It's not possible to allow non-OPIE logins only from trusted networks

Miguel Lopes Santos Ramos mbox at miguel.ramos.name
Fri Mar 25 11:10:02 UTC 2011


Sex, 2011-03-11 às 21:15 +0000, Miguel Lopes Santos Ramos escreveu:
> Here's a scratch.
> 
> I added an option, called "require_trusted", which enforces the trusted
> network check even for users who do not have OPIE enabled.
> If this option is not used, behaviour is unchanged.
> 
> The name "require_trusted" is catchy and compelling to use. However, if
> it was used in default configuration files, login would be impossible
> (unless there was a default opieaccess file which permitted everything,
> but that is a bit forcing OPIE stuff on people and it's not worth it). 


Well, this thread got a bit lost discussing other issues:
So, any comments on the usefulness of this patch?

I'm undecided myself, when I saw that I can easily lock everyone out
with this (however, that's usually the case with other pam modules).

With this option:
- Non-OPIE logins are only possible from trusted networks (those
in /etc/opieaccess),
- Consequently, users who do not have OPIE enabled can only log in
from trusted networks,
- Consequently, if /etc/opieaccess does not exist, users who do not
have OPIE enabled cannot log in (I see valid uses for this, anyway)
- Consequently, if no one has OPIE enabled, no one can log in (thus
optimum security is achieved).


Overall, I think this is useful.
I think I'm not the only one in this situation.

One basic reason for this is that most users on my network very rarely
need shell access and even more rarely they need it from outside.
Having complex passwords becomes hard to manage, as a user who logs in
once every three months will never remember his password.
Account lockout is also not what I want.


-- 
Miguel Ramos <mbox at miguel.ramos.name>
PGP A006A14C
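A dry-run model of the "require_trusted" policy described in the post above, added here as an illustration (it is not part of the thread or of pam_opie): it parses opieaccess-style rules and reports which user/client pairs would be locked out of password logins once the option is enabled. It assumes the opieaccess(5) line format "permit|deny address netmask", first match wins, and that a missing /etc/opieaccess (passed as None) means no network is trusted; the rule text and user list are constructed sample data.

```python
import ipaddress
from typing import Optional

Rules = list[tuple[bool, ipaddress.IPv4Network]]

def parse_opieaccess(text: str) -> Rules:
    """Parse 'permit|deny addr mask' lines (assumed opieaccess(5) format); skip comments/blanks."""
    rules: Rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, addr, mask = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in opieaccess rule: {raw!r}")
        rules.append((action == "permit", ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)))
    return rules

def is_trusted(rules: Optional[Rules], client: str) -> bool:
    """First matching rule decides; no file (None) or no matching rule means untrusted (assumption)."""
    if rules is None:
        return False
    ip = ipaddress.IPv4Address(client)
    for permit, net in rules:
        if ip in net:
            return permit
    return False

def password_login_allowed(user_has_opie: bool, require_trusted: bool,
                           rules: Optional[Rules], client: str) -> bool:
    """Can a plain (non-OPIE) password login succeed for this user from this client?
    OPIE-enabled users always need a trusted network for a plain password (unchanged
    behaviour); non-OPIE users are only subjected to that check when require_trusted is set."""
    if user_has_opie or require_trusted:
        return is_trusted(rules, client)
    return True

def would_lock_out(users: dict[str, bool], rules: Optional[Rules], clients: list[str]) -> list[tuple[str, str]]:
    """(user, client) pairs that can use a password today but not after enabling require_trusted."""
    return [(u, c) for u, has_opie in users.items() for c in clients
            if password_login_allowed(has_opie, False, rules, c)
            and not password_login_allowed(has_opie, True, rules, c)]

# Constructed sample /etc/opieaccess: the LAN is trusted, everything else is denied.
SAMPLE_OPIEACCESS = """\
# trusted LAN
permit 192.168.1.0 255.255.255.0
deny 0.0.0.0 0.0.0.0
"""
SAMPLE_USERS = {"alice": False, "bob": True}   # constructed: alice has no OPIE key, bob does
SAMPLE_CLIENTS = ["192.168.1.20", "203.0.113.9"]

if __name__ == "__main__":
    for pair in would_lock_out(SAMPLE_USERS, parse_opieaccess(SAMPLE_OPIEACCESS), SAMPLE_CLIENTS):
        print("would be locked out:", pair)
```

Running the check with rules=None (no /etc/opieaccess at all) lists every non-OPIE user from every client, which is the "no one can log in" case from the post.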

