Date: Tue, 22 Jun 2004 17:55:55 +0200
From: Didier Wiroth <didier.wiroth@mcesr.etat.lu>
To: freebsd-security@freebsd.org
Subject: Opieaccess file, is this normal?
Message-ID: <0HZP00GS3W981A@mail.etat.lu>
Hi,

I'm trying to set up one-time passwords on FreeBSD 5.2.1.

From what I've read so far, if the user is present in opiekeys, the opieaccess file determines if the user (coming from a specific host or network) is allowed to use his UNIX password from this specific network.

As my opieaccess file is empty and the default rule (as mentioned in the man page) is deny, I should not be able to get an ssh shell with my standard UNIX password.

I've made a test on a test machine running ssh (sshd version OpenSSH_3.6.1p1 FreeBSD-20030924). The opiekeys file contains one user, me actually. The opieaccess file is empty, so (by default) the UNIX password should not be allowed when connecting through ssh.

I press "enter" a few times and sshd switches to the next authentication method, "password". Now I can enter my standard password and I'm logged in, even if I should only be allowed to use the OPIE passwords. Why? Isn't this a bug?

Here is the ssh -v output:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/didier/.ssh/identity
debug1: Trying private key: /home/didier/.ssh/id_rsa
debug1: Trying private key: /home/didier/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
otp-md5 300 pw9999 ext
Password:
otp-md5 300 pw9999 ext
Password [echo on]:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
didier@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

Thanks a lot
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0HZP00GS3W981A>
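The post describes the opieaccess rule as "permit or deny the UNIX password for a user coming from a given host or network, default deny". The following is an added illustration of that decision, written for this page; it is not the poster's configuration and not OPIE's or FreeBSD's own code. It assumes the file format opieaccess(5) documents (one `permit`/`deny` line with a network address and netmask, rules consulted in file order with the first match winning, and deny when nothing matches), and it models only dotted-quad networks; the hostname forms the manual page also accepts are left out. The two sample files are constructed for the example.

```python
"""Model the permit/deny decision opieaccess(5) describes.

Assumptions (added illustration, not FreeBSD's or OPIE's code):
  * each non-comment line is "permit|deny <network> <netmask>",
  * rules are consulted in file order and the first match wins,
  * a host that matches no rule is denied (the default the post relies on),
  * only dotted-quad networks are modelled; hostname forms are left out.
"""
import ipaddress
from typing import List, Tuple

Rule = Tuple[str, ipaddress.IPv4Network]

# Constructed sample files, not the poster's real /etc/opieaccess.
EMPTY_OPIEACCESS = ""
SAMPLE_OPIEACCESS = """\
# action  network       netmask
deny      10.0.0.128    255.255.255.128   # hosts in the exposed half of the LAN
permit    10.0.0.0      255.255.255.0     # the rest of the office LAN
"""


def parse_opieaccess(text: str) -> List[Rule]:
    """Turn the file contents into an ordered list of (action, network)."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(
                f"opieaccess line {lineno}: expected 'permit|deny addr mask', got {raw!r}"
            )
        action, addr, mask = fields
        # strict=False tolerates host bits set in the address field.
        rules.append((action, ipaddress.IPv4Network((addr, mask), strict=False)))
    return rules


def unix_password_allowed(rules: List[Rule], host: str) -> bool:
    """True if a user connecting from `host` may fall back to the UNIX password.

    Only the first rule whose network contains the host counts; an empty
    file, or a host no rule covers, yields False (deny).
    """
    ip = ipaddress.IPv4Address(host)
    for action, network in rules:
        if ip in network:
            return action == "permit"
    return False


def decide(text: str, host: str) -> str:
    """Convenience wrapper returning the word that would apply to `host`."""
    return "permit" if unix_password_allowed(parse_opieaccess(text), host) else "deny"


if __name__ == "__main__":
    for host in ("127.0.0.1", "10.0.0.5", "10.0.0.200", "192.0.2.1"):
        print(f"empty file : {host:>11} -> {decide(EMPTY_OPIEACCESS, host)}")
        print(f"sample file: {host:>11} -> {decide(SAMPLE_OPIEACCESS, host)}")
```

With the empty file every host, including 127.0.0.1, comes out as deny, which is the outcome the poster expected. Note that this models only the opieaccess decision itself. The ssh -v output above shows sshd offering its separate "password" method after keyboard-interactive fails; whether that method is offered at all, and whether it consults the opieaccess check (pam_opieaccess on FreeBSD), is governed by sshd_config (PasswordAuthentication) and the /etc/pam.d/sshd chain, neither of which the post includes, so those two files are the place to look when the observed behaviour and the opieaccess rule disagree.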