From owner-freebsd-current Wed Jul 10 9:37:46 2002
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D2D837B400 for ; Wed, 10 Jul 2002 09:37:42 -0700 (PDT)
Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7796843E31 for ; Wed, 10 Jul 2002 09:37:41 -0700 (PDT) (envelope-from gshapiro@gshapiro.net)
Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.5.Beta0/8.12.5.Beta0) with ESMTP id g6AGbPdN027772 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 10 Jul 2002 09:37:25 -0700 (PDT)
Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.5.Beta0/8.12.5.Beta0/Submit) id g6AGbOWS027768; Wed, 10 Jul 2002 09:37:24 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15660.25284.36769.583960@horsey.gshapiro.net>
Date: Wed, 10 Jul 2002 09:37:24 -0700
From: Gregory Neil Shapiro
To: "Andrey A. Chernov"
Cc: Dag-Erling Smorgrav, current@FreeBSD.ORG
Subject: Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))
In-Reply-To: <20020710152358.GA31729@nagual.pp.ru>
References: <20020709164108.GA19075@nagual.pp.ru> <20020709232559.GA23499@nagual.pp.ru> <20020710115021.GA28478@nagual.pp.ru> <20020710122357.GA29452@nagual.pp.ru> <20020710132801.GA30351@nagual.pp.ru> <20020710152358.GA31729@nagual.pp.ru>
X-Mailer: VM 7.03 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If I may suggest a fix that will probably make everyone happy...

The problem seems to be the addition of opieaccess to the PAM configuration.
With that addition, in -CURRENT, unless a user creates /etc/opieaccess and
adds explicit "permit" lines, plain text passwords will not be accepted if
OPIE is in use at the site. If that file does not exist, plain text
passwords are explicitly denied. This breaks POLA.

However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
plain text passwords if the file does not exist (the normal case), then I
believe people will be happy. Alternatively, we need to start distributing
an /etc/opieaccess file that "permit"s every connection by default.

So, to fix this:

1. Either this one line change to /usr/src/contrib/opie/libopie/accessfile.c

   From:
     if (!(fp = fopen(PATH_ACCESS_FILE, "r"))) return 0;
   To:
     if (!(fp = fopen(PATH_ACCESS_FILE, "r"))) return 1;

   Or add /etc/opieaccess with the line:

     permit 0.0.0.0 0.0.0.0

2. In -STABLE, merge src/lib/libopie/Makefile revs 1.14 and 1.15 to
   RELENG_4. Then merge whichever fix you do in #1 above, then it is safe
   to revert src/etc/pam.conf rev 1.6.2.16.
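The message above turns on a single return value: when /etc/opieaccess is absent, does the access check fail closed (return 0, plain text passwords refused) or fail open (return 1, plain text passwords accepted)? The following is an added illustration written for this archive page, not code from the opie library or from FreeBSD. It models an opieaccess(5)-style lookup ("permit"/"deny" followed by an address and a netmask, first match wins) over an in-memory buffer so that both missing-file policies, and the "permit 0.0.0.0 0.0.0.0" file proposed as the alternative, can be exercised side by side. The function names, the sample rule set and the client addresses are constructed for the example, and the assumption that a present file with no matching rule denies access is the example's own conservative default, not a statement about the real accessfile.c.

```c
/* Added example (not opie's code): a minimal opieaccess-style lookup that
 * makes the fail-open / fail-closed decision for a missing file explicit. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* What to do when the access file does not exist: the "return 0" vs
 * "return 1" choice discussed in the message. */
enum missing_policy { MISSING_DENY = 0, MISSING_PERMIT = 1 };

/* Constructed sample of an /etc/opieaccess: block one private range,
 * permit everything else. */
static const char sample_opieaccess[] =
    "# constructed sample /etc/opieaccess\n"
    "deny 10.0.0.0 255.0.0.0\n"
    "permit 0.0.0.0 0.0.0.0\n";

/* Parse a dotted-quad IPv4 address into host byte order; 0 on failure. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1)
        return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Decide whether a plain text password may be accepted from `client`.
 *   rules  - contents of the access file, or NULL if the file is absent
 *   pol    - policy applied when rules == NULL
 * Returns 1 to permit, 0 to deny. Lines are "permit ADDR MASK" or
 * "deny ADDR MASK"; the first rule whose network contains the client wins.
 * A present file with no matching rule denies (assumed default). */
int opie_plaintext_allowed(const char *rules, const char *client,
                           enum missing_policy pol)
{
    uint32_t ip;
    if (!parse_ip(client, &ip))
        return 0;                         /* unparsable address: deny */
    if (rules == NULL)
        return pol == MISSING_PERMIT;     /* the one-line change in effect */

    char line[256];
    const char *p = rules;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        char verb[16], addr[64], mask[64];
        if (line[0] == '#' ||
            sscanf(line, "%15s %63s %63s", verb, addr, mask) != 3)
            continue;                     /* blank, comment or malformed */
        uint32_t a, m;
        if (!parse_ip(addr, &a) || !parse_ip(mask, &m))
            continue;
        if ((ip & m) == (a & m)) {
            if (strcmp(verb, "permit") == 0) return 1;
            if (strcmp(verb, "deny") == 0)   return 0;
        }
    }
    return 0;                             /* no matching rule: deny */
}

int main(void)
{
    const char *client = "192.0.2.10";    /* constructed client address */
    printf("file absent, fail closed : %d\n",
           opie_plaintext_allowed(NULL, client, MISSING_DENY));
    printf("file absent, fail open   : %d\n",
           opie_plaintext_allowed(NULL, client, MISSING_PERMIT));
    printf("sample file, 192.0.2.10  : %d\n",
           opie_plaintext_allowed(sample_opieaccess, client, MISSING_DENY));
    printf("sample file, 10.1.2.3    : %d\n",
           opie_plaintext_allowed(sample_opieaccess, "10.1.2.3", MISSING_DENY));
    return 0;
}
```

The two fixes in the message are not equivalent from an operator's point of view: changing the return value makes the permissive behaviour implicit and invisible in /etc, while shipping a file containing "permit 0.0.0.0 0.0.0.0" records the same policy where an administrator will see it, and gives them an obvious place to add a "deny" line in front of it for address ranges that should be restricted to one-time passwords.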