"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> The basic OPIE/S-KEY idea under that was that normally only one-time
> password is allowed, i.e. user is not allowed to type plaintext passwords
> at all because connection treated as totally insecured one.
> But for very special cases configured by sysadmin, like working in the
> same machine or trusted subnet, OPIE/S-KEY additionally allows plaintext
> password too, depending on its own configuration.
That's what PAM is for. If fixed (not necessary plaintext!) passwords
are allowed, the admin will mark pam_opie as "sufficient" and place
pam_unix below it; if they're not, he'll just remove pam_unix.
The current system, BTW, leaves the policy in the hands of the user,
as she can create or remove ~/.opie_always at will. A security policy
which is based on letting the user decide what is sufficient
authentication and what is not is not a proper security policy.
> > In any case, if I understand what you're trying to do, it can be done
> > by [...]
> It sounds good, I'll run a test case and inform you about results.
Actually, that idea won't work, because PAM will ignore PAM_AUTH_ERR
from a "sufficient" module. A "requisite" helper module, placed after
pam_opie, which fails if ~/.opie_always exists would do the trick, if
one really wanted this.
Dag-Erling Smorgrav - [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message