Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 19:55:19 +0200, Dag-Erling Smorgrav wrote:

> Neither fix is correct.  The correct solution is to remove the kludge
> in auth-passwd.c that tries to use PAM for password authentication.

I agree completely. My fix was a quick & dirty workaround only and was not
planned as a full solution.

-- 
Andrey A. Chernov
http://ache.pp.ru/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Terry Lambert

"Andrey A. Chernov" wrote:
> On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> > "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > > Why what? Sysadmin allows PasswordAuthentication only.
> >
> > Why?
> 
> Because he chose not to trust host keys, which can be stolen, especially
> when not password-protected. Because it is a documented way to configure
> sshd. This scenario is very much equivalent to the normal Unix login procedure,
> except that passwords are not transferred as cleartext over the net. It
> is the easiest way for an admin to teach end-users to use ssh without
> (mis)dealing with host keys.

I think he meant "Why doesn't it respect the "secure" flag on pty's
in /etc/ttys, like all other conforming UNIX programs do?".

-- Terry




Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))

2002-07-10 Thread Dag-Erling Smorgrav

Neither fix is correct.  The correct solution is to remove the kludge
in auth-passwd.c that tries to use PAM for password authentication.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 09:37:24 -0700, Gregory Neil Shapiro wrote:

> The problem seems to be the addition of opieaccess to the PAM
> configuration.  

Not to PAM, but, more strictly, to PAMified sshd. Adding it to other
PAMified programs works as expected.

> With that addition, in -CURRENT, unless a user creates
> /etc/opieaccess and adds explicit "permit" lines, plain text passwords will
> not be accepted if OPIE is in use at the site.  If that file does not
> exist, plain text passwords are explicitly denied.  This breaks POLA.

Yes.

> However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
> plain text passwords if the file does not exist (the normal case), then I
> believe people will be happy.  Alternatively, we need to start distributing
> an /etc/opieaccess file that "permit"'s every connection by default.

No. F.e. I have a rule in /etc/opieaccess which allows local plaintext
passwords and disallows them for remote access. This is the typical setup
needed for most OPIE-aware programs. When pam_opie* is added to sshd
PasswordAuthentication auth (by default), I can't log in from remote, but
still can from local. So, back to your proposal:

1) If /etc/opieaccess does not exist, other OPIE-aware programs will be
broken (not tuned well for the local/remote difference).

2) If /etc/opieaccess has "permit" lines for all, other OPIE-aware
programs will be broken (not tuned well for the local/remote difference).

BTW, changing the documented OPIE way of things is not good for security
reasons.

3) If /etc/opieaccess has the correct "permit" line for local and not for
remote, other OPIE-aware programs are happy, but sshd is broken (can't
log in from remote but can from local).

So, your fix attempt really does not fix things; only removing OPIE from
PasswordAuthentication fixes them. OPIE does not work with PasswordAuthentication
in any case, as DES himself confirms and as I have said from the very beginning.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))

2002-07-10 Thread Gregory Neil Shapiro

If I may suggest a fix that will probably make everyone happy...

The problem seems to be the addition of opieaccess to the PAM
configuration.  With that addition, in -CURRENT, unless a user creates
/etc/opieaccess and adds explicit "permit" lines, plain text passwords will
not be accepted if OPIE is in use at the site.  If that file does not
exist, plain text passwords are explicitly denied.  This breaks POLA.

However, if /usr/src/contrib/opie/libopie/accessfile.c is changed to accept
plain text passwords if the file does not exist (the normal case), then I
believe people will be happy.  Alternatively, we need to start distributing
an /etc/opieaccess file that "permit"'s every connection by default.

So, to fix this:

1. Either this one line change to /usr/src/contrib/opie/libopie/accessfile.c

   From:

     if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
       return 0;

   To:

     if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
       return 1;

   Or add /etc/opieaccess with the line:

     permit 0.0.0.0 0.0.0.0

2. In -STABLE, merge src/lib/libopie/Makefile revs 1.14 and 1.15 to
   RELENG_4.  Then merge whichever fix you do in #1 above; then it is safe
   to revert src/etc/pam.conf rev 1.6.2.16.

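To make Andrey's three /etc/opieaccess cases and Gregory's two proposed fixes concrete, here is a small added model (not code from the thread, from libopie or from OpenPAM) of how the pam.d/sshd auth stack quoted in the patch resolves a PasswordAuthentication login. The opieaccess rule sets, the remote address 10.0.0.5 and the per-module behaviours are constructed assumptions; pam_opie is modelled as always failing on this path because, as the thread argues, no OTP challenge can be shown over PasswordAuthentication.

```python
import ipaddress

# Constructed /etc/opieaccess contents modelled on the thread. Lines are
# "permit|deny <address> <netmask>", first match wins (format per opieaccess(5)).
LOCAL_ONLY = "permit 127.0.0.1 255.255.255.255\ndeny 0.0.0.0 0.0.0.0\n"
# The two /etc/pam.d/sshd auth stacks from the thread: (control flag, module).
DEFAULT_STACK = [("required", "pam_nologin"), ("sufficient", "pam_opie"),
                 ("required", "pam_opieaccess"), ("required", "pam_unix")]
PATCHED_STACK = [("required", "pam_nologin"), ("required", "pam_unix")]

def opieaccess_permits(contents, remote_ip, missing_means_permit=False):
    """Model of libopie accessfile.c; contents=None means the file is absent
    (-CURRENT returns 0 = deny, the proposed one-line change returns 1)."""
    if contents is None:
        return missing_means_permit
    addr = ipaddress.ip_address(remote_ip)
    for line in contents.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("permit", "deny"):
            continue  # skip blank, comment or malformed lines
        if addr in ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False):
            return parts[0] == "permit"
    return False  # no matching rule: plaintext password denied

def run_auth_stack(stack, remote_ip, opieaccess=None,
                   missing_means_permit=False, unix_password_ok=True):
    """OpenPAM-style walk: a 'required' failure is remembered but the stack goes on;
    'sufficient' success ends it early unless a required module already failed."""
    failed = False
    for control, module in stack:
        if module == "pam_nologin":
            ok = True  # assume /var/run/nologin does not exist
        elif module == "pam_opie":
            ok = False  # no OTP challenge can be shown over PasswordAuthentication
        elif module == "pam_opieaccess":
            ok = opieaccess_permits(opieaccess, remote_ip, missing_means_permit)
        else:  # pam_unix: the ordinary Unix password check
            ok = unix_password_ok
        if control == "sufficient" and ok and not failed:
            return True
        if control == "required" and not ok:
            failed = True
    return not failed

def thread_scenarios(remote="10.0.0.5"):
    """Outcomes argued in the thread; the remote client address is constructed."""
    return {
        "default, no /etc/opieaccess": run_auth_stack(DEFAULT_STACK, remote),
        "accessfile.c returns 1": run_auth_stack(DEFAULT_STACK, remote, missing_means_permit=True),
        "permit-all file": run_auth_stack(DEFAULT_STACK, remote, "permit 0.0.0.0 0.0.0.0\n"),
        "local-only file, remote": run_auth_stack(DEFAULT_STACK, remote, LOCAL_ONLY),
        "local-only file, local": run_auth_stack(DEFAULT_STACK, "127.0.0.1", LOCAL_ONLY),
        "pam_opie* removed, remote": run_auth_stack(PATCHED_STACK, remote),
    }
```

The local-only rule set reproduces Andrey's case 3 (local login succeeds, remote fails) while both of Gregory's options make the required pam_opieaccess step pass everywhere, which is exactly the policy loss he objects to.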



Patch for review (was Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd))

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:
> making any sense at all.  If your config file really disables all
> authentication methods except PasswordAuthentication, then OPIE
> *never* worked for you, because it *cannot* be implemented over the
> SSH PasswordAuthentication protocol.

OPIE should not be enabled by default since, according to your own words,
"it *cannot* be implemented over the SSH PasswordAuthentication protocol."
PasswordAuthentication is very broken otherwise and does not allow logging in.

--- sshd.bakTue Jul  9 14:55:05 2002
+++ sshdWed Jul 10 19:16:54 2002
@@ -6,8 +6,8 @@
 
 # auth
 auth   requiredpam_nologin.so  no_warn
-auth   sufficient  pam_opie.so no_warn no_fake_prompts
-auth   requiredpam_opieaccess.so   no_warn
+#authsufficient  pam_opie.so no_warn no_fake_prompts
+#authrequiredpam_opieaccess.so   no_warn
 auth   requiredpam_unix.so no_warn try_first_pass
 
 # account
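Review bot: Commenting out `-auth required pam_opieaccess.so no_warn` drops the /etc/opieaccess local-vs-remote plaintext-password policy for every sshd login that goes through this PAM service, not only for PasswordAuthentication, because the hunk edits the service-wide sshd stack; if the intent is only to keep PasswordAuthentication working (the thread's conclusion is that the kludge in auth-passwd.c should go instead), state that trade-off in the commit message, and prefer deleting the two lines over leaving them as commented-out toggles, which invites someone to re-enable them without knowing the history.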

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:

> Andrey, I'd really suggest you back off and chill down.  You're not
> making any sense at all.  If your config file really disables all
> authentication methods except PasswordAuthentication, then OPIE
> *never* worked for you, because it *cannot* be implemented over the
> SSH PasswordAuthentication protocol.

To make it short: you broke PasswordAuthentication auth by inserting OPIE
there (via /etc/pam.d/sshd). Do you understand/confirm this statement?

Could you please _remove_ OPIE from PasswordAuthentication, since according
to your own words "it *cannot* be implemented over the SSH
PasswordAuthentication protocol"?

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:

> Andrey, I'd really suggest you back off and chill down.  You're not
> making any sense at all.  If your config file really disables all
> authentication methods except PasswordAuthentication, then OPIE
> *never* worked for you, because it *cannot* be implemented over the
> SSH PasswordAuthentication protocol.

I say exactly the same thing.

1) I do not expect OPIE to work in this place.

2) Moreover, I don't want OPIE here.

3) I don't need, don't want and don't expect any OPIE; I want to forget about
it.

But...

4) OPIE is _automatically_ inserted in the middle of auth against my will
due to the /etc/pam.d/sshd pam_opie* lines enabled by default.

5) OPIE is inserted inside the auth where it can't work in any case
(inside PasswordAuthentication).

6) This bad OPIE insertion is not documented anywhere in the ssh manpages.

> >  Expect mass complaints when this goes to -stable,
> > especially because of the hidden nature of this bug.
> 
> It *is* in -STABLE.  Nobody's complained.

Because of the broken libopie (opieaccess). But someday the -current fix will be
merged.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Dag-Erling Smorgrav

"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
> > But why disable keyboard-interactive authentication?
> It is nowhere documented that keyboard-interactive auth is required for
> PasswordAuthentication.  It has worked without it for ages. Sysadmins tend to
> remove all unneeded auth schemes to minimize compromise risk and leave only a
> few or even one auth scheme.

Andrey, I'd really suggest you back off and chill down.  You're not
making any sense at all.  If your config file really disables all
authentication methods except PasswordAuthentication, then OPIE
*never* worked for you, because it *cannot* be implemented over the
SSH PasswordAuthentication protocol.

>  Expect mass complaints when this goes to -stable,
> especially because of the hidden nature of this bug.

It *is* in -STABLE.  Nobody's complained.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
> 
> But why disable keyboard-interactive authentication?

It is nowhere documented that keyboard-interactive auth is required for
PasswordAuthentication. It has worked without it for ages. Sysadmins tend to
remove all unneeded auth schemes to minimize compromise risk and leave only a
few or even one auth scheme.

> Really, Andrey, I get the feeling that you've shot yourself in the
> foot and are asking me why it hurts.

To shoot yourself, an additional action is needed. But without any additional
action I have untouched config files which have worked for ages and stop working
now due to the additional undocumented keyboard-interactive auth requirement
or the requirement to comment out pam_opie*. I think I am not the only one with
this setup type. Expect mass complaints when this goes to -stable,
especially because of the hidden nature of this bug.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Dag-Erling Smorgrav

"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> > "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > > Why what? Sysadmin allows PasswordAuthentication only.
> > Why?
> Because he chose not to trust host keys, which can be stolen, especially
> when not password-protected.

But why disable keyboard-interactive authentication?

Really, Andrey, I get the feeling that you've shot yourself in the
foot and are asking me why it hurts.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Why what? Sysadmin allows PasswordAuthentication only.
> 
> Why?

Because he chose not to trust host keys, which can be stolen, especially
when not password-protected. Because it is a documented way to configure
sshd. This scenario is very much equivalent to the normal Unix login procedure,
except that passwords are not transferred as cleartext over the net. It
is the easiest way for an admin to teach end-users to use ssh without
(mis)dealing with host keys.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Dag-Erling Smorgrav

"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Why what? Sysadmin allows PasswordAuthentication only.

Why?

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 12:12:56 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Consider the following setup: OPIE is active and allows Unix plaintext
> > passwords for local users only (i.e. the common way of using OPIE). Then let's
> > disable all sshd auth methods except "PasswordAuthentication yes" in
> > sshd_config.
> 
> Why?

Why what? Sysadmin allows PasswordAuthentication only.

> 
> > 2nd bug is true: no OTP prompt in the scenario above.
> 
> Because PasswordAuthentication is not OPIE.

And I say so too. Why is OPIE in the middle (via PAM)? But you say it is an
enhancement (apparently non-working due to the missing OTP prompt).

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-10 Thread Dag-Erling Smorgrav

"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Consider the following setup: OPIE is active and allows Unix plaintext
> passwords for local users only (i.e. the common way of using OPIE). Then let's
> disable all sshd auth methods except "PasswordAuthentication yes" in
> sshd_config.

Why?

> 2nd bug is true: no OTP prompt in the scenario above.

Because PasswordAuthentication is not OPIE.

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-09 Thread Andrey A. Chernov

On Wed, Jul 10, 2002 at 03:26:02 +0400, Andrey A. Chernov wrote:
> 
> 1) It is client-related, so even if you'll fix sshd to print OTP prompt,

This is the question: who prints the password prompt? From a very quick and
incomplete look I see that it is the client itself, not the server, so it seems
there is no way to bring the needed OTP prompt to the user. Sorry, I am not
sure about this statement; as I say, it appears so at first look.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-09 Thread Andrey A. Chernov

On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:

> Seriously, can you please turn down the hysteria a couple of notches
> and give me a proper bug report?

This is not hysteria, just a short way to say things. I can try, at
least, to reword my reports more verbosely.

Consider the following setup: OPIE is active and allows Unix plaintext
passwords for local users only (i.e. the common way of using OPIE). Then let's
disable all sshd auth methods except "PasswordAuthentication yes" in
sshd_config. All other sshd and PAM things are in the default state. For
remote ssh logins we have two bugs in that scenario, one is questionable
and another one is true.

1st bug is questionable: violating the documented ssh way of turning OPIE on.
I'll return here later and now will mention only one thing: you say that
we have an enhancement here, but this enhancement is not working, because
of --

2nd bug is true: no OTP prompt in the scenario above. I.e. even if the user
wants to enter an OPIE password, he can't do that because he can't calculate
it, because he does not see something like

otp-md5 9960 pa4106 ext
[EMAIL PROTECTED] password:

but see only:

[EMAIL PROTECTED] password:

(no OTP prompt).

Now let's return to the 1st bug.

1) It is client-related, so even if you fix sshd to print the OTP prompt,
many ssh clients (f.e. Windows ones) do not understand this new prompt, i.e.
do not display it at all or even produce a fault.

2) One of the main purposes of OTP is to avoid sending a cleartext password
over the net, but ssh already does not do that. When the user calls ssh from a
secure end point, using OTP gains nothing, unlike for other programs; it only
slows the entering process down (calculating the response).

These two reasons mean that it would be better not to turn OPIE on for sshd
by default.

-- 
Andrey A. Chernov
http://ache.pp.ru/




Re: OPIE auth broken too (was Re: PasswordAuthentication not works in sshd)

2002-07-09 Thread Dag-Erling Smorgrav

"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> BTW, OPIE auth is broken too that way. In any ssh client I use I see _no_
> OPIE prompt like: [...]

You're jinxed.  You probably offended an evil spirit in a previous
life and it has come back to haunt you.

Seriously, can you please turn down the hysteria a couple of notches
and give me a proper bug report?

DES
-- 
Dag-Erling Smorgrav - [EMAIL PROTECTED]
