Opieaccess file, is this normal?

From: Didier Wiroth (didier.wiroth_at_mcesr.etat.lu)
Date: 06/22/04

    Date: Tue, 22 Jun 2004 17:55:55 +0200
    To: freebsd-security@freebsd.org
    
    

    Hi,

    I'm trying to set up one-time passwords on FreeBSD 5.2.1.

    From what I've read so far, if the user is present in opiekeys, the
    opieaccess file determines if the user (coming from a specific host or
    network) is allowed to use his unix password from this specific network.

    As my opieaccess file is empty and the default rule (as mentioned in the
    man file) is deny, I should not be able to get an ssh shell with my standard
    unix password.

    I've made a test on a test machine running ssh (sshd version
    OpenSSH_3.6.1p1 FreeBSD-20030924).

    The opiekeys file contains one user, me actually.
    The opieaccess file is empty so (by default) unix password should not be
    allowed when connecting through ssh.

    I press "enter" a few times and sshd switches to the next authentication
    method "password".
    Now I can enter my standard password and I'm logged in, even if I should
    only be allowed to use the opie passwords.

    Why? Isn't this a bug?

    Here is the ssh -v output:

    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/didier/.ssh/identity
    debug1: Trying private key: /home/didier/.ssh/id_rsa
    debug1: Trying private key: /home/didier/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    otp-md5 300 pw9999 ext
    Password [echo on]:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    didier@localhost's password:
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: channel 0: request pty-req
    debug1: channel 0: request shell
    debug1: channel 0: open confirm rwindow 0 rmax 32768

    Thanks a lot
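
A check built on the client output quoted in the message above, added here as an example and not part of the original post: it parses `ssh -v` output and reports whether a session that was shown an OTP challenge ended up authenticated by the `password` method. The function names and the condensed sample log are constructed for illustration.

```python
import re

# Constructed sample, condensed from the `ssh -v` output quoted in the message;
# the first "can continue" line is left wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Next authentication method: keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

OFFERED = re.compile(r"^debug1: Authentications that can continue:\s*(\S*)$")
TRIED = re.compile(r"^debug1: Next authentication method: (\S+)$")
SUCCEEDED = re.compile(r"^debug1: Authentication succeeded \(([^)]+)\)")
OTP_CHALLENGE = re.compile(r"^otp-(md4|md5|sha1) \d+ \S+")


def unwrap(text):
    """Rejoin a method list that was wrapped onto the line after 'can continue:'."""
    return re.sub(r"(can continue:)[ \t]*\n[ \t]*", r"\1 ", text)


def audit(log_text):
    """Summarise one login attempt recorded with `ssh -v`."""
    result = {"offered": set(), "tried": [], "otp_challenges": 0, "succeeded": None}
    for line in unwrap(log_text).splitlines():
        line = line.strip()
        if m := OFFERED.match(line):
            result["offered"].update(filter(None, m.group(1).split(",")))
        elif m := TRIED.match(line):
            result["tried"].append(m.group(1))
        elif OTP_CHALLENGE.match(line):
            result["otp_challenges"] += 1
        elif m := SUCCEEDED.match(line):
            result["succeeded"] = m.group(1)
    # An OTP challenge was shown, yet the reusable password opened the session.
    result["static_password_fallback"] = (
        result["otp_challenges"] > 0 and result["succeeded"] == "password"
    )
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(sorted(report["offered"]), report["tried"], report["succeeded"])
    print("static password fallback:", report["static_password_fallback"])
```

Run it against a saved `ssh -v` session from each network you expect to be OTP-only; a `True` result means the server still advertised and accepted the separate `password` method for that client.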


