FW: Opieaccess file, is this normal?

Hmm,

I thought using .opiealways would be the solution, see:
http://www.onlamp.com/pub/a/bsd/2003/02/20/FreeBSD_Basics.html
or
http://people.freebsd.org/~des/diary/2002.html

But I can still log in with the standard password even if the opieaccess file is empty.

-----Original Message-----
From: owner-freebsd-security@freebsd.org [mailto:owner-freebsd-security@freebsd.org] On Behalf Of Didier Wiroth
Sent: Thursday, June 24, 2004 09:06
To: freebsd-security@freebsd.org
Subject: RE: Opieaccess file, is this normal?

Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't change it.

auth      required    pam_nologin.so     no_warn
auth      sufficient  pam_opie.so        no_warn no_fake_prompts
auth      requisite   pam_opieaccess.so  no_warn allow_local
auth      required    pam_unix.so        no_warn try_first_pass
account   required    pam_unix.so
session   required    pam_permit.so
password  required    pam_unix.so        no_warn try_first_pass

I just want to point out that I want to keep "unix password authentication" for the users whose host or network are in opieaccess. "Unix password authentication" should be disabled for all users present in opiekeys and whose hosts or network is not present in opieaccess.
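
How the four auth lines quoted in the message above combine, as an added example that is not part of the original message or of FreeBSD's code: a small evaluator using the control-flag semantics documented for OpenPAM. The per-module results in each scenario are constructed assumptions for a user listed in opiekeys, not output from the real modules.

```python
# Added illustration: walk a PAM "auth" chain using the documented OpenPAM
# control-flag rules. No real PAM module is executed; results are inputs.

AUTH_CHAIN = [  # the auth lines from the message, options omitted
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_opie.so"),
    ("requisite",  "pam_opieaccess.so"),
    ("required",   "pam_unix.so"),
]

def evaluate(chain, results):
    """Return (granted, modules_run) given a dict of module -> bool result."""
    failed = False
    ran = []
    for flag, module in chain:
        ran.append(module)
        if results[module]:
            # A successful "sufficient" module ends the chain with success,
            # unless a required module already failed.
            if flag == "sufficient" and not failed:
                break
            continue
        if flag == "required":
            failed = True      # failure is remembered, chain keeps running
        elif flag == "requisite":
            failed = True      # failure stops the chain immediately
            break
        # a failing "sufficient" module is ignored
    return (not failed, ran)

# Constructed scenarios (assumed module results).
SCENARIOS = {
    "otp_response": {"pam_nologin.so": True, "pam_opie.so": True,
                     "pam_opieaccess.so": False, "pam_unix.so": False},
    "unix_password_host_not_trusted": {"pam_nologin.so": True, "pam_opie.so": False,
                                       "pam_opieaccess.so": False, "pam_unix.so": True},
    "unix_password_host_trusted": {"pam_nologin.so": True, "pam_opie.so": False,
                                   "pam_opieaccess.so": True, "pam_unix.so": True},
}

def outcomes():
    """Map each scenario name to the (granted, modules_run) pair."""
    return {name: evaluate(AUTH_CHAIN, res) for name, res in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (granted, ran) in outcomes().items():
        print(f"{name:32} granted={granted!s:5} ran={', '.join(ran)}")
```

If this chain is the one being consulted, a Unix password can only be accepted when pam_opieaccess.so returns success, so that module's result is the thing to check for the login described.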