From: Dag-Erling Smorgrav
To: "Andrey A. Chernov"
Cc: mark@grondar.za, current@FreeBSD.ORG
Subject: Re: Step6, corresponding /etc/pam.d/* fixes for review
Date: 21 Jan 2002 18:01:45 +0100
In-Reply-To: <20020121162726.GH37234@nagual.pp.ru>
References: <20020121142038.GA36519@nagual.pp.ru> <20020121154244.GC37234@nagual.pp.ru> <20020121161534.GE37234@nagual.pp.ru> <20020121162726.GH37234@nagual.pp.ru>
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.

"Andrey A. Chernov" writes:
> On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
> > - enable OPIE by default, with the no_fake_prompts option, leaving it
> > up to the admin to enable fake prompts if he so wishes
> I vote for this one.

I agree, for the reasons stated previously. Mark?

> > Please, I'm getting paid to do this :) Make yourself a cup of tea or
> > something and put your feet up on the desk for a couple of minutes.
> Ok, ok.

Here are the patches. Comments:

1) in pam_get_pass(), if the current token is non-null but empty, ignore
it. This allows a user to just press enter at an OPIE prompt and still
get a Unix prompt.

2) in pam_opie(8), clear the previous token before generating a
challenge, and ignore use_first_pass or try_first_pass instead of
returning PAM_AUTH_ERR if they are set.

3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was specified
and the user hasn't set up OPIE.

4) in pam.d(5), enable OPIE by default (with the no_fake_prompts option)
in all policies, and use pam_opieaccess(8) to enforce opieaccess and
opiealways checks.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org

Content-Type: text/x-patch
Content-Disposition: attachment; filename=libpam.diff

Index: libpam/pam_get_pass.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/libpam/pam_get_pass.c,v
retrieving revision 1.3
diff -u -r1.3 pam_get_pass.c
--- libpam/pam_get_pass.c	30 Sep 2001 22:10:58 -0000	1.3
+++ libpam/pam_get_pass.c	21 Jan 2002 16:40:40 -0000
@@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software was developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -78,6 +88,8 @@ retval = pam_get_item(pamh, PAM_AUTHTOK, &item); if (retval != PAM_SUCCESS) return retval; + if (item != NULL && *(const char *)item == '\0') + item = NULL; } if (item == NULL) { Index: modules/pam_opie/pam_opie.8 =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v retrieving revision 1.5 diff -u -r1.5 pam_opie.8 --- modules/pam_opie/pam_opie.8 21 Jan 2002 13:43:52 -0000 1.5 +++ modules/pam_opie/pam_opie.8 21 Jan 2002 17:00:51 -0000 @@ -8,7 +8,6 @@ .\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 .\" ("CBOSS"), as part of the DARPA CHATS research program. .\" -.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: 
@@ -94,7 +93,21 @@ where the user's ability to retype their own password might be deemed sufficient. +.It Cm no_fake_prompts +Do not generate fake challenges for users who do not have an OPIE key. +Note that this can leak information to a hypothetical attacker about +who uses OPIE and who doesn't, but it can be useful on systems where +some users want to use OPIE but most don't. .El +.Pp +Note that +.Nm +ignores the standard options +.Cm try_first_pass +and +.Cm use_first_pass , +since a challenge must be generated before the user can submit a valid +response. .Sh FILES .Bl -tag -width ".Pa /etc/opiekeys" -compact .It Pa /etc/opiekeys Index: modules/pam_opie/pam_opie.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.15 diff -u -r1.15 pam_opie.c --- modules/pam_opie/pam_opie.c 20 Jan 2002 20:56:47 -0000 1.15 +++ modules/pam_opie/pam_opie.c 21 Jan 2002 16:34:09 -0000 @@ -4,6 +4,8 @@ * Based upon code Copyright 1998 Juniper Networks, Inc. * Copyright (c) 2001 Networks Associates Technologies, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by * ThinkSec AS and NAI Labs, the Security Research Division of Network @@ -53,10 +55,14 @@ #include #include "pam_mod_misc.h" -enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX }; +enum { + PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, + PAM_OPT_NO_FAKE_PROMPTS +}; static struct opttab other_options[] = { { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, + { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS }, { NULL, 0 } }; 
@@ -78,15 +84,6 @@ PAM_LOG("Options processed"); - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet. - */ - if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) || - pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL)) - PAM_RETURN(PAM_AUTH_ERR); - user = NULL; if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { if ((pwd = getpwnam(getlogin())) == NULL) @@ -102,11 +99,28 @@ PAM_LOG("Got user: %s", user); /* + * If the no_fake_prompts option was given, and the user + * doesn't have an OPIE key, just fail rather than present the + * user with a bogus OPIE challenge. + */ + /* XXX generates a const warning because of incorrect prototype */ + if (pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL)) + if (opielookup(&opie, user) != 0) + PAM_RETURN(PAM_AUTH_ERR); + + /* * Don't call the OPIE atexit() handler when our program exits, * since the module has been unloaded and we will SEGV. */ opiedisableaeh(); + /* + * It doesn't make sense to use a password that has already been + * typed in, since we haven't presented the challenge to the user + * yet, so clear the stored password. + */ + pam_set_item(pamh, PAM_AUTHTOK, NULL); + opiechallenge(&opie, (char *)user, challenge); for (i = 0; i < 2; i++) { snprintf(prompt, sizeof prompt, promptstr[i], challenge); --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=pam_d.diff Index: csshd =================================================================== RCS file: /home/ncvs/src/etc/pam.d/csshd,v retrieving revision 1.2 diff -u -r1.2 csshd --- csshd 5 Dec 2001 21:26:00 -0000 1.2 +++ csshd 21 Jan 2002 16:41:57 -0000 
@@ -5,4 +5,5 @@ # # auth -auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn Index: ftp =================================================================== RCS file: /home/ncvs/src/etc/pam.d/ftp,v retrieving revision 1.2 diff -u -r1.2 ftp --- ftp 5 Dec 2001 21:26:00 -0000 1.2 +++ ftp 21 Jan 2002 16:41:57 -0000 @@ -8,7 +8,8 @@ auth required pam_nologin.so no_warn #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass Index: ftpd =================================================================== RCS file: /home/ncvs/src/etc/pam.d/ftpd,v retrieving revision 1.12 diff -u -r1.12 ftpd --- ftpd 19 Jan 2002 18:29:49 -0000 1.12 +++ ftpd 21 Jan 2002 16:41:57 -0000 @@ -9,10 +9,9 @@ #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn #auth sufficient pam_ssh.so no_warn try_first_pass -# Uncomment either pam_opie or pam_unix, but not both of them. -# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback -auth required pam_opie.so no_warn -#auth required pam_unix.so no_warn try_first_pass +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn +auth required pam_unix.so no_warn try_first_pass # account #account required pam_kerberosIV.so Index: imap =================================================================== RCS file: /home/ncvs/src/etc/pam.d/imap,v retrieving revision 1.2 diff -u -r1.2 imap --- imap 5 Dec 2001 21:26:00 -0000 1.2 +++ imap 21 Jan 2002 16:41:57 -0000 
@@ -6,6 +6,7 @@ # auth #auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +#auth sufficient pam_opie.so no_warn no_fake_prompts +#auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass Index: kde =================================================================== RCS file: /home/ncvs/src/etc/pam.d/kde,v retrieving revision 1.2 diff -u -r1.2 kde --- kde 5 Dec 2001 21:26:00 -0000 1.2 +++ kde 21 Jan 2002 16:41:57 -0000 @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass Index: login =================================================================== RCS file: /home/ncvs/src/etc/pam.d/login,v retrieving revision 1.5 diff -u -r1.5 login --- login 19 Jan 2002 18:29:49 -0000 1.5 +++ login 21 Jan 2002 16:41:57 -0000 @@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth sufficient pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn #auth sufficient pam_kerberosIV.so no_warn try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth required pam_ssh.so no_warn try_first_pass @@ -24,7 +25,6 @@ session required pam_unix.so # password -#password sufficient pam_opie.so no_warn #password sufficient pam_kerberosIV.so no_warn try_first_pass #password sufficient pam_krb5.so no_warn try_first_pass password required pam_unix.so no_warn try_first_pass Index: other =================================================================== RCS file: /home/ncvs/src/etc/pam.d/other,v retrieving revision 1.2 diff -u -r1.2 other --- other 5 Dec 2001 21:26:00 -0000 1.2 +++ other 21 Jan 2002 16:41:57 -0000 
@@ -6,7 +6,8 @@ # auth auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn auth required pam_unix.so no_warn try_first_pass # account Index: pop3 =================================================================== RCS file: /home/ncvs/src/etc/pam.d/pop3,v retrieving revision 1.2 diff -u -r1.2 pop3 --- pop3 5 Dec 2001 21:26:00 -0000 1.2 +++ pop3 21 Jan 2002 16:41:57 -0000 @@ -6,6 +6,7 @@ # auth #auth required pam_nologin.so no_warn -#auth required pam_opie.so no_warn +#auth sufficient pam_opie.so no_warn no_fake_prompts +#auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass #auth required pam_unix.so no_warn try_first_pass Index: su =================================================================== RCS file: /home/ncvs/src/etc/pam.d/su,v retrieving revision 1.5 diff -u -r1.5 su --- su 19 Jan 2002 18:29:49 -0000 1.5 +++ su 21 Jan 2002 16:41:57 -0000 
@@ -9,33 +9,45 @@ auth requisite pam_wheel.so no_warn auth_as_self noroot_ok #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self -#auth required pam_opie.so no_warn +auth sufficient pam_opie.so no_warn no_fake_prompts +auth requisite pam_opieaccess.so no_warn #auth required pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass nullok -#auth sufficient pam_rootok.so no_warn -##auth sufficient pam_kerberosIV.so no_warn -##auth sufficient pam_krb5.so no_warn -#auth required pam_opie.so no_warn auth_as_self -#auth required pam_unix.so no_warn try_first_pass auth_as_self # account #account required pam_kerberosIV.so #account required pam_krb5.so account required pam_unix.so -##account required pam_kerberosIV.so -##account required pam_krb5.so -#account required pam_unix.so # session #session required pam_kerberosIV.so #session required pam_krb5.so #session required pam_ssh.so session required pam_unix.so + +# password +password required pam_permit.so + + +# If you want a "WHEELSU"-type su(1), then comment out the +# above, and uncomment the entries below. +## auth +#auth sufficient pam_rootok.so no_warn +##auth sufficient pam_kerberosIV.so no_warn +##auth sufficient pam_krb5.so no_warn +#auth required pam_opie.so no_warn auth_as_self no_fake_prompts +#auth required pam_unix.so no_warn try_first_pass auth_as_self + +## account +##account required pam_kerberosIV.so +##account required pam_krb5.so +#account required pam_unix.so + +## session ##session required pam_kerberosIV.so ##session required pam_krb5.so ##session required pam_ssh.so #session required pam_unix.so -# password -password required pam_permit.so +## password #password required pam_permit.so
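Review bot: in the pam_get_pass.c hunk (@@ -78,6 +88,8 @@), the new `if (item != NULL && *(const char *)item == '\0') item = NULL;` makes an empty stored token indistinguishable from no token at all, which is the intent described in the message (pressing Enter at the OPIE prompt falls through to a Unix prompt), but it also changes what every caller that accepts an empty password sees: pam.d/su in the second patch keeps `auth required pam_unix.so no_warn try_first_pass nullok`, and for such a `nullok` account the empty token previously reached the module as an empty string while now the module sees no token. A one-line comment above the check stating that an empty PAM_AUTHTOK is deliberately treated as absent, and a sentence wherever pam_get_pass() is documented, would keep this from surprising module authors.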
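Review bot: in the pam_opie.8 hunk (@@ -94,7 +93,21 @@), the `.It Cm no_fake_prompts` entry says the module does not generate a fake challenge but not what it does instead; since the matching pam_opie.c change returns PAM_AUTH_ERR for a user without an OPIE key, say so explicitly, and add that the module should then be listed as `sufficient` with a fallback module after it (as every pam.d policy in the second patch does with `auth sufficient pam_opie.so no_warn no_fake_prompts`), because `required` combined with `no_fake_prompts` locks out every user who has not set up OPIE.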
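Review bot: in the pam_opie.c hunk (@@ -102,11 +99,28 @@), the `no_fake_prompts` check calls `opielookup(&opie, user)` before `opiedisableaeh()`, while the comment a few lines further down explains that the OPIE atexit handler must be disabled because the module will have been unloaded by the time it runs; if the lookup can install that handler, the check should move below `opiedisableaeh()`. Smaller points: the `XXX generates a const warning` note could be resolved the same way `opiechallenge(&opie, (char *)user, challenge)` already does (or by fixing the prototype); the failure path returns PAM_AUTH_ERR with no `PAM_LOG`, so an administrator reading the log cannot tell "user has no OPIE key" from "wrong response"; and `pam_set_item(pamh, PAM_AUTHTOK, NULL)` drops its return value.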
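Review bot: in the pam.d/csshd hunk (@@ -5,4 +5,5 @@), the auth stack now consists only of `auth sufficient pam_opie.so no_warn no_fake_prompts` followed by `auth requisite pam_opieaccess.so no_warn`, with no trailing `required` module and no further lines shown after it, whereas every other policy in this patch closes its auth stack with `auth required pam_unix.so ...`. Depending on how the PAM library scores a failed `sufficient` module followed by a successful `requisite` one, a user whom pam_opie rejects (wrong response, or no OPIE key under no_fake_prompts) could have the stack's verdict decided by pam_opieaccess alone, whose job is to decide whether a non-OPIE login is permitted, not to authenticate. Unless csshd is only consulted after another authentication step, it needs a closing `required` line (a deny module, or the same pam_unix fallback the other policies use).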
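Review bot: in the pam.d/ftpd hunk (@@ -9,10 +9,9 @@), the removed comment states that pam_unix could not simply be chained after pam_opie because ftpd provides its own OPIE/Unix fallback; the new stack chains them (`auth sufficient pam_opie.so no_warn no_fake_prompts` then `auth required pam_unix.so no_warn try_first_pass`) without saying whether ftpd's built-in fallback was changed. Confirm that ftpd no longer performs that fallback itself, otherwise a user who fails the OPIE challenge may be prompted twice, and record the reason in the commit message now that the comment explaining the old arrangement is gone.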
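Review bot: in the pam.d/su hunk (@@ -9,33 +9,45 @@), the commented-out "WHEELSU" alternative uses `#auth required pam_opie.so no_warn auth_as_self no_fake_prompts`, which differs from the active stack in two ways: `required` together with `no_fake_prompts` refuses su to every user without an OPIE key (the active stack uses `sufficient`), and there is no `pam_opieaccess.so` line, so the opieaccess/opiealways enforcement that item 4 of the message says all policies get is missing from that variant. Either make the alternative `sufficient` with a `requisite pam_opieaccess.so` line after it, or document the difference in the comment above it.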