Further changes to allow enabling pam_opie(8) by default:
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before challenging the user. These options are meaningless for pam_opie(8) since the user can't possibly know the right response before she sees the challenge. - Introduce the no_fake_prompts option. If this option is set, pam_opie(8) will fail - rather than present a bogus challenge - if the target user does not have an OPIE key. With this option, users who haven't set up OPIE won't have to wonder what that "weird otp-md5 s**t" means :) Reviewed by: ache, markm Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent
f2c44ccec8
commit
03adba96a0
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=89618
@ -8,7 +8,6 @@
|
||||
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.\" ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
.\"
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
@ -94,7 +93,21 @@ This is primarily for services like
|
||||
where the user's ability to retype
|
||||
their own password
|
||||
might be deemed sufficient.
|
||||
.It Cm no_fake_prompts
|
||||
Do not generate fake challenges for users who do not have an OPIE key.
|
||||
Note that this can leak information to a hypothetical attacker about
|
||||
who uses OPIE and who doesn't, but it can be useful on systems where
|
||||
some users want to use OPIE but most don't.
|
||||
.El
|
||||
.Pp
|
||||
Note that
|
||||
.Nm
|
||||
ignores the standard options
|
||||
.Cm try_first_pass
|
||||
and
|
||||
.Cm use_first_pass ,
|
||||
since a challenge must be generated before the user can submit a valid
|
||||
response.
|
||||
.Sh FILES
|
||||
.Bl -tag -width ".Pa /etc/opiekeys" -compact
|
||||
.It Pa /etc/opiekeys
|
||||
|
@ -4,6 +4,8 @@
|
||||
* Based upon code Copyright 1998 Juniper Networks, Inc.
|
||||
* Copyright (c) 2001 Networks Associates Technologies, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2002 Networks Associates Technologies, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
@ -53,10 +55,14 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/pam_modules.h>
|
||||
#include "pam_mod_misc.h"
|
||||
|
||||
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
|
||||
enum {
|
||||
PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_NO_FAKE_PROMPTS
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
|
||||
{ "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
|
||||
@ -78,15 +84,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
/*
|
||||
* It doesn't make sense to use a password that has already been
|
||||
* typed in, since we haven't presented the challenge to the user
|
||||
* yet.
|
||||
*/
|
||||
if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
|
||||
pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
|
||||
user = NULL;
|
||||
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
|
||||
if ((pwd = getpwnam(getlogin())) == NULL)
|
||||
@ -107,7 +104,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
*/
|
||||
opiedisableaeh();
|
||||
|
||||
opiechallenge(&opie, (char *)user, challenge);
|
||||
/*
|
||||
* If the no_fake_prompts option was given, and the user
|
||||
* doesn't have an OPIE key, just fail rather than present the
|
||||
* user with a bogus OPIE challenge.
|
||||
*/
|
||||
/* XXX generates a const warning because of incorrect prototype */
|
||||
if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
|
||||
pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
|
||||
/*
|
||||
* It doesn't make sense to use a password that has already been
|
||||
* typed in, since we haven't presented the challenge to the user
|
||||
* yet, so clear the stored password.
|
||||
*/
|
||||
pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
||||
|
||||
for (i = 0; i < 2; i++) {
|
||||
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
|
||||
retval = pam_get_pass(pamh, &response, prompt, &options);
|
||||
|
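Review bot: The result of `opiechallenge()` in the new `if` is consulted only when `no_fake_prompts` is set; without the option every non-zero result — presumably both "no OPIE key for this user" and a genuine lookup or database error, though the hunk does not show which codes libopie distinguishes — falls through to the prompt loop with whatever `challenge` then holds. The pre-commit code ignored the return entirely, so this is not a regression, but the new condition makes the asymmetry visible: if libopie does not fill `challenge` on a hard error, `snprintf` would format an undefined buffer into `prompt`. It would be safer to capture the result in a local, `rv = opiechallenge(&opie, (char *)user, challenge);`, and fail on a hard error regardless of the option while keeping the deliberate fake-challenge path for the missing-key case — confirm the error encoding against libopie before choosing the test. A short comment on the fall-through case, `/* no key: keep the fake challenge so callers cannot tell OPIE users from non-users */`, would also record why the failure is intentionally ignored when the option is off. `pam_sm_authenticate` begins before this hunk and continues after it.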