Forgive the top-post -- I have independently verified this, suggest you open a PR. This is definitely a bug in opiepasswd. It is also present in RELENG_4_8.
Regards, Michael
Sergey Sysoev wrote:
Hi. I have a question related to freebsd opie implementation. I am running 4.9-RELEASE and I've tried to setup opie.
*** 1 *** opiepasswd/opiekey
I've added user using `opiepasswd -c "ssa"`
mx2# opiepasswd -c "ssa" Adding ssa: Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter new secret pass phrase: Again new secret pass phrase:
ID ssa OTP key is 499 mx1759 WADE IFFY LAWN MEAD DANG BUB mx2#
And now I want to change it
mx2# opiepasswd "ssa" Updating ssa: You need the response from an OTP generator. New secret pass phrase: otp-md5 499 mx17 Response:
You see that seed equal 'mx17', using opiekey:
mx2# opiekey 499 mx17 Using the MD5 algorithm to compute response. Seeds must be greater than 5 characters long. mx2#
So it is not possible to update password in /etc/opiekey file, you have to edit it manually and that add password again via 'opiepasswd'.
*** 2*** opiekey
opiekey could not generate response for zero sequence number when it specified directly:
mx2# opiekey -a 0 vo6199 Using the MD5 algorithm to compute response. Sequence number 0 is not positive.
but it works fine in case of:
mx2# opiekey -n5 1 vo6199 Using the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: 0: OAK SEW CULT FALL AX WAND 1: BOUT AID SOOT BUT SIT BILK mx2#
*** 3 *** pam_opie.so, the most interesting thing
After successful login with 0 sequence number, trying to do it again (sequence number has been decreased, right?)
mx2# ssh [EMAIL PROTECTED] otp-md5 -1 (null) ext Password:
Is it impossible to calculate response to '-1' so trying to use any password to skip pam_opie and login with next pam module. But here login hangs and there is _no_way_ to login remotely because pam_opie.so is the top line of pam.conf
After about 1-2 minutes timeout it just says "Connection closed by 192.168.90.250"
*** 4 *** now just a question
(In case of fix) After 0 or 1 seq. number it should recount from the beginning, for example from 499, but I think that seed should be automatically changed in that case for next 500 iterations otherwise that is not one-time-passwords
So... I think that is not good ... or am I mistaken?
--
"Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred." - The Mahabharata
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"