From owner-freebsd-current Tue Jul 9 16:26:45 2002
Date: Wed, 10 Jul 2002 03:26:02 +0400
From: "Andrey A. Chernov"
To: Dag-Erling Smorgrav
Cc: current@freebsd.org
Subject: Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)
Message-ID: <20020709232559.GA23499@nagual.pp.ru>
References: <20020702114530.GB837@nagual.pp.ru> <20020709124943.GA15259@nagual.pp.ru> <20020709133611.GA17322@nagual.pp.ru> <20020709164108.GA19075@nagual.pp.ru>

On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:
> Seriously, can you please turn down the hysteria a couple of notches
> and give me a proper bug report?

This is not hysteria, just a short way to say things. I can try, at least, to reword my reports more verbosely.

Consider the following setup: OPIE is active and allows Unix plaintext passwords for local users only (i.e. the common way of using OPIE). Then let's disable all sshd auth methods except "PasswordAuthentication yes" in sshd_config. All other sshd and PAM things are in the default state.

For remote ssh logins we have two bugs in that scenario: one is questionable and the other one is true.

1st bug is questionable: violating the documented ssh way of turning OPIE on. I'll return here later and now will mention only one thing: you say that we have an enhancement here, but this enhancement is not working, because of --

2nd bug is true: no OTP prompt in the scenario above. I.e. even if a user wants to enter an OPIE password, he can't do that because he can't calculate it, because he does not see something like

otp-md5 9960 pa4106 ext
ache@xxx.xx password:

but sees only:

ache@xxx.xx password:

(no OTP prompt).

Now let's return to the 1st bug.

1) It is client-related, so even if you fix sshd to print the OTP prompt, many ssh clients (e.g. Windows ones) do not understand this new prompt, i.e. do not display it at all or even produce a fault.

2) One of the main purposes of OTP is to avoid sending a cleartext password over the net, but ssh already does not do that. When a user calls ssh from a secure end point, using OTP gains nothing, unlike for other programs, and only slows the entering process down (calculating the response).

These two reasons mean that it will be better not to turn OPIE on for sshd by default.

--
Andrey A. Chernov
http://ache.pp.ru/