If I may suggest a fix that will probably make everyone happy...

The problem seems to be the addition of opieaccess to the PAM
configuration.  With that addition, in -CURRENT, unless a user creates
/etc/opieaccess and adds explicit "permit" lines, plain text passwords will
not be accepted if OPIE is in use at the site.  If that file does not
exist, plain text passwords are explicitly denied.  This breaks POLA.

However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
plain text passwords if the file does not exist (the normal case), then I
believe people will be happy.  Alternatively, we need to start distributing
an /etc/opieaccess file that "permit"'s every connection by default.

So, to fix this:

1. Either this one line change to /usr/src/contrib/opie/libopie/accessfile.c 


  if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
    return 0;


  if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
    return 1;

   Or add /etc/opieaccess with the line:


2. In -STABLE, merge src/lib/libopie/Makefile revs 1.14 and 1.15 to
   RELENG_4.  Then merge which ever fix you do in #1 above, then it is safe
   to revert src/etc/pam.conf rev

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to