It's not possible to allow non-OPIE logins only from trusted networks

J. Hellenthal jhell at DataIX.net
Thu Mar 10 07:23:51 UTC 2011


On Wed, 9 Mar 2011 09:51, mbox@ wrote:
>
> I think the way pam_opieaccess behaves is like "leave a security breach
> by default". I think it would be more usefull if it returned PAM_SUCCESS
> when:
>
> 1. The user does not have OPIE enabled and the remote host is listed as
> a trusted host in /etc/opieaccess.
> 2. The user has OPIE enabled and the remote host is listed as a trusted
> host in /etc/opieaccess, and the user does not have a file
> named .opiealways in his home directory.
>
> Or at least this should be an option for pam_opieaccess.
>

Does changing the following in /etc/pam.d/sshd help?
# auth (edited for length)
-auth  sufficient  pam_opie.so  no_warn no_fake_prompts
+auth  binding  pam_opie.so  no_warn no_fake_prompts
auth  requisite   pam_opieaccess.so no_warn allow_local
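Review bot: the control-flag change on the "+auth binding pam_opie.so" line makes a pam_opie failure fatal for the whole auth chain. In OpenPAM, "binding" short-circuits the chain only on success; on failure the remaining modules still run but the request is denied, whereas "sufficient" lets a failure fall through to the next module. Since pam_opie with no_fake_prompts fails for a user who has no OPIE key, this change would lock out users who are not enrolled in OPIE rather than letting them fall through to password authentication, so it covers the original point 2 (OPIE users must use OPIE) but not point 1 (non-OPIE users from a trusted host in /etc/opieaccess). Worth confirming the control-flag semantics in pam.conf(5) and testing with a non-enrolled account before deploying.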

There might be some other combinations that would change this behavior for 
you, but you will have to consult pam.conf(5), as this is a pretty big 
beast to sum up here.

Tweaking PAM in some situations could lead you to undesired results. 
Putting something in place, like a script that runs out of /etc/profile or 
/etc/shrc or whatever, that greps the contents of /etc/opiekeys and prompts 
the user to run the correct commands or runs them the first time, might 
just be a better long-term solution to enforcing that they use OPIE.

/etc/profile
# If the user has no entry in /etc/opiekeys yet, run opiepasswd to enrol them.
# -q keeps the matching opiekeys line (seed and hash) from being echoed at every login.
grep -q "^${LOGNAME} " /etc/opiekeys || /usr/bin/opiepasswd -c
...


Anyway I'm sure some other shell-masters@ will chime in at some point and 
possibly share what they have done in the past/present/future and offer up 
some real good insight on this.

VPN access to the box(es) could be another solution where everyone is local 
and you don't need OPIE at all. \o/

-- 

  Regards,

  J. Hellenthal
  (0x89D8547E)
  JJH48-ARIN
