From owner-freebsd-stable@FreeBSD.ORG Sun Nov 2 21:32:27 2003
Date: Mon, 3 Nov 2003 11:30:50 +0600
From: Sergey Sysoev
To: freebsd-stable@freebsd.org
cc: freebsd-questions@freebsd.org
Subject: opie bug or ..?
Message-ID: <16410385802.20031103113050@faeton1.ru>
List-Id: Production branch of FreeBSD source code

Hi.

I have a question related to the FreeBSD opie implementation. I am running 4.9-RELEASE and I've tried to set up opie.

*** 1 *** opiepasswd/opiekey

I've added a user using `opiepasswd -c "ssa"`:

mx2# opiepasswd -c "ssa"
Adding ssa:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:

ID ssa OTP key is 499 mx1759
WADE IFFY LAWN MEAD DANG BUB
mx2#

And now I want to change it:

mx2# opiepasswd "ssa"
Updating ssa:
You need the response from an OTP generator.
New secret pass phrase:
        otp-md5 499 mx17
        Response:

You see that the seed equals 'mx17'; using opiekey:

mx2# opiekey 499 mx17
Using the MD5 algorithm to compute response.
Seeds must be greater than 5 characters long.
mx2#

So it is not possible to update the password in the /etc/opiekey file; you have to edit it manually and then add the password again via 'opiepasswd'.

*** 2 *** opiekey

opiekey could not generate a response for sequence number zero when it is specified directly:

mx2# opiekey -a 0 vo6199
Using the MD5 algorithm to compute response.
Sequence number 0 is not positive.

but it works fine in the case of:

mx2# opiekey -n5 1 vo6199
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
0: OAK SEW CULT FALL AX WAND
1: BOUT AID SOOT BUT SIT BILK
mx2#

*** 3 *** pam_opie.so, the most interesting thing

After a successful login with sequence number 0, trying to do it again (the sequence number has been decreased, right?):

mx2# ssh ssa@192.168.90.250
otp-md5 -1 (null) ext
Password:

It is impossible to calculate a response to '-1', so I'm trying to use any password to skip pam_opie and log in with the next pam module. But here login hangs and there is _no_way_ to log in remotely, because pam_opie.so is the top line of pam.conf. After about a 1-2 minute timeout it just says "Connection closed by 192.168.90.250".

*** 4 *** now just a question (in case of a fix)

After sequence number 0 or 1 it should recount from the beginning, for example from 499, but I think that the seed should be automatically changed in that case for the next 500 iterations, otherwise these are not one-time passwords.

So... I think that is not good... or am I mistaken?

-- 
Best regards,
Sergey
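Added example, not part of the mail above and not FreeBSD's opie code: a small Python model of the otp-md5 hash chain that opiepasswd/opiekey compute (RFC 2289), together with the verifier-side check, to show what the reporter's items 2, 3 and 4 look like in the algorithm. Sequence 0 is the root of the chain, so "-1" has no response by construction, and reseeding with the same seed and pass phrase reproduces exactly the same passwords. Function and class names (fold_md5, otp_md5, OtpServer, demo) and the seed/pass phrase inputs are my own constructed choices; the six-word dictionary encoding opiekey prints is left out and responses are handled as raw 64-bit values.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two 8-byte halves to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(seed: str, passphrase: str, seq: int) -> bytes:
    """64-bit one-time password for sequence number `seq`.

    Sequence 0 is fold(MD5(seed || passphrase)); each higher sequence
    number is one more hash step.  The seed is case insensitive and is
    lowercased before hashing, as RFC 2289 specifies.
    """
    if seq < 0:
        # Item 3 of the mail: once sequence 0 has been spent there is no
        # earlier link in the chain, so "otp-md5 -1" cannot be answered.
        raise ValueError("sequence number %d is not in the chain" % seq)
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(seq):
        key = fold_md5(key)
    return key


class OtpServer:
    """Minimal verifier (hypothetical, for illustration): stores only the
    seed, the current sequence number and the last accepted response,
    never the pass phrase, which is the point of the scheme."""

    def __init__(self, seed: str, passphrase: str, start_seq: int = 499):
        # opiepasswd -c starts at 499 and prints that response; the server
        # keeps it as the reference value for the next login.
        self.seed = seed
        self.seq = start_seq
        self.last = otp_md5(seed, passphrase, start_seq)

    def challenge(self) -> str:
        # Same shape as the "otp-md5 499 mx1759" prompt in the mail.
        return "otp-md5 %d %s" % (self.seq - 1, self.seed)

    def exhausted(self) -> bool:
        return self.seq <= 0

    def verify(self, response: bytes) -> bool:
        """Accept `response` iff hashing it once yields the stored value,
        i.e. it is the next link down the chain.  A replayed response
        fails because the stored value has already moved on."""
        if self.exhausted():
            # Chain spent: refuse and require a new seed instead of
            # prompting for "-1" (the hang described in item 3).
            return False
        if fold_md5(response) != self.last:
            return False
        self.seq -= 1
        self.last = response
        return True


def demo(seed: str, passphrase: str, start_seq: int):
    """Walk the whole chain down to sequence 0, then try to replay it.

    Returns ([(seq, accepted), ...], replay_accepted)."""
    srv = OtpServer(seed, passphrase, start_seq)
    log = []
    while not srv.exhausted():
        n = srv.seq - 1  # the number the challenge asks for
        log.append((n, srv.verify(otp_md5(seed, passphrase, n))))
    # Sequence 0 was the last usable password; presenting it again must fail.
    return log, srv.verify(otp_md5(seed, passphrase, 0))


if __name__ == "__main__":
    pp = "constructed test pass phrase"  # constructed input, not real
    print(demo("mx1759", pp, 3))
    # Item 4 of the mail: same seed + same pass phrase -> same chain.
    print(otp_md5("mx1759", pp, 499) == otp_md5("mx1759", pp, 499))
    print(otp_md5("mx1759", pp, 499) == otp_md5("mx1760", pp, 499))
```

The chain direction is what matters for the report: the server can verify a response for sequence n only because it already holds the response for n+1, so after sequence 0 is consumed there is nothing left to check against and the only correct move is to refuse the login and reinitialise with a fresh seed. Reinitialising with the old seed, as the last paragraph of the mail worries, hands out the very same 500 values again. RFC 2289 publishes test vectors for otp-md5 that can be used to check an implementation like this one against real opiekey output.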