Date:      Mon, 21 Jan 2002 03:04:47 +0300
From:      "Andrey A. Chernov" <ache@nagual.pp.ru>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject:   Re: Step5, pam_opie OPIE auth fix for review
Message-ID:  <20020121000446.GB27206@nagual.pp.ru>
In-Reply-To: <xzpvgdw1sqp.fsf@flood.ping.uio.no>
References:  <20020120220254.GA25886@nagual.pp.ru> <200201202314.g0KNEDt34526@grimreaper.grondar.org> <20020120233050.GA26913@nagual.pp.ru> <xzpvgdw1sqp.fsf@flood.ping.uio.no>

On Mon, Jan 21, 2002 at 00:56:46 +0100, Dag-Erling Smorgrav wrote:
> 
> What I can't understand is why OPIE is making that decision in the
> first place.  The only answer I can think of is that it was written
> before the advent of PAM, and tries to be a poor man's PAM.  That is
> not its place.

The basic OPIE/S-KEY idea behind that was that normally only a one-time
password is allowed, i.e. the user is not allowed to type plaintext passwords
at all because the connection is treated as a totally insecure one.

But for very special cases configured by the sysadmin, like working on the
same machine or a trusted subnet, OPIE/S-KEY additionally allows a plaintext
password too, depending on its own configuration.

> In any case, if I understand what you're trying to do, it can be done
> by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE
> if it failed but Unix authentication is still allowed, and
> PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed.
> In that case, if you mark pam_opie "sufficient", pam_unix will run
> only if OPIE authentication failed but allowed Unix authentication to
> proceed.

It sounds good; I'll run a test case and inform you about the results.

-- 
Andrey A. Chernov
http://ache.pp.ru/
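A toy model of the return-code scheme proposed above (PAM_SUCCESS / PAM_IGNORE / PAM_AUTH_ERR from pam_opie, with pam_opie marked "sufficient" ahead of pam_unix). This is an added example, not pam_opie or OpenPAM code: the PAM_* values, `opie_decide` and `auth_stack` are stand-ins, and the stack walker encodes the behaviour the message describes rather than the real PAM dispatcher.

```c
/* Constructed model of the pam_opie decision discussed in the thread.
 * Not pam_opie or OpenPAM source; constants and stack logic are stand-ins. */
#include <stdio.h>

enum { PAM_SUCCESS = 0, PAM_IGNORE = 1, PAM_AUTH_ERR = 2 };

/* What pam_opie returns under the proposed scheme: success if the one-time
 * password verified, PAM_IGNORE if it did not but OPIE's own configuration
 * allows a plaintext password on this connection (e.g. trusted subnet),
 * PAM_AUTH_ERR if it did not and plaintext is forbidden. */
int opie_decide(int otp_ok, int plaintext_allowed)
{
    if (otp_ok)
        return PAM_SUCCESS;
    return plaintext_allowed ? PAM_IGNORE : PAM_AUTH_ERR;
}

/* Walk a two-module auth stack: pam_opie "sufficient", then pam_unix.
 * Sets *unix_ran to 1 only when pam_unix was actually consulted.
 * Follows the message's description: a successful sufficient module ends
 * the stack, PAM_IGNORE falls through, PAM_AUTH_ERR denies without
 * consulting pam_unix. (Hypothetical walker, not OpenPAM's dispatcher.) */
int auth_stack(int otp_ok, int plaintext_allowed, int unix_ok, int *unix_ran)
{
    int r = opie_decide(otp_ok, plaintext_allowed);
    *unix_ran = 0;
    if (r == PAM_SUCCESS)       /* OTP accepted: done, pam_unix never runs */
        return PAM_SUCCESS;
    if (r == PAM_AUTH_ERR)      /* insecure link, OTP wrong: deny outright */
        return PAM_AUTH_ERR;
    *unix_ran = 1;              /* PAM_IGNORE: let pam_unix decide */
    return unix_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int main(void)
{
    static const char *name[] = { "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR" };
    int ran, r;
    /* Constructed scenarios: wrong OTP, correct Unix password, two link types */
    r = auth_stack(0, 0, 1, &ran);
    printf("untrusted link, OTP wrong: %s (pam_unix ran=%d)\n", name[r], ran);
    r = auth_stack(0, 1, 1, &ran);
    printf("trusted link, OTP wrong:   %s (pam_unix ran=%d)\n", name[r], ran);
    return 0;
}
```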
