On Wed, Jul 10, 2002 at 12:12:56 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
Consider the following setup: OPIE is active and allows Unix plaintext
passwords for local users only (i.e. the common way of using OPIE). Then let's
disable all sshd auth methods excepting
Andrey A. Chernov [EMAIL PROTECTED] writes:
Why what? Sysadmin allows PasswordAuthentication only.
Why?
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
Why what? Sysadmin allows PasswordAuthentication only.
Why?
Because he chooses not to trust host keys, which can be stolen, especially
when not password-protected. Because it is
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
Why what? Sysadmin allows PasswordAuthentication only.
Why?
Because he chooses not to trust host keys, which can be stolen, especially
On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
But why disable keyboard-interactive authentication?
It is nowhere documented that keyboard-interactive auth is required for
PasswordAuthentication. It has worked without it for ages. Sysadmins tend to
remove all unneeded auth
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
But why disable keyboard-interactive authentication?
It is nowhere documented that keyboard-interactive auth is required for
PasswordAuthentication. It works without it for
On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:
Andrey, I'd really suggest you back off and chill down. You're not
making any sense at all. If your config file really disables all
authentication methods except PasswordAuthentication, then OPIE
*never* worked for you,
On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:
making any sense at all. If your config file really disables all
authentication methods except PasswordAuthentication, then OPIE
*never* worked for you, because it *cannot* be implemented over the
SSH PasswordAuthentication
If I may suggest a fix that will probably make everyone happy...
The problem seems to be the addition of opieaccess to the PAM
configuration. With that addition, in -CURRENT, unless a user creates
/etc/opieaccess and adds explicit permit lines, plain text passwords will
not be accepted if OPIE
On Wed, Jul 10, 2002 at 09:37:24 -0700, Gregory Neil Shapiro wrote:
The problem seems to be the addition of opieaccess to the PAM
configuration.
Not to PAM, but more strictly, to PAMified sshd. Addition of it to other
PAMified programs works as expected.
With that addition, in -CURRENT,
Neither fix is correct. The correct solution is to remove the kludge
in auth-passwd.c that tries to use PAM for password authentication.
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Andrey A. Chernov wrote:
On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
Why what? Sysadmin allows PasswordAuthentication only.
Why?
Because he chooses not to trust host keys, which can be stolen, especially
when not
On Wed, Jul 10, 2002 at 19:55:19 +0200, Dag-Erling Smorgrav wrote:
Neither fix is correct. The correct solution is to remove the kludge
in auth-passwd.c that tries to use PAM for password authentication.
I agree completely. My fix was a quick, dirty workaround only and not
planned as a full
On Tue, Jul 02, 2002 at 14:01:35 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
I just upgraded to the recent -current sshd and found that
PasswordAuthentication does not work anymore (always fails, with the right
password too). I have not yet dug deeper at this moment, just
On Tue, Jul 09, 2002 at 16:49:44 +0400, Andrey A. Chernov wrote:
It does not help. Moreover, I found that I am able to do 'ssh localhost' but
unable to do ssh from any other machine, with exactly the same password.
DEBUG3 output clearly indicates that this error is related to PAM somehow:
Andrey A. Chernov [EMAIL PROTECTED] writes:
It does not help. Moreover, I found that I am able to do 'ssh localhost' but
unable to do ssh from any other machine, with exactly the same password.
Try commenting out the pam_opieaccess line in /etc/pam.d/sshd.
DES
--
Dag-Erling Smorgrav - [EMAIL
On Tue, Jul 09, 2002 at 15:16:01 +0200, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
It does not help. Moreover, I found that I am able to do 'ssh localhost' but
unable to do ssh from any other machine, with exactly the same password.
Try commenting out the
Andrey A. Chernov [EMAIL PROTECTED] writes:
Normally OPIE does not accept plain Unix passwords remotely, and that is right,
because of cleartext. But it is wrong for sshd, because no cleartext is
sent for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
fail by default or maybe even
On Tue, Jul 09, 2002 at 15:59:04 +0200, Dag-Erling Smorgrav wrote:
What if the client is untrusted? Do you find it reasonable to allow
users to type their password on an untrusted client? Many of our
users use OPIE for precisely this scenario - reading their mail on an
untrusted machine in
Normally OPIE does not accept plain Unix passwords remotely, and that is right,
because of cleartext. But it is wrong for sshd, because no cleartext is
sent for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
fail by default or maybe even not be present there.
des What if the client is
On Tue, Jul 09, 2002 at 09:46:40 -0700, Gregory Neil Shapiro wrote:
one of the authentication techniques early on). Also, pam_opieaccess is
broken at the moment anyway as /usr/src/contrib/opie/libopie/accessfile.c
is not compiled with PATH_ACCESS_FILE defined. The maintainer of OPIE
ache == Andrey A Chernov [EMAIL PROTECTED] writes:
ache On Tue, Jul 09, 2002 at 09:46:40 -0700, Gregory Neil Shapiro wrote:
one of the authentication techniques early on). Also, pam_opieaccess is
broken at the moment anyway as /usr/src/contrib/opie/libopie/accessfile.c
is not compiled
Andrey A. Chernov [EMAIL PROTECTED] writes:
I understand that. What I am saying is that it must not be in the default setup
because it breaks normal password auth for ssh.
Only for users who have set up an OPIE password, but explicitly choose
not to use OPIE.
I.e. I not set
Andrey A. Chernov [EMAIL PROTECTED] writes:
BTW, OPIE auth is broken too that way. In any ssh client I use I see _no_
OPIE prompt like: [...]
You're jinxed. You probably offended an evil spirit in a previous
life and it has come back to haunt you.
Seriously, can you please turn down the
On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:
Seriously, can you please turn down the hysteria a couple of notches
and give me a proper bug report?
On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:
Seriously, can you please turn down the hysteria a
Thus spake Gregory Neil Shapiro [EMAIL PROTECTED]:
Interestingly enough, pam_opieaccess doesn't help at all in this
situation. The remote user is still prompted for their plain text
password, it just isn't accepted. However, the damage is already done -- a
compromised ssh client would have
On Wed, Jul 10, 2002 at 03:26:02 +0400, Andrey A. Chernov wrote:
1) It is client-related, so even if you fix sshd to print the OTP prompt,
This is the question: who prints the password prompt? From a very quick and
incomplete look I see that it is the client itself, not the server, so it seems
there is no way
I just upgraded to the recent -current sshd and found that
PasswordAuthentication does not work anymore (always fails, with the right
password too). I have not yet dug deeper at this moment, just FYI.
--
Andrey A. Chernov
http://ache.pp.ru/
Andrey A. Chernov [EMAIL PROTECTED] writes:
I just upgraded to the recent -current sshd and found that
PasswordAuthentication does not work anymore (always fails, with the right
password too). I have not yet dug deeper at this moment, just FYI.
Try this: