Date:      Wed, 10 Jul 2002 09:37:24 -0700
From:      Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>
To:        "Andrey A. Chernov" <ache@nagual.pp.ru>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, current@FreeBSD.ORG
Subject:   Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))
Message-ID:  <15660.25284.36769.583960@horsey.gshapiro.net>
In-Reply-To: <20020710152358.GA31729@nagual.pp.ru>
References:  <20020709164108.GA19075@nagual.pp.ru> <xzpr8icinnb.fsf@flood.ping.uio.no> <20020709232559.GA23499@nagual.pp.ru> <xzpd6tvj3h3.fsf@flood.ping.uio.no> <20020710115021.GA28478@nagual.pp.ru> <xzpznwzg4k0.fsf@flood.ping.uio.no> <20020710122357.GA29452@nagual.pp.ru> <xzpptxvg2h8.fsf@flood.ping.uio.no> <20020710132801.GA30351@nagual.pp.ru> <xzp8z4jg0vs.fsf@flood.ping.uio.no> <20020710152358.GA31729@nagual.pp.ru>

If I may suggest a fix that will probably make everyone happy...

The problem seems to be the addition of opieaccess to the PAM
configuration.  With that addition, in -CURRENT, unless a user creates
/etc/opieaccess and adds explicit "permit" lines, plain text passwords will
not be accepted if OPIE is in use at the site.  If that file does not
exist, plain text passwords are explicitly denied.  This breaks POLA.

However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
plain text passwords if the file does not exist (the normal case), then I
believe people will be happy.  Alternatively, we need to start distributing
an /etc/opieaccess file that "permit"'s every connection by default.

So, to fix this:

1. Either this one line change to /usr/src/contrib/opie/libopie/accessfile.c

   From:

     if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
       return 0;

   To:

     if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
       return 1;

   Or add /etc/opieaccess with the line:

     permit 0.0.0.0 0.0.0.0

2. In -STABLE, merge src/lib/libopie/Makefile revs 1.14 and 1.15 to
   RELENG_4.  Then merge whichever fix you do in #1 above, then it is safe
   to revert src/etc/pam.conf rev 1.6.2.16.
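The two choices in #1 above differ only in what happens when /etc/opieaccess is absent: fail closed (return 0, plain text denied) or fail open (return 1, plain text permitted). The following is an added illustration written for this archive page; it is not OPIE's accessfile.c and not code from the message. It models the access file as "permit|deny address netmask" lines that are matched against the client address, first match wins and no match denies; those semantics, and the function names opie_access_eval and opie_access_check, are assumptions made for the example. The on_missing parameter is the one-line change from the message made explicit, so both policies can be compared against the same file contents.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What to return when the access file cannot be opened.
 * MISSING_DENY   == the current accessfile.c behaviour ("return 0")
 * MISSING_PERMIT == the proposed one-line change       ("return 1") */
enum missing_policy { MISSING_DENY = 0, MISSING_PERMIT = 1 };

/* Dotted-quad IPv4 to host-order integer. Returns 1 on success, 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Evaluate access-file contents (already in memory) for one client address.
 * Lines: "permit ADDR MASK" or "deny ADDR MASK"; '#' starts a comment.
 * Returns 1 if a plain-text password is permitted, 0 if denied.
 * A malformed line is skipped; no matching line means deny (fail closed). */
int opie_access_eval(const char *contents, const char *client_ip)
{
    uint32_t client, addr, mask;
    char line[256], verb[16], a[64], m[64];
    const char *p = contents;

    if (!parse_ipv4(client_ip, &client))
        return 0;

    while (*p) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n;
        if (*p == '\n')
            p++;

        if (line[0] == '#')
            continue;
        if (sscanf(line, "%15s %63s %63s", verb, a, m) != 3)
            continue;
        if (!parse_ipv4(a, &addr) || !parse_ipv4(m, &mask))
            continue;

        if ((client & mask) == (addr & mask)) {
            if (strcmp(verb, "permit") == 0)
                return 1;
            if (strcmp(verb, "deny") == 0)
                return 0;
        }
    }
    return 0;
}

/* File-backed variant. The fopen() failure branch is the line the message
 * proposes to change: on_missing selects between the two return values. */
int opie_access_check(const char *path, const char *client_ip,
                      enum missing_policy on_missing)
{
    char buf[4096];
    size_t n;
    FILE *fp = fopen(path, "r");

    if (!fp)
        return on_missing;
    n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return opie_access_eval(buf, client_ip);
}

int main(void)
{
    /* Constructed sample contents, equivalent to the default file suggested above. */
    const char *permit_all = "permit 0.0.0.0 0.0.0.0\n";
    const char *lan_only = "# constructed example policy\n"
                           "deny   10.0.0.0     255.0.0.0\n"
                           "permit 192.168.0.0  255.255.0.0\n";

    printf("permit-all, 10.1.2.3  -> %d\n", opie_access_eval(permit_all, "10.1.2.3"));
    printf("lan-only,   10.1.2.3  -> %d\n", opie_access_eval(lan_only, "10.1.2.3"));
    printf("lan-only,   192.168.5.9 -> %d\n", opie_access_eval(lan_only, "192.168.5.9"));
    printf("missing file, fail closed -> %d\n",
           opie_access_check("/nonexistent/opieaccess", "192.168.5.9", MISSING_DENY));
    printf("missing file, fail open   -> %d\n",
           opie_access_check("/nonexistent/opieaccess", "192.168.5.9", MISSING_PERMIT));
    return 0;
}
```

The "permit 0.0.0.0 0.0.0.0" line works because a zero netmask matches every address, which is why shipping that one-line file is equivalent, for plain-text logins, to the return-value change. The difference that matters for hardening is in the missing-file branch alone: with MISSING_DENY an administrator who never heard of opieaccess gets plain-text logins refused (the POLA break described above), with MISSING_PERMIT the file only restricts once it exists.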

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15660.25284.36769.583960>