Opieaccess file, is this normal?
Didier Wiroth
didier.wiroth at mcesr.etat.lu
Thu Jun 24 00:05:50 PDT 2004
Hi,
Here is the content of /etc/pamd/ssh, it's actually the default, I didn't
change it.
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
account required pam_unix.so
session required pam_permit.so
password required pam_unix.so no_warn try_first_pass
I just want to point out that I want to keep "unix password authentication"
for the users whose host or network is in opieaccess. "Unix password
authentication" should be disabled for all users present in opiekeys and
whose host or network is not present in opieaccess.
-----Original Message-----
From: owner-freebsd-security at freebsd.org
[mailto:owner-freebsd-security at freebsd.org] On Behalf Of Erick Mechler
Sent: Tuesday, June 22, 2004 18:34
To: Didier Wiroth
Cc: freebsd-security at freebsd.org
Subject: Re: Opieaccess file, is this normal?
:: From what I've read so far, if the user is present in opiekeys, the
:: opieaccess file determines if the user (coming from a specific host or
:: network) is allowed to use his unix password from this specific network.
::
:: As my opieaccess file is empty and the default rule (as mentioned in the
:: man file) is deny, I should not be able to get an ssh shell with my standard
:: unix password.
OpenSSH on FreeBSD is PAM-enabled if ChallengeResponseAuthentication is set
to yes:
ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed.
Specifically, in FreeBSD, this controls the use of PAM (see
pam(3)) for authentication. Note that this affects the
effectiveness of the PasswordAuthentication and PermitRootLogin
variables. The default is ``yes''.
Does your /etc/pam.conf disable password authentication?
Cheers - Erick
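Added example (not part of the original messages, and not FreeBSD or OpenSSH code): a small Python model of the auth chain posted above, showing what the PAM stack by itself decides for a user in opiekeys depending on opieaccess. Assumptions: simplified required/requisite/sufficient semantics, module outcomes as described in the pam_opieaccess and opieaccess man pages ("permit|deny address mask", first match wins, default deny), allow_local and sshd's own settings are not modelled, and all addresses are constructed samples.

```python
import ipaddress

# Auth chain from the message above: (control flag, module).
AUTH_STACK = [
    ("required", "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite", "pam_opieaccess"),
    ("required", "pam_unix"),
]

def host_permitted(opieaccess_text, host):
    """First matching 'permit|deny address mask' line wins; no match means deny."""
    addr = ipaddress.ip_address(host)
    for line in opieaccess_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        action, network, mask = fields
        if addr in ipaddress.ip_network(f"{network}/{mask}", strict=False):
            return action == "permit"
    return False

def module_result(module, ctx):
    """Simplified module outcomes (assumptions, not the real modules)."""
    if module == "pam_nologin":
        return True  # assume /var/run/nologin is absent
    if module == "pam_opie":
        return ctx["in_opiekeys"] and ctx["opie_response_ok"]
    if module == "pam_opieaccess":
        # Passes for non-OPIE users, or OPIE users coming from a permitted host.
        return (not ctx["in_opiekeys"]) or host_permitted(ctx["opieaccess"], ctx["host"])
    if module == "pam_unix":
        return ctx["unix_password_ok"]
    raise ValueError(module)

def authenticate(ctx, stack=AUTH_STACK):
    """Walk the chain: sufficient short-circuits success, requisite short-circuits failure."""
    failed = False
    for control, module in stack:
        ok = module_result(module, ctx)
        if ok and control == "sufficient" and not failed:
            return True
        if not ok and control == "requisite":
            return False
        if not ok and control == "required":
            failed = True
    return not failed
```

With an empty opieaccess, this model rejects a correct unix password for an opiekeys user at the requisite pam_opieaccess line, before pam_unix is ever consulted.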