From: Jilles Tjoelker
To: Didier Wiroth
Cc: freebsd-security@freebsd.org
Date: Thu, 24 Jun 2004 15:57:48 +0200
Subject: Re: Opieaccess file, is this normal?
Message-ID: <20040624135747.GA12527@stack.nl>
In-Reply-To: <0HZP00GS3W981A@mail.etat.lu>
X-Operating-System: FreeBSD 5.2.1-RELEASE-p8 i386
User-Agent: Mutt/1.5.6i
On Tue, Jun 22, 2004 at 05:55:55PM +0200, Didier Wiroth wrote:
> I'm trying to setup one-time passwords on freebsd5.2.1
> From what I've read so far, if the user is present in opiekeys, the
> opieaccess file determines if the user (coming from a specific host or
> network) is allowed to use his unix password from this specific network.
> As my opieaccess file is empty and the default rule (as mentioned in the
> man file) is deny, I should not be able to get an ssh shell with my standard
> unix password.
> I've made a test on test machine running ssh (version sshd version
> OpenSSH_3.6.1p1 FreeBSD-20030924).
> The opiekey contains one user, me actually.
> The opieaccess file is empty so (by default) unix password should not be
> allowed when connecting through ssh.
> I enter a few times "enter" and sshd switches to the next authentication
> method "password".
> Now I can enter my standard password and I'm logged in, even if I should
> only be allowed to use the opie passwords.
> Why? Isn't this a bug?
>
> Here is the ssh -v output:
> [snip]
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/didier/.ssh/identity
> debug1: Trying private key: /home/didier/.ssh/id_rsa
> debug1: Trying private key: /home/didier/.ssh/id_dsa
> debug1: Next authentication method: keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> otp-md5 300 pw9999 ext
> Password [echo on]:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> otp-md5 300 pw9999 ext
> Password:
> debug1: Authentications that can continue: publickey,password,keyboard-interactive
> debug1: Next authentication method: password
> didier@localhost's password:
> debug1: Authentication succeeded (password).
> [snip]

Use PasswordAuthentication no in /etc/ssh/sshd_config.

The PasswordAuthentication doesn't obey many PAM restrictions.
ChallengeResponseAuthentication yes gives the "Password:" prompt and will
allow unix passwords if permitted.

For this reason, PasswordAuthentication no has become the default in
-CURRENT.

-- 
Jilles Tjoelker
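The advice above comes down to two sshd_config keywords: PasswordAuthentication (which bypasses the OPIE/PAM restriction) must be off, while ChallengeResponseAuthentication stays on so the PAM-driven "Password:" prompt still works. The following POSIX sh audit script is an added example, not code from the thread or from FreeBSD/OpenSSH; it resolves the effective value of each keyword the way sshd does (first uncommented occurrence wins, defaults "yes" for both) and reports whether a configuration is exposed to the problem Didier observed. The three sample configs it checks are constructed for the example; "Match" blocks and the "Keyword=value" spelling are not handled.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# PasswordAuthentication / ChallengeResponseAuthentication combination discussed
# above. sshd uses the FIRST value it finds for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".

# effective_value FILE KEYWORD DEFAULT
# Prints the first uncommented value of KEYWORD (case-insensitive), or DEFAULT
# when the keyword never appears (a commented-out line counts as absent).
effective_value() {
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, "") }                     # strip comments
        NF >= 2 && tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }
    ' "$1"
}

# audit_sshd_config FILE
# Prints "ok" when unix passwords can only arrive through the PAM-aware
# keyboard-interactive path (PasswordAuthentication no, challenge-response on),
# and "weak" when the plain password method is still reachable.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication yes)   # OpenSSH default: yes
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$pw" = "no" ] && [ "$cr" = "yes" ]; then
        echo ok
    else
        echo weak
    fi
}

# Constructed sample configurations (not taken from the thread).
tmp=$(mktemp -d)

# 1. Default-style file: the keyword is only present as a comment, so the
#    built-in default "yes" applies and the bypass described above exists.
cat > "$tmp/weak.conf" <<'EOF'
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
EOF

# 2. The fix from the reply.
cat > "$tmp/fixed.conf" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF

# 3. Looks fixed at a glance, but sshd honours the first value ("yes").
cat > "$tmp/misleading.conf" <<'EOF'
PasswordAuthentication yes    # first occurrence wins
PasswordAuthentication no
EOF

for f in weak fixed misleading; do
    printf '%s: %s\n' "$f" "$(audit_sshd_config "$tmp/$f.conf")"
done
```

Running it prints `weak`, `ok`, `weak` for the three files; the third case is the one worth remembering when an existing sshd_config is patched by appending lines rather than editing the original keyword.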