From: "Andrey A. Chernov"
Date: Wed, 10 Jul 2002 21:32:37 +0400
To: Gregory Neil Shapiro
Cc: Dag-Erling Smorgrav, current@FreeBSD.ORG
Subject: Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))
Message-ID: <20020710173236.GA32819@nagual.pp.ru>
In-Reply-To: <15660.25284.36769.583960@horsey.gshapiro.net>
List: freebsd-current

On Wed, Jul 10, 2002 at 09:37:24 -0700, Gregory Neil Shapiro wrote:

> The problem seems to be the addition of opieaccess to the PAM
> configuration.

Not to PAM, but, more strictly, to PAMified sshd. Adding it to other PAMified programs works as expected.

> With that addition, in -CURRENT, unless a user creates /etc/opieaccess and
> adds explicit "permit" lines, plain text passwords will not be accepted if
> OPIE is in use at the site. If that file does not exist, plain text
> passwords are explicitly denied. This breaks POLA.

Yes.

> However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
> plain text passwords if the file does not exist (the normal case), then I
> believe people will be happy. Alternatively, we need to start distributing
> an /etc/opieaccess file that "permit"'s every connection by default.

No. F.e. I have a rule in /etc/opieaccess which allows local plaintext passwords and disallows them for remote access. This is the typical setup needed for most OPIE-aware programs. When pam_opie* is added to sshd PasswordAuthenticate auth (by default), I can't login from remote, but still can from local.

So, back to your proposal:

1) If /etc/opieaccess does not exist, other OPIE-aware programs will be broken (not tuned well for the local/remote difference).

2) If /etc/opieaccess has "permit" lines for all, other OPIE-aware programs will be broken (not tuned well for the local/remote difference). BTW, changing the documented OPIE way of things is not good for security reasons.

3) If /etc/opieaccess has a correct "permit" line for local and not for remote, other OPIE-aware programs are happy, but sshd is broken (can't login from remote but can from local).

So, your fix attempt does not really fix things; only removing OPIE from PasswordAuthenticate fixes them. OPIE does not work with PasswordAuthenticate in any case, as DES himself confirms and as I have said from the very beginning.

-- 
Andrey A. Chernov
http://ache.pp.ru/
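The permit-local, deny-remote policy the message describes, as an added example that is not part of the thread or of libopie: a small Python reimplementation of opieaccess-style rule evaluation over a constructed rule file, so the "file missing" behaviour the two sides argue about (deny in -CURRENT versus the proposed permit) can be compared side by side. The `permit|deny host mask` line format, first-match-wins and deny-when-nothing-matches are assumed from opieaccess(5); nothing here is FreeBSD's own code.

```python
import ipaddress

# Constructed sample of an /etc/opieaccess-style file (not from the thread):
# plaintext passwords allowed from the local host and one LAN, denied elsewhere.
SAMPLE_RULES = """\
# action   host          mask
permit     127.0.0.0     255.0.0.0
permit     192.168.1.0   255.255.255.0
deny       0.0.0.0       0.0.0.0
"""


def parse_rules(text):
    """Parse 'permit|deny host mask' lines into (permit, network) tuples.
    Comments ('#') and blank lines are skipped; malformed lines are an error
    rather than silently ignored, since a dropped 'deny' widens access."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        # Host/mask pair; strict=False tolerates host bits set in the host field.
        net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
        rules.append((parts[0] == "permit", net))
    return rules


def plaintext_allowed(rules_text, client_addr, missing_file_default=False):
    """Decide whether a plaintext password may be accepted from client_addr.

    rules_text is None when the access file does not exist.  The -CURRENT
    behaviour complained about in the thread is deny in that case
    (missing_file_default=False); the proposed accessfile.c change would
    permit (missing_file_default=True).  First matching rule wins; if no
    rule matches, deny (assumed default)."""
    if rules_text is None:
        return missing_file_default
    addr = ipaddress.IPv4Address(client_addr)
    for permit, net in parse_rules(rules_text):
        if addr in net:
            return permit
    return False
```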