Greetings,

pam_opieaccess.so is documented to allow cleartext passwords (by returning PAM_SUCCESS) when OPIE is disabled for the user.

However, on both -current and 4-stable, pam_opieaccess.so checks whether OPIE is enabled only by checking for the existence of the user's record in /etc/opiekeys. Since a valid /etc/opiekeys record can also indicate that OPIE access is disabled (i.e. one runs opiepasswd -d to set the value field to `****************'), I guess the module should check this as well.

Currently this check is not performed, so when one has the pam_opie.so plus pam_opieaccess.so combination, users with an explicitly disabled OPIE record and a cleartext password won't be able to log in even when /etc/opieaccess allows cleartext password logins.

Is the current behavior an intended feature, or should it be fixed (the patch would be trivial)?

Eugene

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
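
Added example, not part of the original message and not FreeBSD's pam_opieaccess code: the existence-only check described above next to a check that also recognises the disabled marker. The record layout (user, sequence, seed, value, date), the sample records and all function names are assumptions made for illustration; it parses text in memory instead of calling libopie.

```c
#include <stdio.h>
#include <string.h>

/* Value field left by `opiepasswd -d`, as quoted in the post. */
#define OPIE_DISABLED_VALUE "****************"

enum opie_state { OPIE_NO_RECORD, OPIE_RECORD_DISABLED, OPIE_RECORD_ACTIVE };

/* Constructed sample data; the "user sequence seed value date" layout is assumed. */
static const char SAMPLE_KEYS[] =
    "alice 0499 ab1234 0123456789abcdef  Jan 01,2024 00:00:00\n"
    "bob 0499 cd5678 ****************  Jan 01,2024 00:00:00\n";

/* Classify a user's record in opiekeys-style text held in memory. */
static enum opie_state
opie_record_state(const char *keys, const char *user)
{
	char buf[256], name[64], seed[32], value[32];
	int seq;

	while (*keys != '\0') {
		size_t len = strcspn(keys, "\n");

		/* Parse one line at a time so a short line cannot borrow fields. */
		if (len < sizeof(buf)) {
			memcpy(buf, keys, len);
			buf[len] = '\0';
			if (sscanf(buf, "%63s %d %31s %31s", name, &seq, seed, value) == 4 &&
			    strcmp(name, user) == 0)
				return (strcmp(value, OPIE_DISABLED_VALUE) == 0 ?
				    OPIE_RECORD_DISABLED : OPIE_RECORD_ACTIVE);
		}
		keys += len;
		if (*keys == '\n')
			keys++;
	}
	return (OPIE_NO_RECORD);
}

/* Check as described in the post: any record means OPIE is enabled. */
static int
opie_enabled_existence_only(const char *keys, const char *user)
{
	return (opie_record_state(keys, user) != OPIE_NO_RECORD);
}

/* Check the post suggests: a disabled record counts as OPIE being off. */
static int
opie_enabled_with_disable_check(const char *keys, const char *user)
{
	return (opie_record_state(keys, user) == OPIE_RECORD_ACTIVE);
}
```

The two checks differ only for the constructed user bob, whose record exists but carries the disabled marker.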