"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
> > # grep '^[^#]' /etc/opieaccess
> > permit 127.0.0.1 255.255.255.255
> > permit 10.0.0.1 255.255.255.0
> Really there must be only the address resolved from the gethostname() call,
> wha
On Mon, Jan 21, 2002 at 19:40:40 +0100, Dag-Erling Smorgrav wrote:
>
> Which I do...
>
> # grep '^[^#]' /etc/opieaccess
> permit 127.0.0.1 255.255.255.255
> permit 10.0.0.1 255.255.255.0
Really there must be only the address resolved from the gethostname() call,
what e.g. "su" sets for PAM_RHOST on loc
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> It looks like the right variant. _By_default_ an OPIE user is unable to enter
> a Unix password. You need to add
> permit 255.255.255.255
> line to /etc/opieaccess to _allow_ Unix passwords on your machine.
Which I do...
# grep '^[^#]' /etc/opieaccess
p
On Mon, Jan 21, 2002 at 21:24:25 +0300, Andrey A. Chernov wrote:
> > > - without the change:
> > >
> > > des@des ~% login des
> > > otp-md5 496 de6973 ext
> > > Password:
> > > otp-md5 496 de6973 ext
> > > Password [echo on]:
> > > Login incorrect
> > > login:
>
> If OPIE is configured to al
> Here are the (hopefully) final patches. Any final objections before I
> commit the lot?
According to EyeBall Mk1, this is fine! :-)
I haven't extensively tested the code, but the methods used and the
design are very sound, I believe.
M
--
o Mark Murray
\_ FreeBSD Services Limited
On Mon, Jan 21, 2002 at 21:13:19 +0300, Andrey A. Chernov wrote:
> On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
> >
> > Assuming no ~des/.opiealways,
> >
> > - without the change:
> >
> > des@des ~% login des
> > otp-md5 496 de6973 ext
> > Password:
> > otp-md5 496 de697
On Mon, Jan 21, 2002 at 18:53:34 +0100, Dag-Erling Smorgrav wrote:
>
> Here are the (hopefully) final patches. Any final objections before I
> commit the lot?
Except that the get_pass() thing causes 3 prompts again, all looks right.
--
Andrey A. Chernov
http://ache.pp.ru/
To Unsubscribe: send mail
On Mon, Jan 21, 2002 at 18:46:37 +0100, Dag-Erling Smorgrav wrote:
>
> Assuming no ~des/.opiealways,
>
> - without the change:
>
> des@des ~% login des
> otp-md5 496 de6973 ext
> Password:
> otp-md5 496 de6973 ext
> Password [echo on]:
> Login incorrect
> login:
It looks like right varian
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> No, when opiechallenge() returns != 0, no opieunlock() is needed because
> nothing is locked. Look at the opiechallenge() sources, it does not make
> a lock on error.
Oh, you're right. I wasn't thinking.
Here are the (hopefully) final patches. Any final ob
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> I am not sure I understand this fully, could you please send two
> typescripts (in the manner you do for login testing) with and without this
> change?
Assuming no ~des/.opiealways,
- without the change:
des@des ~% login des
otp-md5 496 de6973
On Mon, Jan 21, 2002 at 18:33:22 +0100, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > We can speed up pam_opie by saving one opielookup() call in this way:
>
> True, except you forgot to call opieunlock() :)
No, when opiechallenge() returns != 0, no opieunlock()
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> We can speed up pam_opie by saving one opielookup() call in this way:
True, except you forgot to call opieunlock() :)
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
>
> 1) in pam_get_pass(), if the current token is non-null but empty,
> ignore it. This allows a user to just press enter at an OPIE
> prompt and still get a Unix prompt.
I am not sure I understand this fully, could you
On Mon, Jan 21, 2002 at 18:01:45 +0100, Dag-Erling Smorgrav wrote:
> 3) in pam_opie(8), return PAM_AUTH_ERR if no_fake_prompts was
> specified and the user hasn't set up OPIE.
We can speed up pam_opie by saving one opielookup() call in this way:
/*
* Don't call the OPIE a
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
> > - enable OPIE by default, with the no_fake_prompts option, leaving it
> >   up to the admin to enable fake prompts if he so wishes
> I vote for this one.
I agree, for the rea
On Mon, Jan 21, 2002 at 17:24:28 +0100, Dag-Erling Smorgrav wrote:
> - enable OPIE by default, with the no_fake_prompts option, leaving it
>   up to the admin to enable fake prompts if he so wishes
I vote for this one.
> Please, I'm getting paid to do this :) Make yourself a cup of tea or
> s
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
> One (among others) argument _for_ "no fake prompts" is that a standalone
> application, once compiled with OPIE support, can't dynamically turn off
> fake prompts using some configura
On Mon, Jan 21, 2002 at 16:54:56 +0100, Dag-Erling Smorgrav wrote:
> Ah, I thought pam_opie(8) ignored users that didn't have OPIE set up.
In fact, there is no consensus about that among standalone OPIE
applications: some act with fake prompts, some without.
One (among others) argument _for
> On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
> >
> > 1) there's no reason to have pam_opie commented out now, it won't do
>
> One reason still exists: all users (i.e. non-OPIE too) will see OTP
> responses when pam_opie is uncommented. It may lead to confusion or
> w
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> I already commented on "always turning opie on" in the previous message; besides
> that, I don't understand one thing in your patch: why do you not enable
> pam_opie for "su" and not add pam_opieaccess there? It is useful enough
> for a sysadmin logging in as use
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> One reason still exists: all users (i.e. non-OPIE too) will see OTP
> responses when pam_opie is uncommented. It may lead to confusion or
> wrong automated scripts processing.
Ah, I thought pam_opie(8) ignored users that didn't have OPIE set
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
>
> Patch attached.
I already commented on "always turning opie on" in the previous message; besides
that, I don't understand one thing in your patch: why do you not enable
pam_opie for "su" and not add pam_opieaccess there? It is useful enough
On Mon, Jan 21, 2002 at 16:33:57 +0100, Dag-Erling Smorgrav wrote:
>
> 1) there's no reason to have pam_opie commented out now, it won't do
One reason still exists: all users (i.e. non-OPIE too) will see OTP
responses when pam_opie is uncommented. It may lead to confusion or
wrong automated
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> These fixes reflect the pam_opieaccess addition.
OK, comments:
1) there's no reason to have pam_opie commented out now, it won't do
anything unless OPIE is enabled for the target user. With my
patch, any user can use OPIE by simply running op
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> These fixes reflect the pam_opieaccess addition.
Augh, I just spent about an hour doing just that (and fixing some
other stuff too). Thanks anyway, I'll compare your patches to mine to
see if we disagree anywhere.
DES
--
Dag-Erling Smorgrav - [EMA
25 matches