Opieaccess file, is this normal?

Didier Wiroth didier.wiroth at mcesr.etat.lu
Thu Jun 24 00:05:50 PDT 2004 

Hi,

Here is the content of /etc/pamd/ssh, it's actually the default, I didn't
change it.

auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn
no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn
try_first_pass
account         required        pam_unix.so
session         required        pam_permit.so
password        required        pam_unix.so             no_warn
try_first_pass

Î just want to point out the I want to keep "unix password authentication"
for the users whose host or network are in opieaccess. "Unix password
authenication" should be disabled for all users present in opiekeys and
whose hosts or network is not present in opieaccess.

-----Original Message-----
From: owner-freebsd-security at freebsd.org
[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security at freebsd.org
Subject: Re: Opieaccess file, is this normal?

:: >From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network. 
:: 
:: As my opieaccess file is empty and the default rule (as mentionned in the
:: man file) is deny, I should not be able to get an ssh shell with my
standard
:: unix password.

OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:

     ChallengeResponseAuthentication
             Specifies whether challenge-response authentication is allowed.
             Specifically, in FreeBSD, this controls the use of PAM (see
             pam(3)) for authentication.  Note that this affects the effec-
             tiveness of the PasswordAuthentication and PermitRootLogin
vari-
             ables.  The default is ``yes''.

Does your /etc/pam.conf disble password authentication?

Cheers - Erick
_______________________________________________
freebsd-security at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

More information about the freebsd-security mailing list