It's not possible to allow non-OPIE logins only from trusted networks
Miguel Lopes Santos Ramos
mbox at miguel.ramos.name
Fri Mar 11 21:16:01 UTC 2011
Here's a scratch.
I added an option, called "require_trusted", which enforces the trusted
network check even for users which do not have OPIE enabled.
If this option is not used, behaviour is unchanged.
The name "require_trusted" is catchy and compelling to use. However, if
it was used in default configuration files, login would be impossible
(unless there was a default opieaccess file which permitted everything,
but that is a bit forcing OPIE stuff on people and it's not worth it).
Here are three of the scratches I made:
- I first tried to change as few lines as reasonable, that's
pam_opieaccess_mindiff.c, but that made the code look less regular:
instead of two ifs leading to return PAM_SUCCESS, now there was a third
returning failure, so,
- as an attempt to avoid that, I used a nested if,
pam_opieaccess_nestedif.c,
- then I tried to factor things out, and the best way seemed to be
negating everything.
I still scratched a bit more, but it started looking like much ado about
nothing.
Fri, 2011-03-11 at 10:17 +0000, Miguel Lopes Santos Ramos wrote:
> Fri, 2011-03-11 at 10:46 +0100, Dag-Erling Smørgrav wrote:
> > Miguel Lopes Santos Ramos <mbox at miguel.ramos.name> writes:
> > > 1. The user does not have OPIE enabled and the remote host is listed as
> > > a trusted host in /etc/opieaccess.
> > > 2. The user has OPIE enabled and the remote host is listed as a trusted
> > > host in /etc/opieaccess, and the user does not have a file
> > > named .opiealways in his home directory.
> > >
> > > Or at least this should be an option for pam_opieaccess.
> >
> > Seems like a good idea, at first blush (provided it's optional). Do you
> > have a patch?
> >
> > DES
>
> I will make a scratch. I'll submit it to the list on the weekend.
>
--
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_opieaccess.8.diff
Type: text/x-patch
Size: 653 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110311/58d047e4/pam_opieaccess.8.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_opieaccess_favorite.diff
Type: text/x-patch
Size: 1853 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110311/58d047e4/pam_opieaccess_favorite.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_opieaccess_mindiff.diff
Type: text/x-patch
Size: 909 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110311/58d047e4/pam_opieaccess_mindiff.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_opieaccess_nestedif.diff
Type: text/x-patch
Size: 1088 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20110311/58d047e4/pam_opieaccess_nestedif.bin
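The attached diffs are not on this page, so the following is an added model of the decision described in the thread (not FreeBSD's pam_opieaccess code and not any of the attached scratches): the same policy written once as the "two ifs plus a failure return" shape and once with everything negated, with an exhaustive check over all sixteen input combinations that the two shapes agree. The field names, the return-code values and the `decide()` helper are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the PAM return codes. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7 };

struct ctx {
    bool opie_enabled;    /* user has OPIE enabled */
    bool host_trusted;    /* remote host is listed in /etc/opieaccess */
    bool opiealways;      /* ~/.opiealways exists */
    bool require_trusted; /* the proposed module option */
};

/* Shape 1: two ifs returning PAM_SUCCESS, then a failure return.
 * Without require_trusted, a non-OPIE user is accepted unconditionally
 * (unchanged behaviour); otherwise the trusted-network check applies,
 * and .opiealways still blocks OPIE users even from trusted hosts. */
static int policy_ifs(const struct ctx *c)
{
    if (!c->opie_enabled && !c->require_trusted)
        return PAM_SUCCESS;
    if (c->host_trusted && !(c->opie_enabled && c->opiealways))
        return PAM_SUCCESS;
    return PAM_AUTH_ERR;
}

/* Shape 2: the same policy with the conditions negated and factored. */
static int policy_negated(const struct ctx *c)
{
    bool must_check = c->opie_enabled || c->require_trusted;
    bool blocked = !c->host_trusted || (c->opie_enabled && c->opiealways);
    return (must_check && blocked) ? PAM_AUTH_ERR : PAM_SUCCESS;
}

/* Constructed helper: evaluate the policy for one input combination. */
int decide(bool opie, bool trusted, bool always, bool require_trusted)
{
    struct ctx c = { opie, trusted, always, require_trusted };
    return policy_ifs(&c);
}

/* Exhaustively compare both shapes; 0 means the refactoring is faithful. */
int count_disagreements(void)
{
    int n = 0;
    for (int bits = 0; bits < 16; bits++) {
        struct ctx c = { (bits & 1) != 0, (bits & 2) != 0,
                         (bits & 4) != 0, (bits & 8) != 0 };
        if (policy_ifs(&c) != policy_negated(&c))
            n++;
    }
    return n;
}
```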