On Mon, Jan 21, 2002 at 00:56:46 +0100, Dag-Erling Smorgrav wrote:
> What I can't understand is why OPIE is making that decision in the
> first place.  The only answer I can think of is that it was written
> before the advent of PAM, and tries to be a poor man's PAM.  That is
> not its place.

The basic OPIE/S-KEY idea behind that was that normally only a one-time
password is allowed, i.e. the user is not allowed to type plaintext passwords
at all because the connection is treated as a totally insecure one.

But for very special cases configured by the sysadmin, like working on the
same machine or from a trusted subnet, OPIE/S-KEY additionally allows a plaintext
password too, depending on its own configuration.

> In any case, if I understand what you're trying to do, it can be done
> by returning PAM_SUCCESS if OPIE authentication succeeded, PAM_IGNORE
> if it failed but Unix authentication is still allowed, and
> PAM_AUTH_ERR if OPIE failed and Unix authentication is *not* allowed.
> In that case, if you mark pam_opie "sufficient", pam_unix will run
> only if OPIE authentication failed but allowed Unix authentication to
> proceed.

It sounds good; I'll run a test case and inform you of the results.

Andrey A. Chernov
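The three-way return scheme quoted above (PAM_SUCCESS / PAM_IGNORE / PAM_AUTH_ERR from a "sufficient" pam_opie, followed by pam_unix) can be traced through a toy PAM chain dispatcher. The following is an added example, not code from this thread, from OPIE, or from any PAM implementation: the module bodies (fake_pam_opie, fake_pam_unix, fake_plaintext_policy), the auth_ctx context, and the chain functions are hypothetical stand-ins that decide from constructed flags instead of real credentials, and the dispatcher implements the generic required/requisite/sufficient rules rather than any one library's code.

```c
/*
 * Toy model of a PAM "auth" chain, added to illustrate the pam_opie /
 * pam_unix return-code scheme discussed in the thread. Example code only:
 * not OPIE, OpenPAM or Linux-PAM source. All module bodies are stand-ins
 * (hypothetical) that decide from flags in a constructed context.
 */
#include <stdio.h>
#include <stddef.h>

/* Return codes used by the model; numeric values are arbitrary here. */
enum pam_rc { PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE };
/* Control flags as written in pam.conf. */
enum pam_flag { PAM_REQUIRED, PAM_REQUISITE, PAM_SUFFICIENT };

/* Constructed context standing in for the PAM handle. */
struct auth_ctx {
    int opie_ok;       /* one-time password verified */
    int unix_allowed;  /* OPIE config permits plaintext on this connection */
    int unix_ok;       /* plaintext password is correct */
    int unix_ran;      /* output: whether pam_unix was invoked at all */
};

typedef enum pam_rc (*pam_auth_fn)(struct auth_ctx *);

/* The three-way result proposed in the thread. */
static enum pam_rc fake_pam_opie(struct auth_ctx *c)
{
    if (c->opie_ok)
        return PAM_SUCCESS;
    return c->unix_allowed ? PAM_IGNORE : PAM_AUTH_ERR;
}

static enum pam_rc fake_pam_unix(struct auth_ctx *c)
{
    c->unix_ran = 1;                       /* record that a plaintext prompt happened */
    return c->unix_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Policy-only module: no prompt, just "may plaintext be used here?" */
static enum pam_rc fake_plaintext_policy(struct auth_ctx *c)
{
    return c->unix_allowed ? PAM_SUCCESS : PAM_AUTH_ERR;
}

struct chain_entry { enum pam_flag flag; pam_auth_fn fn; };

/* Generic dispatch rules: PAM_IGNORE acts as if the module were absent, a
 * required failure is recorded but the chain continues, a requisite failure
 * stops at once, and a sufficient module that fails is simply skipped. */
static enum pam_rc dispatch(const struct chain_entry *chain, size_t n,
                            struct auth_ctx *c)
{
    enum pam_rc first_fail = PAM_SUCCESS;
    int failed = 0, decided = 0;

    for (size_t i = 0; i < n; i++) {
        enum pam_rc r = chain[i].fn(c);
        if (r == PAM_IGNORE)
            continue;
        decided = 1;
        switch (chain[i].flag) {
        case PAM_REQUIRED:
            if (r != PAM_SUCCESS && !failed) { failed = 1; first_fail = r; }
            break;
        case PAM_REQUISITE:
            if (r != PAM_SUCCESS)
                return failed ? first_fail : r;
            break;
        case PAM_SUFFICIENT:
            if (r == PAM_SUCCESS && !failed)
                return PAM_SUCCESS;
            break;
        }
    }
    if (!decided)
        return PAM_AUTH_ERR;   /* no module gave a verdict: fail closed (model's choice) */
    return failed ? first_fail : PAM_SUCCESS;
}

/* "pam_opie sufficient, pam_unix required", as proposed in the thread. */
enum pam_rc run_proposed_chain(struct auth_ctx *c)
{
    static const struct chain_entry chain[] = {
        { PAM_SUFFICIENT, fake_pam_opie },
        { PAM_REQUIRED,   fake_pam_unix },
    };
    c->unix_ran = 0;
    return dispatch(chain, sizeof chain / sizeof chain[0], c);
}

/* Same chain with a requisite policy check in between, so a connection that
 * is not allowed plaintext never reaches the pam_unix prompt. */
enum pam_rc run_gated_chain(struct auth_ctx *c)
{
    static const struct chain_entry chain[] = {
        { PAM_SUFFICIENT, fake_pam_opie },
        { PAM_REQUISITE,  fake_plaintext_policy },
        { PAM_REQUIRED,   fake_pam_unix },
    };
    c->unix_ran = 0;
    return dispatch(chain, sizeof chain / sizeof chain[0], c);
}

/* Run one scenario and report whether pam_unix was reached at all. */
int unix_consulted(int gated, int opie_ok, int unix_allowed, int unix_ok)
{
    struct auth_ctx c = { opie_ok, unix_allowed, unix_ok, 0 };
    if (gated) run_gated_chain(&c); else run_proposed_chain(&c);
    return c.unix_ran;
}

int main(void)
{
    /* Constructed scenario: OTP wrong, plaintext not allowed, Unix password right. */
    struct auth_ctx c = { 0, 0, 1, 0 };
    printf("proposed chain: rc=%d pam_unix ran=%d\n", run_proposed_chain(&c), c.unix_ran);
    printf("gated chain:    rc=%d pam_unix ran=%d\n", run_gated_chain(&c), c.unix_ran);
    return 0;
}
```

The run in main is the case that matters for the policy: under the ordinary rule that a failing "sufficient" module is skipped rather than fatal, PAM_AUTH_ERR from pam_opie does not by itself keep pam_unix from being consulted, so the proposed chain still prompts for and accepts the plaintext password. Putting the "is plaintext allowed?" decision in its own requisite entry, separate from the OTP check, is what makes the not-allowed case fail before any Unix password is asked for.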

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message