From: Michael Sierchio
Date: Mon, 03 Nov 2003 10:20:00 -0800
To: Sergey Sysoev
cc: freebsd-stable@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: opie bug or ..?
Message-ID: <3FA69C50.9000602@tenebras.com>
In-Reply-To: <16410385802.20031103113050@faeton1.ru>

Forgive the top-post -- I have independently verified this, suggest you
open a PR. This is definitely a bug in opiepasswd. It is also present
in RELENG_4_8.

Regards,

Michael

Sergey Sysoev wrote:
> Hi. I have a question related to freebsd opie implementation.
> I am running 4.9-RELEASE and I've tried to setup opie.
>
> *** 1 *** opiepasswd/opiekey
>
> I've added a user using `opiepasswd -c "ssa"`
>
> mx2# opiepasswd -c "ssa"
> Adding ssa:
> Only use this method from the console; NEVER from remote. If you are using
> telnet, xterm, or a dial-in, type ^C now or exit with no password.
> Then run opiepasswd without the -c parameter.
> Using MD5 to compute responses.
> Enter new secret pass phrase:
> Again new secret pass phrase:
>
> ID ssa OTP key is 499 mx1759
> WADE IFFY LAWN MEAD DANG BUB
> mx2#
>
> And now I want to change it
>
> mx2# opiepasswd "ssa"
> Updating ssa:
> You need the response from an OTP generator.
> New secret pass phrase:
> otp-md5 499 mx17
> Response:
>
> You see that the seed equals 'mx17'; using opiekey:
>
> mx2# opiekey 499 mx17
> Using the MD5 algorithm to compute response.
> Seeds must be greater than 5 characters long.
> mx2#
>
> So it is not possible to update the password in the /etc/opiekey file; you
> have to edit it manually and then add the password again via 'opiepasswd'.
>
>
> *** 2 *** opiekey
>
> opiekey could not generate a response for a zero sequence number when it
> is specified directly:
>
> mx2# opiekey -a 0 vo6199
> Using the MD5 algorithm to compute response.
> Sequence number 0 is not positive.
>
> but it works fine in the case of:
>
> mx2# opiekey -n5 1 vo6199
> Using the MD5 algorithm to compute response.
> Reminder: Don't use opiekey from telnet or dial-in sessions.
> Enter secret pass phrase:
> 0: OAK SEW CULT FALL AX WAND
> 1: BOUT AID SOOT BUT SIT BILK
> mx2#
>
> *** 3 *** pam_opie.so, the most interesting thing
>
> After a successful login with sequence number 0, trying to do it again
> (the sequence number has been decreased, right?)
>
> mx2# ssh ssa@192.168.90.250
> otp-md5 -1 (null) ext
> Password:
>
> It is impossible to calculate a response to '-1', so I tried any
> password to skip pam_opie and log in with the next pam module. But here
> the login hangs and there is _no_way_ to log in remotely because
> pam_opie.so is the top line of pam.conf
>
> After about a 1-2 minute timeout it just says "Connection closed by 192.168.90.250"
>
>
> *** 4 *** now just a question
>
> (In case of a fix) After sequence number 0 or 1 it should restart from the
> beginning, for example from 499, but I think that the seed should be
> automatically changed in that case for the next 500 iterations; otherwise
> those are not one-time passwords
>
>
> So... I think that is not good ... or am I mistaken?
>
> --
> "Well," Brahma said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent man requires only two thousand five hundred."
> - The Mahabharata
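A small model of the verifier-side logic behind points 1 to 4 of this thread (the seed-length rule, the sequence-number walk-down, failing closed at sequence 0 instead of prompting for -1, and reseeding on reinit), added here as an illustration; it is not OPIE's or FreeBSD's code. It assumes the RFC 2289 otp-md5 construction on raw 8-byte responses and skips the six-word encoding; the names OpieRecord, otp_md5, otp_fold, seed_is_valid and new_seed are ours.

```python
import hashlib
import secrets
import string

def seed_is_valid(seed: str) -> bool:
    # opiekey's rule ("Seeds must be greater than 5 characters long"); 16 is the RFC 2289 maximum
    return 6 <= len(seed) <= 16 and seed.isalnum()

def otp_fold(digest: bytes) -> bytes:
    # RFC 2289 MD5 fold: XOR the two 8-byte halves of the 16-byte digest
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_md5(passphrase: str, seed: str, count: int) -> bytes:
    # otp-md5 response for (seed, count): hash lowercase seed + pass phrase once,
    # then re-hash the folded 8-byte value `count` more times (RFC 2289 section 6)
    if not seed_is_valid(seed):
        raise ValueError("seed must be 6-16 alphanumeric characters")
    if count < 0:
        raise ValueError("sequence number must not be negative")
    value = otp_fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        value = otp_fold(hashlib.md5(value).digest())
    return value

def new_seed(length: int = 8) -> str:
    return "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length))

class OpieRecord:
    # one opiekeys-style entry: sequence number, seed and the last accepted hash
    def __init__(self, passphrase: str, seed: str, count: int = 499):
        self.seed, self.count = seed, count
        self.stored = otp_md5(passphrase, seed, count)

    def challenge(self):
        # prompt shown at login; None once the chain is used up (never "otp-md5 -1 (null)")
        return None if self.count == 0 else f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # fail closed at sequence 0; otherwise one more hash of the response
        # must reproduce the value stored for the current sequence number
        if self.count == 0 or otp_fold(hashlib.md5(response).digest()) != self.stored:
            return False
        self.count, self.stored = self.count - 1, response
        return True

    def reinit(self, passphrase: str, count: int = 499) -> str:
        # start a fresh chain under a different seed: the same seed and pass phrase
        # would regenerate the responses that have already been spent
        seed = new_seed()
        while seed == self.seed:
            seed = new_seed()
        self.seed, self.count, self.stored = seed, count, otp_md5(passphrase, seed, count)
        return seed
```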