Opieaccess file, is this normal?

From: Didier Wiroth (didier.wiroth_at_mcesr.etat.lu)
Date: 06/22/04

    Date: Tue, 22 Jun 2004 17:55:55 +0200
    To: freebsd-security@freebsd.org
    
    

    Hi,

    I'm trying to set up one-time passwords on FreeBSD 5.2.1

    From what I've read so far, if the user is present in opiekeys, the
    opieaccess file determines if the user (coming from a specific host or
    network) is allowed to use his unix password from this specific network.

    As my opieaccess file is empty and the default rule (as mentioned in the
    man file) is deny, I should not be able to get an ssh shell with my standard
    unix password.

    I've made a test on a test machine running ssh (sshd version
    OpenSSH_3.6.1p1 FreeBSD-20030924).

    The opiekey contains one user, me actually.
    The opieaccess file is empty so (by default) unix password should not be
    allowed when connecting through ssh.

    I press "enter" a few times and sshd switches to the next authentication
    method "password".
    Now I can enter my standard password and I'm logged in, even if I should
    only be allowed to use the opie passwords.

    Why? Isn't this a bug?

    Here is the ssh -v output:

    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/didier/.ssh/identity
    debug1: Trying private key: /home/didier/.ssh/id_rsa
    debug1: Trying private key: /home/didier/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    otp-md5 300 pw9999 ext
    Password [echo on]:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    otp-md5 300 pw9999 ext
    Password:
    debug1: Authentications that can continue:
    publickey,password,keyboard-interactive
    debug1: Next authentication method: password
    didier@localhost's password:
    debug1: Authentication succeeded (password).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: channel 0: request pty-req
    debug1: channel 0: request shell
    debug1: channel 0: open confirm rwindow 0 rmax 32768

    Thanks a lot

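The opieaccess rule semantics described in the message above, modelled as an added example (not part of the original post and not OPIE or FreeBSD code): it evaluates `permit|deny address mask` lines from opieaccess(5) for a client address and falls back to deny when nothing matches, as with an empty file. The sample rules and addresses are constructed, first-match ordering is an assumption, and the model covers the file only, not how sshd or PAM consult it.

```python
import ipaddress

def parse_opieaccess(text):
    """Parse opieaccess(5) text into a list of (action, network) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields:
            continue  # blank line
        if len(fields) != 3 or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected 'permit|deny address mask'")
        action, addr, mask = fields
        # strict=False clears host bits, e.g. 192.0.2.77/255.255.255.0 -> 192.0.2.0/24
        rules.append((action, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
    return rules

def unix_password_allowed(rules, client_ip):
    """True if a non-OPIE (UNIX) password would be accepted from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if ip in net:
            # Assumption: the first matching rule decides the outcome.
            return action == "permit"
    # No rule matched (always the case for an empty file): default is deny.
    return False

# Constructed sample inputs, not taken from the original message.
EMPTY_FILE = ""
SAMPLE_FILE = """\
deny 192.0.2.66 255.255.255.255
permit 192.0.2.0 255.255.255.0
"""

def report(text, clients):
    """Return {client_ip: bool} for every address in clients."""
    rules = parse_opieaccess(text)
    return {ip: unix_password_allowed(rules, ip) for ip in clients}

if __name__ == "__main__":
    clients = ["127.0.0.1", "192.0.2.10", "192.0.2.66", "198.51.100.5"]
    for name, text in (("empty", EMPTY_FILE), ("sample", SAMPLE_FILE)):
        for ip, ok in report(text, clients).items():
            print(f"{name:6} {ip:15} unix password {'permitted' if ok else 'denied'}")
```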

