> Bug: > > pam_opie module _always_ allows Unix (plaintext) password, even in the > cases which are disabled by OPIE auth procedure.
I agree that this is a bug. > Description: > > How non-PAM standalone OPIE works: > > 1) If OPIE user exists, its remote host checked against /etc/opieaccess > via opieaccessfile() > > 2) If remote host is found there, user home dir checked for ~/.opiealways > file via opiealways() > > 3) If no such file, it is assumed than OPIE user is allowed to > authenticate with plaintext (Unix) password additionly to OPIE exchange. The PAM OPIE may only do OPIE authentication. It is entirely up to the PAM stack to decide what the login policy is. (Well, the PAM stack as specified by the pam configs in /etc/pam*) > In all other cases OPIE user is not allowed to authenticate with plaintext > (Unix) password. > How PAM OPIE works: > > OPIE user can _always_ authenticate with plaintext (Unix) password which > is is security lowering and violates OPIE way of things. Oops. Yes. That is not good. > Fix: > > It can't be fixed in current 2-state pam_opie return codes model, we need > 3 codes: > > 1) For OPIE exchange success > 2) For OPIE exchange failure, but Unix (plaintext) passwords allowed > 3) For OPIE exchange failure, but Unix (plaintext) passwords disabled Nope. I disagree. 1) Success. 2) Failure. 3) Failure. > 1) and 2) works exact as in old 2-state model, so 1) is PAM_SUCCESS and 2) > is PAM_AUTH_ERR. 2) and 3) are _both_ PAM_AUTH_ERR. However - the module may pass on the authentication token (the password) and any following modules are allowed to use this if they find it. (look at the try_first_pass and use_fist_pass options). > I choose PAM_CRED_INSUFFICIENT for case 3) which means that pam_opie > module deside that all additionally possible auth will be insufficient and > returns immediately from modules chain with this code. No. This is messing with the PAM stack in a weird way. I disagree with this method. > --- pam_opie.c.old Sun Jan 20 23:56:47 2002 > +++ pam_opie.c Mon Jan 21 00:24:51 2002 > @@ -66,13 +66,14 @@ > struct opie opie; > struct options options; > struct passwd *pwd; > - int retval, i; > + int retval, i, pwok; > char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "}; > char challenge[OPIE_CHALLENGE_MAX]; > char prompt[OPIE_CHALLENGE_MAX+22]; > char resp[OPIE_SECRET_MAX]; > const char *user; > const char *response; > + const char *rhost; > > pam_std_option(&options, other_options, argc, argv); > > @@ -97,6 +98,8 @@ > retval = pam_get_user(pamh, (const char **)&user, NULL); > if (retval != PAM_SUCCESS) > PAM_RETURN(retval); > + if ((pwd = getpwnam(user)) == NULL) > + PAM_RETURN(PAM_AUTH_ERR); > } > > PAM_LOG("Got user: %s", user); > @@ -107,7 +110,14 @@ > */ > opiedisableaeh(); > > - opiechallenge(&opie, (char *)user, challenge); > + if (opiechallenge(&opie, (char *)user, challenge) == 0) { > + rhost = NULL; > + (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); > + pwok = (rhost != NULL) && (*rhost != '\0') && > + opieaccessfile((char *)rhost) && > + opiealways(pwd->pw_dir); > + } else > + pwok = 1; > for (i = 0; i < 2; i++) { > snprintf(prompt, sizeof prompt, promptstr[i], challenge); > retval = pam_get_pass(pamh, &response, prompt, &options); > @@ -134,7 +144,10 @@ > * it expects. Thus we can't log an error and can only check for > * success or lack thereof. > */ > - retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; > + if (opieverify(&opie, resp) != 0) > + retval = pwok ? PAM_AUTH_ERR : PAM_CRED_INSUFFICIENT; > + else > + retval = PAM_SUCCESS; > PAM_RETURN(retval); > } > > --- ftpd.c.bak Sat Jan 19 21:29:50 2002 > +++ ftpd.c Mon Jan 21 00:30:03 2002 > @@ -1190,6 +1190,7 @@ > break; > > case PAM_AUTH_ERR: > + case PAM_CRED_INSUFFICIENT: > case PAM_USER_UNKNOWN: > case PAM_MAXTRIES: > rval = 1; > --- login.c.bak Sat Jan 19 21:05:16 2002 > +++ login.c Mon Jan 21 00:31:45 2002 > @@ -802,6 +802,7 @@ > break; > > case PAM_AUTH_ERR: > + case PAM_CRED_INSUFFICIENT: > case PAM_USER_UNKNOWN: > case PAM_MAXTRIES: > rval = 1; > --- su.bak Sat Jan 19 21:29:49 2002 > +++ su Mon Jan 21 00:39:04 2002 > @@ -9,7 +9,7 @@ > auth requisite pam_wheel.so no_warn auth_as_self noroot_ok > #auth sufficient pam_kerberosIV.so no_warn > #auth sufficient pam_krb5.so no_warn try_first_pass >auth_as_self > -#auth required pam_opie.so no_warn > +#auth [defalt=ignore success=done cred_insufficient=die] pam_opie.so no_warn > #auth required pam_ssh.so no_warn try_first_pass > auth required pam_unix.so no_warn try_first_pass nullok > #auth sufficient pam_rootok.so no_warn > --- login.bak Sat Jan 19 21:29:49 2002 > +++ login Mon Jan 21 00:39:04 2002 > @@ -6,7 +6,7 @@ > > # auth > auth required pam_nologin.so no_warn > -#auth sufficient pam_opie.so no_warn > +#auth [defalt=ignore success=done cred_insufficient=die] pam_opie.so no_warn > #auth sufficient pam_kerberosIV.so no_warn try_first_pass > #auth sufficient pam_krb5.so no_warn try_first_pass > #auth required pam_ssh.so no_warn try_first_pass > --- ftpd.bak Sat Jan 19 21:29:49 2002 > +++ ftpd Mon Jan 21 00:39:04 2002 > @@ -9,10 +9,8 @@ > #auth sufficient pam_kerberosIV.so no_warn > #auth sufficient pam_krb5.so no_warn > #auth sufficient pam_ssh.so no_warn try_first_pass > -# Uncomment either pam_opie or pam_unix, but not both of them. > -# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback > -auth required pam_opie.so no_warn > -#auth required pam_unix.so no_warn try_first_pass > +#auth [defalt=ignore success=done cred_insufficient=die] pam_opie.so no_warn > +auth required pam_unix.so no_warn try_first_pass > > # account > #account required pam_kerberosIV.so > > -- > Andrey A. Chernov > http://ache.pp.ru/ > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-current" in the body of the message -- o Mark Murray \_ FreeBSD Services Limited O.\_ Warning: this .sig is umop ap!sdn To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message