From owner-freebsd-current  Mon Jan 21  7:34:13 2002
Delivered-To: freebsd-current@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id 0977537B404
	for <current@FreeBSD.ORG>; Mon, 21 Jan 2002 07:33:59 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602)
	id D2558532C; Mon, 21 Jan 2002 16:33:57 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily
  coincide with those of any organisation or company with
  which I am or have been affiliated.
To: "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc: mark@grondar.za, current@FreeBSD.ORG
Subject: Re: Step6, corresponding /etc/pam.d/* fixes for review
References: <20020121142038.GA36519@nagual.pp.ru>
From: Dag-Erling Smorgrav <des@ofug.org>
Date: 21 Jan 2002 16:33:57 +0100
In-Reply-To: <20020121142038.GA36519@nagual.pp.ru>
Message-ID: <xzpsn8zwwey.fsf@flood.ping.uio.no>
Lines: 21
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-current.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-current>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-current>
X-Loop: FreeBSD.ORG

--=-=-=

"Andrey A. Chernov" <ache@nagual.pp.ru> writes:
> This fixes reflects pam_opieaccess addition. 

OK, comments:

1) there's no reason to have pam_opie commented out now; it won't do
   anything unless OPIE is enabled for the target user.  With my
   patch, any user can use OPIE by simply running opiekey(1), without
   admin intervention.

2) there are several other PAM config files that refer to pam_opie and
   need fixing.

Patch attached.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org


--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=pam_d.diff

Index: csshd
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/csshd,v
retrieving revision 1.2
diff -u -r1.2 csshd
--- csshd	5 Dec 2001 21:26:00 -0000	1.2
+++ csshd	21 Jan 2002 13:55:24 -0000
@@ -5,4 +5,5 @@
 #
 
 # auth
-auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
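Review bot: With pam_opie changed from `required` to `sufficient`, a user who has no OPIE record gets pam_opie's failure discarded, and pam_opieaccess — which as far as I know passes users with no OPIE enrollment — becomes the only module whose result counts; unless csshd has a further `required` auth module below this hunk, no required module has failed and the auth phase can succeed without any secret being verified. The hunk header covers only the file's lines 5-9, so whatever follows is outside my view; please confirm that a `required` module closes the stack, either `pam_unix.so` or, for a challenge-response-only service, an explicit `auth required pam_deny.so` after the new pair. The original `auth required pam_opie.so` line denied such users outright, and the rewrite should not weaken that.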
Index: ftp
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/ftp,v
retrieving revision 1.2
diff -u -r1.2 ftp
--- ftp	5 Dec 2001 21:26:00 -0000	1.2
+++ ftp	21 Jan 2002 14:05:45 -0000
@@ -8,7 +8,8 @@
 auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
-#auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 auth		required	pam_unix.so	no_warn try_first_pass
 
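Review bot: The new `sufficient pam_opie.so` / `requisite pam_opieaccess.so` pair carries no comment explaining why the second line is `requisite` and why it must sit before `pam_unix.so`; the same uncommented pair is added to ftpd, kde, login and other, and in commented form to imap and pop3. Because `sufficient` discards pam_opie's failure, pam_opieaccess is what stops an OPIE user from falling through to a reusable password on a connection not permitted by opieaccess(5), and `requisite` is what makes that refusal final instead of letting pam_unix run anyway; an admin who later relaxes it to `optional` or moves it below pam_unix silently loses the protection, and the `no_warn` flag means the user sees no explanation when it denies. I would add above the pair in each file: `# pam_opieaccess must stay requisite and precede pam_unix: it denies password fallback for OPIE users from hosts not allowed by opieaccess(5)`.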
Index: ftpd
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/ftpd,v
retrieving revision 1.12
diff -u -r1.12 ftpd
--- ftpd	19 Jan 2002 18:29:49 -0000	1.12
+++ ftpd	21 Jan 2002 14:05:17 -0000
@@ -9,10 +9,9 @@
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
 #auth           sufficient      pam_ssh.so      no_warn try_first_pass
-# Uncomment either pam_opie or pam_unix, but not both of them.
-# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
-auth		required	pam_opie.so	no_warn
-#auth		required	pam_unix.so	no_warn try_first_pass
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
+auth		required	pam_unix.so	no_warn try_first_pass
 
 # account
 #account	required	pam_kerberosIV.so
Index: imap
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/imap,v
retrieving revision 1.2
diff -u -r1.2 imap
--- imap	5 Dec 2001 21:26:00 -0000	1.2
+++ imap	21 Jan 2002 14:04:44 -0000
@@ -6,6 +6,7 @@
 
 # auth
 #auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn
+#auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 #auth		required	pam_unix.so	no_warn try_first_pass
Index: kde
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/kde,v
retrieving revision 1.2
diff -u -r1.2 kde
--- kde	5 Dec 2001 21:26:00 -0000	1.2
+++ kde	21 Jan 2002 14:04:21 -0000
@@ -6,7 +6,8 @@
 
 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		sufficient	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
Index: login
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/login,v
retrieving revision 1.5
diff -u -r1.5 login
--- login	19 Jan 2002 18:29:49 -0000	1.5
+++ login	21 Jan 2002 15:14:37 -0000
@@ -6,7 +6,8 @@
 
 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		sufficient	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
@@ -24,7 +25,6 @@
 session		required	pam_unix.so
 
 # password
-#password	sufficient	pam_opie.so	no_warn
 #password	sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #password	sufficient	pam_krb5.so	no_warn try_first_pass
 password	required	pam_unix.so	no_warn try_first_pass
Index: other
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/other,v
retrieving revision 1.2
diff -u -r1.2 other
--- other	5 Dec 2001 21:26:00 -0000	1.2
+++ other	21 Jan 2002 14:03:48 -0000
@@ -6,7 +6,8 @@
 
 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn
+auth		requisite	pam_opieaccess.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass
 
 # account
Index: pop3
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/pop3,v
retrieving revision 1.2
diff -u -r1.2 pop3
--- pop3	5 Dec 2001 21:26:00 -0000	1.2
+++ pop3	21 Jan 2002 14:03:22 -0000
@@ -6,6 +6,7 @@
 
 # auth
 #auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn
+#auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 #auth		required	pam_unix.so	no_warn try_first_pass
Index: su
===================================================================
RCS file: /home/ncvs/src/etc/pam.d/su,v
retrieving revision 1.5
diff -u -r1.5 su
--- su	19 Jan 2002 18:29:49 -0000	1.5
+++ su	21 Jan 2002 14:00:52 -0000
@@ -12,30 +12,41 @@
 #auth		required	pam_opie.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 auth		required	pam_unix.so	no_warn try_first_pass nullok
-#auth		sufficient	pam_rootok.so	no_warn
-##auth		sufficient	pam_kerberosIV.so	no_warn
-##auth		sufficient	pam_krb5.so	no_warn
-#auth		required	pam_opie.so	no_warn auth_as_self
-#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self
 
 # account
 #account	required	pam_kerberosIV.so
 #account	required	pam_krb5.so
 account		required	pam_unix.so
-##account	required	pam_kerberosIV.so
-##account	required	pam_krb5.so
-#account	required	pam_unix.so
 
 # session
 #session	required	pam_kerberosIV.so
 #session	required	pam_krb5.so
 #session	required	pam_ssh.so
 session		required	pam_unix.so
+
+# password
+password	required	pam_permit.so
+
+
+# If you want a "WHEELSU"-type su(1), then comment out the
+# above, and uncomment the entries below.
+## auth
+#auth		sufficient	pam_rootok.so	no_warn
+##auth		sufficient	pam_kerberosIV.so	no_warn
+##auth		sufficient	pam_krb5.so	no_warn
+#auth		required	pam_opie.so	no_warn auth_as_self
+#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self
+
+## account
+##account	required	pam_kerberosIV.so
+##account	required	pam_krb5.so
+#account	required	pam_unix.so
+
+## session
 ##session	required	pam_kerberosIV.so
 ##session	required	pam_krb5.so
 ##session	required	pam_ssh.so
 #session	required	pam_unix.so
 
-# password
-password	required	pam_permit.so
+## password
 #password	required	pam_permit.so
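Review bot: The su stack still carries the old form of the OPIE line: the context line `#auth		required	pam_opie.so	no_warn` at the top of this hunk, and `#auth		required	pam_opie.so	no_warn auth_as_self` in the new WHEELSU stanza, keep `required` with no pam_opieaccess line, while every other file in the patch moves to `sufficient pam_opie.so` plus `requisite pam_opieaccess.so`, which the covering mail's item 2 gives as the reason for touching the other files. The start of su's auth block lies above the hunk, so I cannot see whether an uncommented pam_opie line exists there as well. If the pattern is meant for su too, the commented line should become `#auth		sufficient	pam_opie.so	no_warn` followed by `#auth		requisite	pam_opieaccess.so	no_warn`, though whether pam_opieaccess is meaningful for a local su(1) session, where there is no remote host to check, is worth confirming before copying it; if su is intentionally different, a one-line comment saying so would stop the next reader from "fixing" it.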

--=-=-=--
