This fixes reflects pam_opieaccess addition.
Few comments:
ftpd: fallback was a hack and not needed now with new pam_opieaccess
login: I believe that there is no authtok change service provided by
pam_opie module, so remove
#password sufficient pam_opie.so no_warn
line
---
Andrey A. Chernov [EMAIL PROTECTED] writes:
This fixes reflects pam_opieaccess addition.
Augh, I just spent about an hour doing just that (and fixing some
other stuff too). Thanks anyway, I'll compare your patches to mine to
see if we disagree anywhere.
DES
--
Dag-Erling Smorgrav - [EMAIL
Andrey A. Chernov [EMAIL PROTECTED] writes:
This fixes reflects pam_opieaccess addition.
OK, comments:
1) there's no reason to have pam_opie commented out now, it won't do
anything unless OPIE is enabled for the target user. With my
patch, any user can use OPIE by simply running
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
1) there's no reason to have pam_opie commented out now, it won't do
One reason still exist: all users (i.e. non-OPIE too) will see OTP
responses when pam_opie will be uncommented. It may leads to confusion or
wrong automated
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
Patch attached.
I already comment always turning opie on in previous message, besides
that I don't understand one thing in your patch: why you not enable
pam_opie for su and not add pam_opieaccess there? It is enough useful
Andrey A. Chernov [EMAIL PROTECTED] writes:
I already comment always turning opie on in previous message, besides
that I don't understand one thing in your patch: why you not enable
pam_opie for su and not add pam_opieaccess there? It is enough useful
for sysadmin logging in as user via
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
1) there's no reason to have pam_opie commented out now, it won't do
One reason still exist: all users (i.e. non-OPIE too) will see OTP
responses when pam_opie will be uncommented. It may leads to confusion or
wrong
On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
Ah, I thought pam_opie(8) ignored users that didn't have OPIE set up.
In fact, there is no consensus about that among standalone OPIE
applications, some acts with fake prompts, some - without.
One (among others) argument
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
One (among others) argument _for_ no fake prompts is that standalone
application once compiled with OPIE support can't dynamically turn off
fake prompts using some configuration. For
On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
- enable OPIE by default, with the no_fake_prompts option, leaving it
up to the admin to enable fake prompts if he so wishes
I vote for this one.
Please, I'm getting paid to do this :) Make yourself a cup of tea or
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
- enable OPIE by default, with the no_fake_prompts option, leaving it
up to the admin to enable fake prompts if he so wishes
I vote for this one.
I agree, for the reasons
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was
specified and the user hasn't set up OPIE.
We can speed up pam_opie by saving one opielookup() call in this way:
/*
* Don't call the OPIE
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
1) if pam_get_pass(), if the current token is non-null but empty,
ignore it. This allows a user to just press enter at an OPIE
prompt and still get a Unix prompt.
I am not sure I understand this fully, could you
Andrey A. Chernov [EMAIL PROTECTED] writes:
We can speed up pam_opie by saving one opielookup() call in this way:
True, except you forgot to call opieunlock() :)
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-current in
On Mon, Jan 21, 2002 at 18:33:22 +0100, Dag-Erling Smorgrav wrote:
Andrey A. Chernov [EMAIL PROTECTED] writes:
We can speed up pam_opie by saving one opielookup() call in this way:
True, except you forgot to call opieunlock() :)
No, when opiechallenge() return != 0, no opieunlock() needed
Andrey A. Chernov [EMAIL PROTECTED] writes:
I am not sure I understand this fully, could you please send two
typescripts (in the manner you do for login testing) with and without this
change?
Assuming no ~des/.opiealways,
- without the change:
des@des ~% login des
otp-md5 496 de6973 ext
Andrey A. Chernov [EMAIL PROTECTED] writes:
No, when opiechallenge() return != 0, no opieunlock() needed because
nothing is locked. Look at opiechallenge() sources, it not makes
lock on error.
Oh, you're right. I wasn't thinking.
Here are the (hopefully) final patches. Any final
On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
Assuming no ~des/.opiealways,
- without the change:
des@des ~% login des
otp-md5 496 de6973 ext
Password: enter
otp-md5 496 de6973 ext
Password [echo on]: enter
Login incorrect
login: argh!
It looks like right
On Mon, Jan 21, 2002 at 18:53:34 +0100, Dag-Erling Smorgrav wrote:
Here are the (hopefully) final patches. Any final objections before I
commit the lot?
Excepting get_pass() thing cause 3 prompts again, all looks right.
--
Andrey A. Chernov
http://ache.pp.ru/
To Unsubscribe: send mail to
On Mon, Jan 21, 2002 at 21:13:19 +0300, Andrey A. Chernov wrote:
On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
Assuming no ~des/.opiealways,
- without the change:
des@des ~% login des
otp-md5 496 de6973 ext
Password: enter
otp-md5 496 de6973 ext
Here are the (hopefully) final patches. Any final objections before I
commit the lot?
According to EyeBall Mk1, this is fine! :-)
I haven't extensively tested the code, but the methods used and the
design are very sound, I believe.
M
--
o Mark Murray
\_ FreeBSD Services Limited
On Mon, Jan 21, 2002 at 21:24:25 +0300, Andrey A. Chernov wrote:
- without the change:
des@des ~% login des
otp-md5 496 de6973 ext
Password: enter
otp-md5 496 de6973 ext
Password [echo on]: enter
Login incorrect
login: argh!
If OPIE is configured to allow Unix
Andrey A. Chernov [EMAIL PROTECTED] writes:
It looks like right variant. _By_default_ OPIE user is unable to enter
Unix password. You need to add
permit your.ip.addr 255.255.255.255
line to /etc/opieaccess to _allow_ Unix passwords on your machine.
Which I do...
# grep '^[^#]'
On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
Which I do...
# grep '^[^#]' /etc/opieaccess
permit 127.0.0.1 255.255.255.255
permit 10.0.0.1 255.255.255.0
Really there must be only address resolved from gethostname() call,
what f.e. su sets for PAM_RHOST on localhost.
Andrey A. Chernov [EMAIL PROTECTED] writes:
On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
# grep '^[^#]' /etc/opieaccess
permit 127.0.0.1 255.255.255.255
permit 10.0.0.1 255.255.255.0
Really there must be only address resolved from gethostname() call,
what f.e. su
25 matches
Mail list logo