bin/58893: OPIE implementation bug
Sergey Sysoev
ssa at avtf.org
Mon Nov 3 11:00:33 PST 2003
>Number: 58893
>Category: bin
>Synopsis: OPIE implementation bug
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 03 11:00:30 PST 2003
>Closed-Date:
>Last-Modified:
>Originator: Sergey Sysoev
>Release: FreeBSD 4.9-RELEASE i386
>Organization:
>Environment:
System: FreeBSD srv.faeton1.ru 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Thu Oct 30 19:18:45 OMST 2003 ssa@srv.faeton1.ru:/usr/src/sys/compile/SRV i386
>Description:
1. opiepasswd produces incorrect seed output during password change
2. opiekey produces an incorrect response for a 0 (zero) sequence number
3. pam_opie.so can allow login attempts with a negative sequence number
>How-To-Repeat:
*** 1 *** opiepasswd/opiekey
I've added a user using `opiepasswd -c "ssa"`:
mx2# opiepasswd -c "ssa"
Adding ssa:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase:
Again new secret pass phrase:
ID ssa OTP key is 499 mx1759
WADE IFFY LAWN MEAD DANG BUB
mx2#
And now I want to change it:
mx2# opiepasswd "ssa"
Updating ssa:
You need the response from an OTP generator.
New secret pass phrase:
otp-md5 499 mx17
Response:
You see that the seed equals 'mx17'; using opiekey:
mx2# opiekey 499 mx17
Using the MD5 algorithm to compute response.
Seeds must be greater than 5 characters long.
mx2#
So it is not possible to update the password in the /etc/opiekey file; you
have to edit it manually and then add the password again via 'opiepasswd'.
*** 2 *** opiekey
opiekey cannot generate a response for a zero sequence number when it is
specified directly:
mx2# opiekey -a 0 vo6199
Using the MD5 algorithm to compute response.
Sequence number 0 is not positive.
but it works fine in the case of:
mx2# opiekey -n5 1 vo6199
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
0: OAK SEW CULT FALL AX WAND
1: BOUT AID SOOT BUT SIT BILK
mx2#
*** 3 *** pam_opie.so
After a successful login with a 0 (zero) sequence number, trying to do it again
(the sequence number has been decremented, right?):
mx2# ssh ssa@192.168.90.250
otp-md5 -1 (null) ext
Password:
It is impossible to calculate a response to '-1', so I tried using any
password to skip pam_opie and log in with the next PAM module. But here the
login hangs and there is _no_way_ to log in remotely because
pam_opie.so is the top line of pam.conf.
After about 1-2 minutes it times out with "Connection closed by 192.168.90.250".
>Fix:
correct opiepasswd/opiekey checking rules and output
pam_opie.so: check the sequence number before processing the login; when the sequence number equals zero,
reinitialize it together with a different seed reinitialization for the same passphrase?
>Release-Note:
>Audit-Trail:
>Unformatted:
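A worked example added here (it is not part of the PR and not FreeBSD's OPIE source): a minimal RFC 2289 otp-md5 calculator and a toy verifier modelled on an /etc/opiekeys entry, covering the three points of the report together: why a truncated seed such as 'mx17' is rejected, that sequence number 0 is a valid (and the last) response, and why a challenge of -1 has no computable answer, so the record has to be reinitialized with a fresh seed rather than issued. The seed length bounds, the seed format (host prefix plus digits, as in 'mx1759' and 'vo6199'), the record layout and the class and function names are assumptions; the six-word encoding is omitted and responses are shown in hex.

```python
import hashlib
import re
import secrets

# Assumption: OPIE's own bounds are not shown on the page; these are modelled
# loosely on the opiekey message "Seeds must be greater than 5 characters long".
SEED_MIN, SEED_MAX = 5, 16


def check_seed(seed: str) -> str:
    """Reject seeds the generator would refuse (e.g. the truncated 'mx17')."""
    if not re.fullmatch(r"[A-Za-z0-9]+", seed):
        raise ValueError("seed must be alphanumeric")
    if not SEED_MIN <= len(seed) <= SEED_MAX:
        raise ValueError(f"seed {seed!r} must be {SEED_MIN}-{SEED_MAX} characters long")
    return seed


def _fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two 64-bit halves of the digest."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_md5(passphrase: str, seed: str, n: int) -> bytes:
    """64-bit otp-md5 response for sequence number n (n == 0 is the initial key)."""
    if n < 0:
        raise ValueError(f"sequence number {n} is negative: no response exists")
    key = _fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        key = _fold_md5(key)
    return key


def hex_response(key: bytes) -> str:
    """Hex output form: four groups of four hex digits."""
    h = key.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def new_seed(prefix: str = "mx") -> str:
    """Fresh seed in the host-prefix-plus-digits style seen in the report (assumed format)."""
    return check_seed(f"{prefix}{secrets.randbelow(10000):04d}")


class OpieRecord:
    """Toy stand-in for one /etc/opiekeys entry (not OPIE's real code).

    `seq` is the sequence number of the stored response (what opiepasswd wrote);
    the next challenge asks for seq-1, and hashing that answer once must
    reproduce `stored`.
    """

    def __init__(self, user: str, passphrase: str, seed: str, seq: int = 499):
        self.user, self.seed, self.seq = user, check_seed(seed), seq
        self.stored = otp_md5(passphrase, seed, seq)

    def challenge(self):
        """'otp-md5 N seed' for the next login, or None once the key is used up."""
        if self.seq - 1 < 0:
            return None  # would be 'otp-md5 -1 ...': no client can answer it
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept a response only if it hashes to the stored value, then advance."""
        if self.challenge() is None or _fold_md5(response) != self.stored:
            return False  # exhausted key or wrong answer: fail closed, never hang
        self.seq -= 1
        self.stored = response
        return True

    def reinit(self, passphrase: str, seed: str, seq: int = 499) -> None:
        """What the report asks for at seq 0: a different seed, counter back to the top."""
        if seed.lower() == self.seed.lower():
            raise ValueError("reinitialization must use a different seed")
        self.seed, self.seq = check_seed(seed), seq
        self.stored = otp_md5(passphrase, seed, seq)


def walk_to_exhaustion(passphrase: str, seed: str, start: int) -> list:
    """Answer challenges until the next one would be negative; return the numbers used."""
    rec = OpieRecord("ssa", passphrase, seed, start)
    used = []
    while True:
        chal = rec.challenge()
        if chal is None:
            break
        n = int(chal.split()[1])
        if not rec.verify(otp_md5(passphrase, seed, n)):
            raise RuntimeError("correct response rejected")
        used.append(n)
    return used


if __name__ == "__main__":
    # Constructed sample values; the passphrase is not a real secret.
    print(walk_to_exhaustion("correct horse battery", "mx1759", 3))  # [2, 1, 0]
    print(hex_response(otp_md5("correct horse battery", "vo6199", 0)))
```

The chain property the verifier relies on is that the response for sequence number N-1 hashes (one MD5-and-fold step) to the stored response for N, so the server never needs the pass phrase; once the stored sequence number reaches 0 there is no N-1 to ask for, and the only safe move is to refuse the login and require reinitialization with a new seed. RFC 2289 Appendix C lists MD5 test vectors that `otp_md5` can be checked against.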