Date:      Tue, 9 Jul 2002 09:46:40 -0700
From:      Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        "Andrey A. Chernov" <ache@nagual.pp.ru>, current@FreeBSD.ORG
Subject:   Re: PasswordAuthentication not works in sshd
Message-ID:  <15659.4976.851650.646333@horsey.gshapiro.net>
In-Reply-To: <xzpd6txj93r.fsf@flood.ping.uio.no>
References:  <20020702114530.GB837@nagual.pp.ru> <xzpn0tacp9c.fsf@flood.ping.uio.no> <20020709124943.GA15259@nagual.pp.ru> <xzphej9jb3i.fsf@flood.ping.uio.no> <20020709133611.GA17322@nagual.pp.ru> <xzpd6txj93r.fsf@flood.ping.uio.no>

>> Normally OPIE does not accept a plain Unix password remotely, and that is right,
>> because of cleartext. But it is wrong for sshd, because no cleartext is
>> sent for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
>> fail by default, or maybe should not even be present there.

des> What if the client is untrusted?  Do you find it reasonable to allow
des> users to type their password on an untrusted client?  Many of our
des> users use OPIE for precisely this scenario - reading their mail on an
des> untrusted machine in the USENIX terminal room.

Interestingly enough, pam_opieaccess doesn't help at all in this
situation.  The remote user is still prompted for their plain text
password, it just isn't accepted.  However, the damage is already done -- a
compromised ssh client would have already recorded the password typed in.

For opie_access to be of any use, it would have to print a warning telling
users not to type in their plain text password and cause ssh not to ask for
that password after the OTP queries fail (effectively, disable password as
one of the authentication techniques early on).  Also, pam_opieaccess is
broken at the moment anyway as /usr/src/contrib/opie/libopie/accessfile.c
is not compiled with PATH_ACCESS_FILE defined.  The maintainer of OPIE
should add:

#define PATH_ACCESS_FILE "/etc/opieaccess"

to /usr/src/contrib/opie/opie_cfg.h.
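The approach described above (stop the PAM stack before the Unix password module runs, and keep sshd from collecting a plain password on its own) as an added example; this is not part of the message or of FreeBSD's shipped files, and the module names and options are assumed to match pam_opie(8) and pam_opieaccess(8):

```conf
# /etc/pam.d/sshd (auth stack only; assumed layout, not the file as shipped)
#
# pam_opie asks the OTP challenge.  no_fake_prompts means a user with no
# OPIE entry is not shown a bogus challenge, so nothing is typed in vain.
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
# pam_opieaccess consults PATH_ACCESS_FILE (/etc/opieaccess).  As
# "requisite", a failure returns immediately and pam_unix below is never
# reached, so no plain password prompt is issued for an untrusted client.
auth    requisite   pam_opieaccess.so   no_warn allow_local
# Only reached when pam_opieaccess permitted plain passwords from this host.
auth    required    pam_unix.so         no_warn try_first_pass

# /etc/ssh/sshd_config (relevant lines only)
#
# With "password" auth, the client sends the password before PAM runs, so
# pam_opieaccess can only reject it after a compromised client has logged it.
# Disable that method and use keyboard-interactive, where PAM drives every
# prompt and a requisite failure means the password is never requested.
PasswordAuthentication          no
ChallengeResponseAuthentication yes
```

Without the sshd_config change, the PAM ordering alone does not prevent the password from being typed, which is the point the message makes.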
