Date: Thu, 30 Nov 2000 22:22:48 -0800 (PST)
From: Bill Fenner <fenner@research.att.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/23203: opie doesn't know that ssh connections are secure and you can't tell it
Message-ID: <200012010622.eB16MmO99953@fenestro.attlabs.att.com>
>Number: 23203
>Category: bin
>Synopsis: opie doesn't know that ssh connections are secure and you can't tell it
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 30 22:30:02 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Bill Fenner
>Release: FreeBSD 4.2-BETA i386
>Organization:
AT&T Labs - Research
>Environment:
opie
openssh
(parts of base system)
>Description:
The opie commands opiekey (otp-md4 otp-md5) and opiepasswd refuse
to accept a secret pass phrase if they think they're not being run
from a secure terminal. There is a command-line option to override
this check, but it is not compiled in by default on FreeBSD. This
is one of these stupid well-intentioned things that just ends up
getting in the way. A desperate user will avoid this whole situation
by being even less secure by using e.g.
"echo mypassphrase | env DISPLAY=:0 otp-md5 ..."
>How-To-Repeat:
ssh freefall.freebsd.org
otp-md5 1 nanny
>Fix:
Stupid, less secure workaround:
echo "mypassphrase" | env DISPLAY=:0 otp-md5 seq seed
Fix: enable the -f flag for opiekey and opiepasswd by adding the
proper defines to the Makefiles for opiekey and opiepasswd, and
fixing the buggy opiekey.
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/opiekey/Makefile,v
retrieving revision 1.4.2.1
diff -u -r1.4.2.1 Makefile
--- Makefile 2000/05/14 21:15:05 1.4.2.1
+++ Makefile 2000/12/01 05:51:26
@@ -6,7 +6,7 @@
SRCS= opiekey.c
MAN1= opiekey.1
-CFLAGS+= -I${OPIE_DIST}
+CFLAGS+= -I${OPIE_DIST} -DINSECURE_OVERRIDE
DPADD= ${LIBOPIE} ${LIBMD}
LDADD= -lopie -lmd
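Review bot: the `-DINSECURE_OVERRIDE` added to `CFLAGS` compiles the -f override into every build of opiekey, with no way to leave it out short of editing this Makefile. Consider wrapping the define in a make conditional so that sites which want the secure-terminal check enforced can build without it, and make sure opiekey.1 (listed in MAN1 above) documents -f now that it is enabled.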
Index: Makefile
===================================================================
RCS file: /home/ncvs/src/usr.bin/opiepasswd/Makefile,v
retrieving revision 1.4
diff -u -r1.4 Makefile
--- Makefile 1999/08/28 01:04:47 1.4
+++ Makefile 2000/12/01 05:51:40
@@ -6,7 +6,7 @@
SRCS= opiepasswd.c
MAN1= opiepasswd.1
-CFLAGS+=-I${OPIE_DIST}
+CFLAGS+=-I${OPIE_DIST} -DINSECURE_OVERRIDE
DPADD= ${LIBOPIE} ${LIBMD}
LDADD= -lopie -lmd
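Review bot: on the changed `CFLAGS` line, the same `-DINSECURE_OVERRIDE` define is now set separately here and in the opiekey Makefile, so a later change to one can leave the two tools with different override behaviour. Setting it in one shared place would keep them in step. Since opiepasswd also takes the secret pass phrase, opiepasswd.1 should say what -f bypasses.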
Index: opiekey.c
===================================================================
RCS file: /home/ncvs/src/contrib/opie/opiekey.c,v
retrieving revision 1.1.1.2.6.1
diff -u -r1.1.1.2.6.1 opiekey.c
--- opiekey.c 2000/06/09 07:14:56 1.1.1.2.6.1
+++ opiekey.c 2000/12/01 05:53:59
@@ -138,7 +138,7 @@
char *slash;
int hex = 0;
int type = RESPONSE_STANDARD;
- int force;
+ int force = 0;
if (slash = strchr(argv[0], '/'))
slash++;
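Review bot: `int force = 0;` fixes the flag only in opiekey.c, while the Makefile changes enable INSECURE_OVERRIDE for opiepasswd as well; please confirm that opiepasswd.c initialises its corresponding flag, since no source change for it is included. Without the initialiser, `force` is an automatic variable with an indeterminate value unless -f sets it, and that is worth stating in the fix description in place of "fixing the buggy opiekey".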
>Release-Note:
>Audit-Trail:
>Unformatted:
