Date: Fri, 11 Mar 2011 21:15:33 +0000
From: Miguel Lopes Santos Ramos <mbox@miguel.ramos.name>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Message-ID: <1299878133.29931.14.camel@w500.local>
In-Reply-To: <1299838652.24241.1.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local> <86aah2yopr.fsf@ds4.des.no> <1299838652.24241.1.camel@w500.local>
[-- Attachment #1 --]
Here's a scratch.
I added an option, called "require_trusted", which enforces the trusted
network check even for users which do not have OPIE enabled.
If this option is not used, behaviour is unchanged.
The name "require_trusted" is catchy and compelling to use. However, if
it was used in default configuration files, login would be impossible
(unless there was a default opieaccess file which permitted everything,
but that is a bit forcing OPIE stuff on people and it's not worth it).
Here are three of the scratches I made:
- I first tried to change as few lines as reasonable, that's
pam_opieaccess_mindiff.c, but that made the code look less regular:
instead of two ifs leading to return PAM_SUCCESS, now there was a third
returning failure, so,
- as an attempt to avoid that, I used a nested if,
pam_opieaccess_nestedif.c,
- then I tried to factor things out, and the best way seemed to be
negating everything.
I still scratched a bit more, but it started looking like much ado about
nothing.
Fri, 2011-03-11 at 10:17 +0000, Miguel Lopes Santos Ramos wrote:
> Fri, 2011-03-11 at 10:46 +0100, Dag-Erling Smørgrav wrote:
> > Miguel Lopes Santos Ramos <mbox@miguel.ramos.name> writes:
> > > 1. The user does not have OPIE enabled and the remote host is listed as
> > > a trusted host in /etc/opieaccess.
> > > 2. The user has OPIE enabled and the remote host is listed as a trusted
> > > host in /etc/opieaccess, and the user does not have a file
> > > named .opiealways in his home directory.
> > >
> > > Or at least this should be an option for pam_opieaccess.
> >
> > Seems like a good idea, at first blush (provided it's optional). Do you
> > have a patch?
> >
> > DES
>
> I will make a scratch. I'll submit it to the list on the weekend.
>
--
Miguel Ramos <mbox@miguel.ramos.name>
PGP A006A14C
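The access rule the message sketches (the trusted-host check applied to everyone when require_trusted is set, behaviour unchanged otherwise), as an added C model that is not part of the message or of pam_opieaccess itself. The three boolean inputs stand in for what the module derives from opielookup(), opieaccessfile() and opiealways(); the function names and the table printer are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the pam_opieaccess decision, not the module's code.
 * Inputs: whether the user has an OPIE record, whether the remote host is
 * listed in /etc/opieaccess, whether ~/.opiealways exists, and the proposed
 * require_trusted option.
 */
enum access { ACCESS_ALLOW = 0, ACCESS_DENY = 1 };

enum access opieaccess_decide(bool opie_user,      /* opielookup() found a record */
                              bool trusted_host,   /* rhost listed in /etc/opieaccess */
                              bool opiealways,     /* ~/.opiealways is present */
                              bool require_trusted)
{
    /* The new check: with require_trusted, an untrusted host is refused for everyone. */
    if (require_trusted && !trusted_host)
        return ACCESS_DENY;

    /* Unchanged behaviour: users without an OPIE record pass through. */
    if (!opie_user)
        return ACCESS_ALLOW;

    /* An OPIE user with ~/.opiealways must use OPIE even from a trusted host. */
    if (opiealways)
        return ACCESS_DENY;

    /* Other OPIE users may skip OPIE only from a trusted host. */
    return trusted_host ? ACCESS_ALLOW : ACCESS_DENY;
}

/*
 * Walk all 8 input combinations and count those where setting
 * require_trusted flips the verdict.  The option is meant to affect only
 * non-OPIE users from untrusted hosts, so the expected count is 2
 * (opiealways true or false for that pair).
 */
int count_changed_by_require_trusted(void)
{
    int changed = 0;
    for (int bits = 0; bits < 8; bits++) {
        bool opie_user = (bits & 1) != 0;
        bool trusted_host = (bits & 2) != 0;
        bool opiealways = (bits & 4) != 0;
        if (opieaccess_decide(opie_user, trusted_host, opiealways, false) !=
            opieaccess_decide(opie_user, trusted_host, opiealways, true))
            changed++;
    }
    return changed;
}

/* Print the full decision table so the two variants can be compared side by side. */
int main(void)
{
    printf("opie_user trusted_host opiealways | default require_trusted\n");
    for (int bits = 0; bits < 8; bits++) {
        bool opie_user = (bits & 1) != 0;
        bool trusted_host = (bits & 2) != 0;
        bool opiealways = (bits & 4) != 0;
        const char *dflt = opieaccess_decide(opie_user, trusted_host, opiealways, false)
                           == ACCESS_ALLOW ? "allow" : "deny";
        const char *req = opieaccess_decide(opie_user, trusted_host, opiealways, true)
                          == ACCESS_ALLOW ? "allow" : "deny";
        printf("%9d %12d %10d | %7s %15s\n",
               opie_user, trusted_host, opiealways, dflt, req);
    }
    printf("combinations changed by require_trusted: %d\n",
           count_changed_by_require_trusted());
    return 0;
}
```

The table makes the message's claim checkable: with require_trusted unset the verdict is the module's existing one, and setting it only turns the two "non-OPIE user from an unlisted host" rows from allow to deny, which is also why an empty /etc/opieaccess plus this option locks every remote login out.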
[-- Attachment #2 --]
--- pam_opieaccess.8.orig 2011-03-11 20:25:03.000000000 +0000
+++ pam_opieaccess.8 2011-03-11 20:32:03.000000000 +0000
@@ -96,7 +96,12 @@
.Dv PAM_AUTH_ERR .
.Pp
The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm allow_local"
+.Bl -tag -width ".Cm require_trusted"
+.It Cm require_trusted
+Normally, a login for a user which does not have OPIE enabled is
+allowed through this module.
+This option, causes the trusted host check to be enforced even for
+users which do not have OPIE enabled.
.It Cm allow_local
Normally, local logins are subjected to the same restrictions as
remote logins from
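Review bot: the new .It Cm require_trusted entry has a stray comma ("This option, causes the trusted host check ...") and "users which" should be "users who"; suggested wording: "This option causes the trusted host check to be enforced even for users who do not have OPIE enabled." Since the covering mail notes that turning this on without an /etc/opieaccess entry for the client network makes login impossible, the man page is the place to say so, for example: "Do not enable this option unless /etc/opieaccess lists the networks from which logins are to be permitted."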
[-- Attachment #3 --]
--- pam_opieaccess.c 2011-03-11 20:22:42.000000000 +0000
+++ pam_opieaccess_favorite.c 2011-03-11 20:18:06.000000000 +0000
@@ -56,7 +56,10 @@
struct opie opie;
struct passwd *pwent;
const void *luser, *rhost;
- int r;
+ int r, allow_local, require_trusted, opie_user;
+
+ allow_local = openpam_get_option(pamh, "allow_local") != 0;
+ require_trusted = openpam_get_option(pamh, "require_trusted") != 0;
r = pam_get_item(pamh, PAM_USER, &luser);
if (r != PAM_SUCCESS)
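Review bot: the two option flags are computed with `!= 0` on the pointer that openpam_get_option() returns; this works, but `!= NULL` states the intent and matches how the removed `openpam_get_option(pamh, "allow_local") ? "" : "localhost"` test treated the value. Reading both options once at the top of the function is otherwise an improvement over the inline lookup.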
@@ -64,24 +67,31 @@
if (luser == NULL)
return (PAM_SERVICE_ERR);
- pwent = getpwnam(luser);
- if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
- return (PAM_SUCCESS);
-
r = pam_get_item(pamh, PAM_RHOST, &rhost);
if (r != PAM_SUCCESS)
return (r);
if (rhost == NULL || *(const char *)rhost == '\0')
- rhost = openpam_get_option(pamh, "allow_local") ?
- "" : "localhost";
+ rhost = allow_local ? "" : "localhost";
- if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&
- opiealways(pwent->pw_dir) != 0)
- return (PAM_SUCCESS);
+ if (require_trusted && opieaccessfile(__DECONST(char*, rhost)) == 0) {
+ PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
+ return (PAM_AUTH_ERR);
+ }
- PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
+ pwent = getpwnam(luser);
+ opie_user = opielookup(&opie, __DECONST(char*, luser)) == 0;
+
+ if (opie_user && pwent != NULL && opiealways(pwent->pw_dir) == 0) {
+ PAM_VERBOSE_ERROR("Refused; user must use OPIE");
+ return (PAM_AUTH_ERR);
+ }
+
+ if (!require_trusted && opie_user && opieaccessfile(__DECONST(char*, rhost)) == 0) {
+ PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
+ return (PAM_AUTH_ERR);
+ }
- return (PAM_AUTH_ERR);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
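Review bot: the pwent == NULL path changes behaviour and deserves either a comment or an explicit early return. Before, `if (pwent == NULL || opielookup(...) != 0) return (PAM_SUCCESS);` returned before any OPIE state was consulted; now opielookup() runs regardless, and for a user with an OPIE record but no passwd entry the .opiealways check is skipped (guarded by `pwent != NULL`) while the final trusted-host refusal still applies. If passing such a user on to the next module is still the intent, keep `if (pwent == NULL) return (PAM_SUCCESS);` right after getpwnam(). Two smaller points: `__DECONST(char*, rhost)` drops the space used by the file's `__DECONST(char *, luser)` style, and the two opieaccessfile() refusals (`if (require_trusted && ...` and `if (!require_trusted && opie_user && ...`) could share one call stored in a local, which would also make the require_trusted distinction read as a single condition.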
[-- Attachment #4 --]
--- pam_opieaccess.c 2011-03-11 20:22:42.000000000 +0000
+++ pam_opieaccess_mindiff.c 2011-03-11 19:07:19.312243000 +0000
@@ -64,10 +64,6 @@
if (luser == NULL)
return (PAM_SERVICE_ERR);
- pwent = getpwnam(luser);
- if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
- return (PAM_SUCCESS);
-
r = pam_get_item(pamh, PAM_RHOST, &rhost);
if (r != PAM_SUCCESS)
return (r);
@@ -75,6 +71,14 @@
rhost = openpam_get_option(pamh, "allow_local") ?
"" : "localhost";
+ if (openpam_get_option(pamh, "require_trusted") &&
+ opieaccessfile(__DECONST(char*, rhost)) == 0)
+ return (PAM_AUTH_ERR);
+
+ pwent = getpwnam(luser);
+ if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
+ return (PAM_SUCCESS);
+
if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&
opiealways(pwent->pw_dir) != 0)
return (PAM_SUCCESS);
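Review bot: the new `return (PAM_AUTH_ERR);` for require_trusted refuses silently, whereas the existing refusal path in this function logs through PAM_VERBOSE_ERROR() before returning PAM_AUTH_ERR; add `PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");` before it so the two refusals are distinguishable in the log. Also, when require_trusted is set and the host is trusted, opieaccessfile(rhost) is evaluated twice (once in the new test, again in the unchanged `if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&`), so /etc/opieaccess is read twice per login; storing the result in a local avoids that. Minor: `__DECONST(char*, rhost)` vs the surrounding `__DECONST(char *, ...)` spacing.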
[-- Attachment #5 --]
--- pam_opieaccess.c 2011-03-11 20:22:42.000000000 +0000
+++ pam_opieaccess_nestedif.c 2011-03-11 19:21:57.000000000 +0000
@@ -64,10 +64,6 @@
if (luser == NULL)
return (PAM_SERVICE_ERR);
- pwent = getpwnam(luser);
- if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
- return (PAM_SUCCESS);
-
r = pam_get_item(pamh, PAM_RHOST, &rhost);
if (r != PAM_SUCCESS)
return (r);
@@ -75,9 +71,16 @@
rhost = openpam_get_option(pamh, "allow_local") ?
"" : "localhost";
- if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&
- opiealways(pwent->pw_dir) != 0)
- return (PAM_SUCCESS);
+ if (!openpam_get_option(pamh, "require_trusted") ||
+ opieaccessfile(__DECONST(char*, rhost)) != 0) {
+ pwent = getpwnam(luser);
+ if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
+ return (PAM_SUCCESS);
+
+ if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&
+ opiealways(pwent->pw_dir) != 0)
+ return (PAM_SUCCESS);
+ }
PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
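Review bot: opieaccessfile(rhost) is called twice when require_trusted is set and the host is trusted, once in the outer `if (!openpam_get_option(pamh, "require_trusted") || opieaccessfile(...) != 0)` and again in the inner `if (opieaccessfile(...) != 0 && opiealways(pwent->pw_dir) != 0)`. Hoisting the result into a local (`trusted = opieaccessfile(__DECONST(char *, rhost)) != 0;`) removes the duplicate file read and lets the inner test become `if (trusted && opiealways(pwent->pw_dir) != 0)`. The fall-through PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess") is accurate for the new require_trusted refusal, but it is also what an OPIE user refused because of .opiealways receives (pre-existing); the separate "user must use OPIE" message from the favourite variant would be worth carrying over here too.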
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1299878133.29931.14.camel>
