misc/94978: pam_opie module option without "no_fake_prompts" is not useful

Juan Francisco Rodriguez Hervella juan.fco.rodriguez at gmail.com
Sun Mar 26 22:20:12 UTC 2006


>Number:         94978
>Category:       misc
>Synopsis:       pam_opie module option without "no_fake_prompts" is not useful
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 26 22:20:11 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Juan Francisco Rodriguez Hervella
>Release:        FreeBSD-6.0-RELEASE #0
>Organization:
Alma Technologies
>Environment:
FreeBSD-6.0
>Description:
It's very easy to know if the account is not using opie passwords even if the
option "no_fake_prompts" is removed from the pam_opie configuration,
because the challenge varies randomly
every time you try to log in, even when you fail.

My concern is that "no_fake_prompts" is made an option, meaning it is
not the default behaviour....the default behaviour should be the
more secure one....but even without "no_fake_prompts" the attacker
can find out that the user account is not using opie in a very easy
way.

So in my humble opinion it is not enough to generate random opie challenges for accounts
with opie disabled. The opie system should be able to issue the same challenge
even for users with opie not enabled.

Do you understand my concern? Am I right?
Is this difficult to implement?
My answer to all these questions is.... I don't know :)

>How-To-Repeat:
Enable opie passwords with the "opiepasswd" command on a specific account.
Then remove the option "no_fake_prompts" from /etc/pam.d/system.
Finally try to log into an account without opie, without success a couple of times,
and you will find out that the challenge varies very randomly...which suggests opie
is not actually being used, because with opie enabled, if you fail to log in, the
same challenge will be sent to you over and over....and if you succeed,
the challenge will be decremented by one....
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
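The behaviour the report describes, and the fix it asks for, can be modelled outside PAM. The following is an added illustration, not pam_opie or FreeBSD code: it keeps a constructed stand-in for /etc/opiekeys, issues real challenges for enrolled users (unchanged until a successful login, then the sequence number drops by one), and compares the randomly generated fake prompt the report complains about with a fake prompt derived deterministically from the username via an HMAC under a per-host secret. The HMAC derivation, the key name FAKE_CHALLENGE_KEY and the sample user records are assumptions made for the example; with the deterministic variant, repeated failed attempts against a non-opie account see one and the same challenge, exactly as an opie-enabled account would behave.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for /etc/opiekeys records: user -> (sequence, seed).
# Sample data only, not taken from any real system.
OPIE_KEYS = {
    "alice": (498, "al3412"),
}

# Assumed per-host secret used only to derive stable fake challenges.
# In a real deployment it would be generated at install time and kept
# unreadable to ordinary users (illustration, not pam_opie's design).
FAKE_CHALLENGE_KEY = b"constructed-per-host-secret"


def real_challenge(user):
    """Challenge for an opie-enabled user: identical until a successful login."""
    seq, seed = OPIE_KEYS[user]
    return f"otp-md5 {seq} {seed} ext"


def random_fake_challenge(rng=secrets):
    """Fake prompt as the report observes it: differs on every attempt."""
    seq = 100 + rng.randbelow(400)
    seed = "".join(rng.choice(string.ascii_lowercase) for _ in range(2))
    seed += "".join(rng.choice(string.digits) for _ in range(4))
    return f"otp-md5 {seq} {seed} ext"


def stable_fake_challenge(user, key=FAKE_CHALLENGE_KEY):
    """Fake prompt derived from HMAC(key, user): same on every attempt for
    the same user, so failed logins look like those of an opie account."""
    digest = hmac.new(key, user.encode(), hashlib.sha256).digest()
    seq = 100 + int.from_bytes(digest[:2], "big") % 400
    letters = "".join(string.ascii_lowercase[b % 26] for b in digest[2:4])
    digits = "".join(string.digits[b % 10] for b in digest[4:8])
    return f"otp-md5 {seq} {letters}{digits} ext"


def challenge_for(user, stable=True):
    """Challenge issued to a login attempt for `user`.

    Enrolled users get their real challenge; everyone else gets a fake one,
    either the unstable random kind (stable=False) or the HMAC-derived kind."""
    if user in OPIE_KEYS:
        return real_challenge(user)
    return stable_fake_challenge(user) if stable else random_fake_challenge()


def record_success(user):
    """After a successful opie login the sequence number decrements by one."""
    seq, seed = OPIE_KEYS[user]
    OPIE_KEYS[user] = (seq - 1, seed)


def challenges_are_stable(user, attempts=3, stable=True):
    """True if several failed attempts all see one and the same challenge,
    which is the property the report wants for non-opie accounts too."""
    seen = {challenge_for(user, stable) for _ in range(attempts)}
    return len(seen) == 1


if __name__ == "__main__":
    for stable in (False, True):
        mode = "stable" if stable else "random"
        print(f"{mode} fake prompts: opie account repeats challenge="
              f"{challenges_are_stable('alice', stable=stable)}, "
              f"non-opie account repeats challenge="
              f"{challenges_are_stable('bob', stable=stable)}")
```

Run as a script, the random mode shows the distinguisher from the report (the enrolled account repeats its challenge on failure, the fake one does not), while the deterministic mode makes both repeat.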