Date: Mon, 03 Nov 2003 10:20:00 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: Sergey Sysoev <lists@avtf.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: opie bug or ..?
Message-ID: <3FA69C50.9000602@tenebras.com>
In-Reply-To: <16410385802.20031103113050@faeton1.ru>
References: <16410385802.20031103113050@faeton1.ru>
Forgive the top-post -- I have independently verified this,
suggest you open a PR. This is definitely a bug in opiepasswd.
It is also present in RELENG_4_8.
Regards, Michael
Sergey Sysoev wrote:
> Hi. I have a question related to the FreeBSD OPIE implementation.
> I am running 4.9-RELEASE and I've tried to set up opie.
>
> *** 1 *** opiepasswd/opiekey
>
> I've added a user using `opiepasswd -c "ssa"`
>
> mx2# opiepasswd -c "ssa"
> Adding ssa:
> Only use this method from the console; NEVER from remote. If you are using
> telnet, xterm, or a dial-in, type ^C now or exit with no password.
> Then run opiepasswd without the -c parameter.
> Using MD5 to compute responses.
> Enter new secret pass phrase:
> Again new secret pass phrase:
>
> ID ssa OTP key is 499 mx1759
> WADE IFFY LAWN MEAD DANG BUB
> mx2#
>
> And now I want to change it
>
> mx2# opiepasswd "ssa"
> Updating ssa:
> You need the response from an OTP generator.
> New secret pass phrase:
> otp-md5 499 mx17
> Response:
>
> You see that the seed equals 'mx17'; using opiekey:
>
> mx2# opiekey 499 mx17
> Using the MD5 algorithm to compute response.
> Seeds must be greater than 5 characters long.
> mx2#
>
> So it is not possible to update the password in the /etc/opiekey file; you
> have to edit it manually and then add the password again via 'opiepasswd'.
>
>
>
> *** 2 *** opiekey
>
> opiekey could not generate a response for sequence number zero when it
> is specified directly:
>
> mx2# opiekey -a 0 vo6199
> Using the MD5 algorithm to compute response.
> Sequence number 0 is not positive.
>
> but it works fine in this case:
>
> mx2# opiekey -n5 1 vo6199
> Using the MD5 algorithm to compute response.
> Reminder: Don't use opiekey from telnet or dial-in sessions.
> Enter secret pass phrase:
> 0: OAK SEW CULT FALL AX WAND
> 1: BOUT AID SOOT BUT SIT BILK
> mx2#
>
> *** 3 *** pam_opie.so, the most interesting thing
>
> After a successful login with sequence number 0, trying to do it again
> (the sequence number has been decreased, right?)
>
> mx2# ssh ssa@192.168.90.250
> otp-md5 -1 (null) ext
> Password:
>
> It is impossible to calculate a response to '-1', so I tried using any
> password to skip pam_opie and log in with the next PAM module. But here
> login hangs and there is _no_way_ to log in remotely because
> pam_opie.so is the top line of pam.conf
>
> After a timeout of about 1-2 minutes it just says "Connection closed by 192.168.90.250"
>
>
> *** 4 *** now just a question
>
> (In case of a fix) After sequence number 0 or 1 it should restart counting from the
> beginning, for example from 499, but I think that the seed should be
> automatically changed in that case for the next 500 iterations; otherwise
> these are not one-time passwords
>
>
>
> So... I think that is not good ... or am I mistaken?
>
>
--
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata
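An added example, written for this thread and not taken from either message or from the opie sources: a minimal Python model of the otp-md5 hash chain from RFC 2289 (hex form only, without the six-word dictionary) together with the per-user record opiepasswd keeps, showing why a server must stop cleanly when the sequence number reaches 0 instead of challenging for -1 (point 3), and why resetting the counter with the same seed hands out the same passwords again (point 4). `OpieRecord`, `enroll` and `same_chain` are invented names for this demonstration.

```python
import hashlib
from dataclasses import dataclass

def fold_md5(data: bytes) -> bytes:
    """One RFC 2289 otp-md5 step: MD5, then XOR the two 8-byte halves to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(seed: str, passphrase: str, n: int) -> bytes:
    """OTP number n, what opiekey computes: lowercase seed + pass phrase hashed
    once, then hashed n more times. A negative n (the '-1' challenge) is invalid."""
    if n < 0:
        raise ValueError("sequence number must not be negative")
    key = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(n):
        key = fold_md5(key)
    return key

@dataclass
class OpieRecord:
    """Hypothetical model of the per-user state opiepasswd stores: the current
    sequence number, the seed and the last OTP accepted (initially OTP number seq)."""
    seq: int
    seed: str
    last: bytes

    def challenge(self):
        # Once seq reaches 0 the chain is spent: refuse instead of asking for -1.
        if self.seq == 0:
            return None
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # We hold OTP(seq); a valid answer is OTP(seq-1), so hashing it once must
        # reproduce the stored value. Only then does the record advance.
        if self.seq == 0 or fold_md5(response) != self.last:
            return False
        self.seq -= 1
        self.last = response
        return True

def enroll(seed: str, passphrase: str, seq: int = 499) -> OpieRecord:
    """What 'opiepasswd -c' does: store OTP number seq as the reference value."""
    return OpieRecord(seq, seed, otp(seed, passphrase, seq))

def same_chain(passphrase: str, seed_a: str, seed_b: str, n: int = 499) -> bool:
    """True when two enrollments hand out identical passwords (same seed = replayable)."""
    return otp(seed_a, passphrase, n) == otp(seed_b, passphrase, n)
```

The first assertion in the accompanying check uses the RFC 2289 MD5 test vector (pass phrase "This is a test.", seed "TeSt", count 0), so the fold direction and seed lowercasing can be confirmed offline.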
