Date: Thu, 30 Nov 2000 22:22:48 -0800 (PST)
From: Bill Fenner <fenner@research.att.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/23203: opie doesn't know that ssh connections are secure and you can't tell it
Message-ID: <200012010622.eB16MmO99953@fenestro.attlabs.att.com>
>Number: 23203 >Category: bin >Synopsis: opie doesn't know that ssh connections are secure and you can't tell it >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 30 22:30:02 PST 2000 >Closed-Date: >Last-Modified: >Originator: Bill Fenner >Release: FreeBSD 4.2-BETA i386 >Organization: AT&T Labs - Research >Environment: opie openssh (parts of base system) >Description: The opie commands opiekey (otp-md4 otp-md5) and opiepasswd refuse to accept a secret pass phrase if they think they're not being run from a secure terminal. There is a command-line option to override this check, but it is not compiled in by default on FreeBSD. This is one of these stupid well-intentioned things that just ends up getting in the way. A desperate user will avoid this whole situation by being even less secure by using e.g. "echo mypassphrase | env DISPLAY=:0 otp-md5 ..." >How-To-Repeat: ssh freefall.freebsd.org otp-md5 1 nanny >Fix: Stupid, less secure workaround: echo "mypassphrase" | env DISPLAY=:0 otp-md5 seq seed Fix: enable the -f flag for opiekey and opiepasswd by adding the proper defines to the Makefiles for opiekey and opiepasswd, and fixing the buggy opiekey. Index: Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/opiekey/Makefile,v retrieving revision 1.4.2.1 diff -u -r1.4.2.1 Makefile --- Makefile 2000/05/14 21:15:05 1.4.2.1 +++ Makefile 2000/12/01 05:51:26 @@ -6,7 +6,7 @@ SRCS= opiekey.c MAN1= opiekey.1 -CFLAGS+= -I${OPIE_DIST} +CFLAGS+= -I${OPIE_DIST} -DINSECURE_OVERRIDE DPADD= ${LIBOPIE} ${LIBMD} LDADD= -lopie -lmd Index: Makefile =================================================================== RCS file: /home/ncvs/src/usr.bin/opiepasswd/Makefile,v retrieving revision 1.4 diff -u -r1.4 Makefile --- Makefile 1999/08/28 01:04:47 1.4 +++ Makefile 2000/12/01 05:51:40 
@@ -6,7 +6,7 @@ SRCS= opiepasswd.c MAN1= opiepasswd.1 -CFLAGS+=-I${OPIE_DIST} +CFLAGS+=-I${OPIE_DIST} -DINSECURE_OVERRIDE DPADD= ${LIBOPIE} ${LIBMD} LDADD= -lopie -lmd Index: opiekey.c =================================================================== RCS file: /home/ncvs/src/contrib/opie/opiekey.c,v retrieving revision 1.1.1.2.6.1 diff -u -r1.1.1.2.6.1 opiekey.c --- opiekey.c 2000/06/09 07:14:56 1.1.1.2.6.1 +++ opiekey.c 2000/12/01 05:53:59 @@ -138,7 +138,7 @@ char *slash; int hex = 0; int type = RESPONSE_STANDARD; - int force; + int force = 0; if (slash = strchr(argv[0], '/')) slash++; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
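Review bot: In the usr.bin/opiekey/Makefile hunk, -DINSECURE_OVERRIDE is appended to the CFLAGS line unconditionally and without a comment, so every build ships opiekey with the -f override enabled and nothing in the Makefile records why. Suggest a one-line comment above the CFLAGS line saying that the define enables -f for sessions, such as ssh, that the secure-terminal check does not recognise. The same Makefile installs opiekey.1 (MAN1= opiekey.1) and the patch leaves it untouched, so please also confirm that the manual page describes -f as available.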
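Review bot: The usr.bin/opiepasswd/Makefile hunk turns on INSECURE_OVERRIDE for opiepasswd, but the patch carries no matching change to opiepasswd.c, whereas opiekey.c needed `int force = 0;` before its override flag could be trusted. Please confirm that the variable opiepasswd uses for the override is initialized before option parsing and say so in the commit message; otherwise this define may expose the same uninitialized read in the tool that sets the secret pass phrase.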
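Review bot: In the opiekey.c hunk at line 138, the old declaration `int force;` left the flag uninitialized while `hex` and `type` beside it are initialized, so `int force = 0;` is an independent bug fix and deserves its own line in the commit message rather than being folded into "enable the -f flag". The file is under src/contrib/opie, so this change diverges from the imported vendor source; suggest noting that in the log and sending the one-line fix to the OPIE maintainers so it survives the next import.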