
Further changes to allow enabling pam_opie(8) by default:

- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before
   challenging the user.  These options are meaningless for pam_opie(8)
   since the user can't possibly know the right response before she sees
   the challenge.

- Introduce the no_fake_prompts option.  If this option is set, pam_opie(8)
   will fail - rather than present a bogus challenge - if the target user
   does not have an OPIE key.  With this option, users who haven't set up
   OPIE won't have to wonder what that "weird otp-md5 s**t" means :)

Reviewed by:	ache, markm
Sponsored by:	DARPA, NAI Labs
Dag-Erling Smørgrav 2002-01-21 18:46:25 +00:00
parent f2c44ccec8
commit 03adba96a0
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=89618
2 changed files with 38 additions and 12 deletions


@ -8,7 +8,6 @@
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@ -94,7 +93,21 @@ This is primarily for services like
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm no_fake_prompts
Do not generate fake challenges for users who do not have an OPIE key.
Note that this can leak information to a hypothetical attacker about
who uses OPIE and who doesn't, but it can be useful on systems where
some users want to use OPIE but most don't.
.El
.Pp
Note that
.Nm
ignores the standard options
.Cm try_first_pass
and
.Cm use_first_pass ,
since a challenge must be generated before the user can submit a valid
response.
.Sh FILES
.Bl -tag -width ".Pa /etc/opiekeys" -compact
.It Pa /etc/opiekeys


@ -4,6 +4,8 @@
* Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001 Networks Associates Technologies, Inc.
* All rights reserved.
* Copyright (c) 2002 Networks Associates Technologies, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
@ -53,10 +55,14 @@ __FBSDID("$FreeBSD$");
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
enum {
PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
PAM_OPT_NO_FAKE_PROMPTS
};
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
{ "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS },
{ NULL, 0 }
};
@ -78,15 +84,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Options processed");
/*
* It doesn't make sense to use a password that has already been
* typed in, since we haven't presented the challenge to the user
* yet.
*/
if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
PAM_RETURN(PAM_AUTH_ERR);
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
if ((pwd = getpwnam(getlogin())) == NULL)
@ -107,7 +104,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
*/
opiedisableaeh();
opiechallenge(&opie, (char *)user, challenge);
/*
* If the no_fake_prompts option was given, and the user
* doesn't have an OPIE key, just fail rather than present the
* user with a bogus OPIE challenge.
*/
/* XXX generates a const warning because of incorrect prototype */
if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
PAM_RETURN(PAM_AUTH_ERR);
/*
* It doesn't make sense to use a password that has already been
* typed in, since we haven't presented the challenge to the user
* yet, so clear the stored password.
*/
pam_set_item(pamh, PAM_AUTHTOK, NULL);
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_pass(pamh, &response, prompt, &options);
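Review bot: The return value of `pam_set_item(pamh, PAM_AUTHTOK, NULL)` on the new side is discarded, so if clearing the item fails the previously stored token survives and the try_first_pass/use_first_pass handling this commit means to neutralize can still pick it up in the pam_get_pass loop that follows. For an authentication module the safer reaction is to fail closed: `if (pam_set_item(pamh, PAM_AUTHTOK, NULL) != PAM_SUCCESS) PAM_RETURN(PAM_AUTH_ERR);`. Whether pam_get_pass falls back to prompting when use_first_pass is set and no token is stored, rather than failing outright, is not visible here and is worth confirming, since the commit message describes those options as ignored rather than as causing failure. pam_sm_authenticate begins and ends outside this hunk.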