On Wed, 9 Mar 2011 09:51, mbox@ wrote:
I think the way pam_opieaccess behaves is like "leave a security breach
by default". I think it would be more usefull if it returned PAM_SUCCESS
when:
1. The user does not have OPIE enabled and the remote host is listed as
a trusted host in /etc/opieaccess.
2. The user has OPIE enabled and the remote host is listed as a trusted
host in /etc/opieaccess, and the user does not have a file
named .opiealways in his home directory.
Or at least this should be an option for pam_opieaccess.
Does changing the following in /etc/pam.d/sshd help ?
# auth (edited for length)
-auth sufficient pam_opie.so no_warn no_fake_prompts
+auth binding pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
There might be some other combinations that would change this behavior for
you but you will have to consult with pam.conf(5) as this is a pretty big
beast to sum up here.
Tweaking PAM in some situations could lead you to undesired results.
Putting something into place of a script that runs out of /etc/profile or
/etc/shrc or whatever that greps the contents of /etc/opiekeys and prompts
the user to run the correct commands or runs them the first time might
just be a better long-term solution to enforcing they use OPIE.
/etc/profile
grep "^${LOGNAME} " /etc/opiekeys ||/usr/bin/opiepasswd -c
...
Anyway I'm sure some other shell-masters@ will chime in at some point and
possibly share what they have done in the past/present/future and offer up
some real good insight on this.
VPN access to the box(s) could be another solution where everyone is local
and you don't need OPIE at all. \o/
--
Regards,
J. Hellenthal
(0x89D8547E)
JJH48-ARIN
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
