From: Miguel Lopes Santos Ramos
To: freebsd-security@freebsd.org
Date: Wed, 09 Mar 2011 14:51:50 +0000
Message-ID: <1299682310.17149.24.camel@w500.local>
Subject: It's not possible to allow non-OPIE logins only from trusted networks

Hi,

This is about pam_opieaccess. Because there's no project page for OPIE outside FreeBSD and because I found other complaints on pam_opieaccess on this list (http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0118.html), I'm posting this here, I hope it's OK.

For a few years now, I have used this policy for SSH logins, at home and at work:

- users can log in with passwords if they are on a trusted (read: local) network
- users can always log in with public key authentication from anywhere
- users can only log in from outside trusted networks if they use either public key authentication or OPIE.

This is almost easy. Each user enables OPIE, and an /etc/opieaccess file allows password logins from trusted networks, with something like:

permit 10.0.0.0 255.0.0.0

However, one thing about pam_opieaccess makes having this policy troublesome. pam_opieaccess(5) says that it returns PAM_SUCCESS in two cases:

1. The user does not have OPIE enabled.
2. The user has OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.

Now, things work according to the SPEC, that's good, but point 1 above is troublesome for my policy. Users are an open set: every now and then a new one is created. Because every user must be explicitly mentioned in /etc/opiekeys, it's error prone for my policy. If I create a user and forget to add him to /etc/opiekeys I have a breach in my policy.
If additionally he chooses a weak or a strong but compromised password, I have a security breach.

I think the way pam_opieaccess behaves is like "leave a security breach by default". I think it would be more useful if it returned PAM_SUCCESS when:

1. The user does not have OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess.
2. The user has OPIE enabled and the remote host is listed as a trusted host in /etc/opieaccess, and the user does not have a file named .opiealways in his home directory.

Or at least this should be an option for pam_opieaccess.

I understand opieaccess is a transition mechanism (transition to a time where everyone uses OPIE, yeah right), and it is meant so that users who can't use OPIE don't stop those that can from using it. However, I think a greater incentive for using OPIE (with my policy) is "do you want to connect from the Internet like I do? You must use OPIE for that."

Now, I'm a programmer, not so much an admin. I'm perfectly capable of making a new pam_opieaccess module that does what I said or a simpler module which just returns PAM_SUCCESS for trusted networks (that's all that matters to my policy). The point is, wouldn't the other behaviour be better for pam_opieaccess? Also, why don't people bump into this more often? Is my policy inadvisable?

-- 
Miguel Ramos
PGP A006A14C
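The two decision rules the message contrasts, the documented pam_opieaccess behaviour and the proposed variant, side by side on constructed data, plus the audit the gap calls for (accounts with no /etc/opiekeys entry). This is an added example and not FreeBSD's pam_opieaccess nor the poster's module. The /etc/opieaccess syntax ("permit|deny address netmask", first match wins) follows opieaccess(5); the /etc/opiekeys layout (user, sequence, seed, response, date, time) and all addresses and users below are constructed sample data.

```python
"""Documented vs. proposed pam_opieaccess decision logic (added example,
not FreeBSD code). File contents and hosts are constructed samples."""
import ipaddress

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed /etc/opieaccess: one trusted local network, everything else denied.
OPIEACCESS = """\
# password logins without OPIE are fine from the LAN only
permit 10.0.0.0 255.0.0.0
deny   0.0.0.0  0.0.0.0
"""

# Constructed /etc/opiekeys (layout assumed: user seq seed response date time).
# Only 'alice' has OPIE enabled; 'bob' was created later and never added.
OPIEKEYS = """\
alice 0499 wi01309 9bf8c1d7e2a30f45 Mar 09,2011 14:51:50
"""


def parse_opieaccess(text):
    """Return [(permit, IPv4Network)] in file order; the first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        rules.append((action == "permit",
                      ipaddress.IPv4Network((addr, mask), strict=False)))
    return rules


def host_trusted(rules, rhost):
    """opieaccess semantics: first matching rule decides; no match = not trusted."""
    ip = ipaddress.IPv4Address(rhost)
    for permit, net in rules:
        if ip in net:
            return permit
    return False


def opie_users(text):
    """Set of user names that have an /etc/opiekeys entry (OPIE enabled)."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


def pam_opieaccess_documented(user, rhost, rules, opie, opiealways=()):
    """Behaviour as the message quotes it: no OPIE entry -> PAM_SUCCESS, always."""
    if user not in opie:
        return PAM_SUCCESS
    if host_trusted(rules, rhost) and user not in opiealways:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


def pam_opieaccess_proposed(user, rhost, rules, opie, opiealways=()):
    """Proposed variant: a trusted remote host is required in both cases."""
    if not host_trusted(rules, rhost):
        return PAM_AUTH_ERR
    if user in opie and user in opiealways:
        return PAM_AUTH_ERR
    return PAM_SUCCESS


def users_without_opie(passwd_users, opie):
    """Audit: accounts that the documented behaviour lets in from anywhere."""
    return sorted(set(passwd_users) - set(opie))


if __name__ == "__main__":
    rules, opie = parse_opieaccess(OPIEACCESS), opie_users(OPIEKEYS)
    for user, rhost in [("alice", "10.1.2.3"), ("alice", "203.0.113.7"),
                        ("bob", "10.1.2.3"), ("bob", "203.0.113.7")]:
        print(f"{user:6} from {rhost:12} documented={pam_opieaccess_documented(user, rhost, rules, opie):12}"
              f" proposed={pam_opieaccess_proposed(user, rhost, rules, opie)}")
    print("no OPIE entry:", users_without_opie(["alice", "bob"], opie))
```

Run as a script it prints the four combinations; the line to look at is `bob` from `203.0.113.7`, which the documented logic passes (no opiekeys entry) and the proposed logic rejects. The audit function is the cheap check to run after every `adduser` if you keep the stock module.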