From: Miguel Lopes Santos Ramos
To: Dag-Erling Smørgrav
Date: Fri, 25 Mar 2011 11:09:51 +0000
Message-ID: <1301051391.11551.12.camel@w500.local>
In-Reply-To: <1299878133.29931.14.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local> <86aah2yopr.fsf@ds4.des.no> <1299838652.24241.1.camel@w500.local> <1299878133.29931.14.camel@w500.local>
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Cc: freebsd-security@freebsd.org

Fri, 2011-03-11 at 21:15 +0000, Miguel Lopes Santos Ramos wrote:
> Here's a scratch.
>
> I added an option, called "require_trusted", which enforces the trusted
> network check even for users which do not have OPIE enabled.
> If this option is not used, behaviour is unchanged.
>
> The name "require_trusted" is catchy and compelling to use. However, if
> it was used in default configuration files, login would be impossible
> (unless there was a default opieaccess file which permitted everything,
> but that is a bit forcing OPIE stuff on people and it's not worth it).

Well, this thread got a bit lost discussing other issues. So, any comments on the usefulness of this patch?

I'm undecided myself, when I saw that I can easily lock everyone out with this (however, that's usually the case with other pam modules).

With this option:
- Non-OPIE logins are only possible from trusted networks (those in /etc/opieaccess),
- Consequently, users which do not have OPIE enabled can only log in from trusted networks,
- Consequently, if /etc/opieaccess does not exist, users which do not have OPIE enabled cannot log in (I see valid uses for this, anyway),
- Consequently, if no one has OPIE enabled, no one can log in (thus optimum security is achieved).

Overall, I think this is useful. I think I'm not the only one in this situation. One basic reason for this is that most users on my network very rarely need shell access, and even more rarely do they need it from outside. Having complex passwords becomes hard to manage, as a user who logs in once every three months will never remember his password. Account lockout is also not what I want.

-- 
Miguel Ramos PGP A006A14C
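The decision table the message describes (existing behaviour versus the proposed "require_trusted" option, including the lock-out when /etc/opieaccess is absent), written out as an added example in Python; this is not the patch itself nor FreeBSD's pam_opieaccess code. It assumes the opieaccess(5) line format "permit|deny <address> <netmask>" and treats an address that matches no rule as untrusted; the sample file content and client addresses are constructed.

```python
import ipaddress

# Constructed sample /etc/opieaccess content (assumed opieaccess(5) format:
# one "permit|deny <address> <netmask>" rule per line, '#' starts a comment).
SAMPLE_OPIEACCESS = """\
# trusted office LAN and loopback
permit 127.0.0.0 255.0.0.0
permit 192.168.10.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
"""


def parse_opieaccess(text):
    """Return a list of (permit, network) rules in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        if action not in ("permit", "deny"):
            raise ValueError("bad opieaccess action: %r" % action)
        net = ipaddress.IPv4Network("%s/%s" % (addr, mask), strict=False)
        rules.append((action == "permit", net))
    return rules


def is_trusted(rules, client_ip):
    """First matching rule wins; no match is treated as untrusted (assumption)."""
    ip = ipaddress.IPv4Address(client_ip)
    for permit, net in rules:
        if ip in net:
            return permit
    return False


def password_login_allowed(user_has_opie, require_trusted, opieaccess_text, client_ip):
    """Decide whether a plain (non-OPIE) password login may proceed.

    opieaccess_text is None when /etc/opieaccess does not exist.
    """
    # Without the option, users who never enabled OPIE are not checked at all.
    if not user_has_opie and not require_trusted:
        return True
    # OPIE users, or everyone once require_trusted is set, need a trusted network.
    # No opieaccess file means no trusted networks: fail closed, as the mail notes.
    if opieaccess_text is None:
        return False
    return is_trusted(parse_opieaccess(opieaccess_text), client_ip)
```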