From owner-freebsd-security@FreeBSD.ORG Tue Jun 22 15:56:21 2004
From: Didier Wiroth
To: freebsd-security@freebsd.org
Date: Tue, 22 Jun 2004 17:55:55 +0200
Subject: Opieaccess file, is this normal?
Message-id: <0HZP00GS3W981A@mail.etat.lu>
Hi,

I'm trying to set up one-time passwords on FreeBSD 5.2.1.

From what I've read so far, if the user is present in opiekeys, the opieaccess file determines whether the user (coming from a specific host or network) is allowed to use his unix password from that network. As my opieaccess file is empty and the default rule (as mentioned in the man page) is deny, I should not be able to get an ssh shell with my standard unix password.

I've made a test on a test machine running sshd (OpenSSH_3.6.1p1 FreeBSD-20030924). The opiekeys file contains one user, me actually. The opieaccess file is empty, so (by default) the unix password should not be allowed when connecting through ssh. I press Enter a few times and sshd switches to the next authentication method, "password". Now I can enter my standard password and I'm logged in, even though I should only be allowed to use the opie passwords.

Why? Isn't this a bug?
Here is the ssh -v output:

debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/didier/.ssh/identity
debug1: Trying private key: /home/didier/.ssh/id_rsa
debug1: Trying private key: /home/didier/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
otp-md5 300 pw9999 ext
Password:
otp-md5 300 pw9999 ext
Password [echo on]:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
didier@localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

Thanks a lot
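The debug output above shows the client walking the method list sshd advertised ("publickey,password,keyboard-interactive"): the OPIE challenge is delivered through keyboard-interactive, and when that fails the client moves on to the separate "password" method. The following is an added example, not code from the mail or from FreeBSD: it predicts that advertised list from an sshd_config fragment (using the OpenSSH rule that every one of these methods defaults to yes and that the first occurrence of a keyword wins), flags the case where the OPIE prompt and a plain-password method are offered side by side, and checks that a pam.d/sshd auth chain places a hard pam_opieaccess step ahead of pam_unix. All configuration text in the block is constructed for the example; the pam.d layout is modelled on the pam_opie / pam_opieaccess / pam_unix ordering FreeBSD ships, which is an assumption here and should be compared against the real /etc/pam.d/sshd. Whether sshd's "password" method consults pam_opieaccess on this OpenSSH build is exactly what the mail asks, and the example does not answer that; it only shows that taking "password" out of the advertised list removes the fallback the client used.

```python
"""Added example (not part of the original mail): predict which methods an
OpenSSH sshd advertises from its sshd_config, and check that a pam.d/sshd
auth chain gates pam_unix behind pam_opieaccess.

All configuration text below is constructed for the example; the real files
are /etc/ssh/sshd_config and /etc/pam.d/sshd."""

# sshd_config keyword -> method name printed by the client in
# "Authentications that can continue:". OpenSSH defaults all three to yes,
# and the insertion order matches the order the client printed above.
METHOD_KEYWORDS = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "challengeresponseauthentication": "keyboard-interactive",
}


def parse_sshd_config(text):
    """Map lowercased keyword -> value. sshd honours the first occurrence of
    a keyword, so duplicates later in the file are ignored; comments and
    blank lines are skipped and an optional '=' separator is accepted."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        cfg.setdefault(key, value)
    return cfg


def offered_methods(config_text):
    """Methods sshd will advertise for this configuration."""
    cfg = parse_sshd_config(config_text)
    return [m for k, m in METHOD_KEYWORDS.items() if cfg.get(k, "yes") == "yes"]


def password_fallback_present(config_text):
    """True when keyboard-interactive (where the OPIE prompt lives) and the
    plain 'password' method are both offered, so a client that fails OPIE
    can simply move on to 'password' as the ssh -v trace shows."""
    methods = offered_methods(config_text)
    return "keyboard-interactive" in methods and "password" in methods


def parse_pam_auth_chain(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d file."""
    chain = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lower() == "auth":
            chain.append((fields[1].lower(), fields[2]))
    return chain


def opieaccess_gates_unix(pam_text):
    """True when pam_opieaccess is a hard step (requisite or required) that
    comes before pam_unix, so a host denied by opieaccess cannot succeed on
    its unix password through this PAM chain."""
    chain = parse_pam_auth_chain(pam_text)
    gate = next((i for i, (ctl, mod) in enumerate(chain)
                 if mod.startswith("pam_opieaccess") and ctl in ("requisite", "required")), None)
    unix = next((i for i, (_, mod) in enumerate(chain) if mod.startswith("pam_unix")), None)
    return gate is not None and unix is not None and gate < unix


# Constructed sshd_config fragments (not the poster's real file): the first
# leaves every method at its default, the second switches 'password' off.
SSHD_CONFIG_DEFAULT = """\
# constructed for this example
Protocol 2
ChallengeResponseAuthentication yes
"""
SSHD_CONFIG_NO_PASSWORD = SSHD_CONFIG_DEFAULT + "PasswordAuthentication no\n"

# Constructed pam.d/sshd auth section, modelled on the ordering FreeBSD ships
# (assumption: compare with the real /etc/pam.d/sshd before relying on it).
PAM_SSHD_AUTH = """\
auth    required    pam_nologin.so      no_warn
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so   no_warn allow_local
auth    required    pam_unix.so         no_warn try_first_pass
"""

if __name__ == "__main__":
    print("default:    ", offered_methods(SSHD_CONFIG_DEFAULT))
    print("no password:", offered_methods(SSHD_CONFIG_NO_PASSWORD))
    print("fallback present:", password_fallback_present(SSHD_CONFIG_DEFAULT))
    print("opieaccess gates pam_unix:", opieaccess_gates_unix(PAM_SSHD_AUTH))
```

Run against a real sshd_config by reading the file into `offered_methods`; if the result still lists "password" next to "keyboard-interactive", the fallback path seen in the trace is open regardless of what opieaccess says for the keyboard-interactive path.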