freebsd security - Jun 2003 - Problems with the pam_opieaccess PAM module

Hi,

I've configured opie (one time passwords) under FreeBSD and I came
across the following problem.

It looks like libpam does not stop the authentication process when
a 'requisite' module fails. I find this strange as the pam
'requisite'
is defined in the man pages as: requisite - failure of such a PAM
results in the immediate termination of the authentication process;

Here is what I did.

I've setup opie for my account.  I've configured pam_opieaccess
(/etc/opieaccess) to allow my home network to use static passwords:

permit 10.0.0.0 255.255.255.0
 
And in /etc/pam.conf I added:

sshd    auth    required      pam_opie.so
sshd    auth    requisite     pam_opieaccess.so
sshd    auth    required      /usr/lib/pam_krb5.so.1     try_first_pass
forwardable

The module pam_opieaccess is supposed to send a PAM_SUCCESS under
the following conditions:

<from the man page of pam_opieaccess>

1.   The user does not have OPIE enabled
2.   The user has OPIE enabled, and the remote host is listed as a
     trusted host in /etc/opieaccess, and the user does not have a file
     named opiealways in his home directory.

</from the man page of pam_opieaccess>

I read this as: If pam_opieaccess fails it returns PAM_AUTH_ERR and
the authentication process should stop.

However when it impent this sshd or the pam library does not take
the PAM_AUTH_ERR and stop the authentication process but it just
continues to with the pam_krb5 module. (btw I typed the wrong pw
in the example bellow).

eunoc25:[~] % ssh banzai
otp-md5 442 ba4387 ext
Password: 
pam_opieaccess: pam_sm_authenticate: Refused; remote host is not in opieaccess
Last login: Fri Jun 27 16:26:41 2003 from eunoc25
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.8-STABLE (BANZAI) #0: Thu Jun  5 23:39:01 CEST 2003

The 'pam_opieaccess: pam_sm_authenticate: Refused; remote host is
not in opieaccess' indicates that the pam module failed. But it did
let me log in. (brrrr)

src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
...
        PAM_VERBOSE_ERROR("Refused; remote host is not in
opieaccess");

        return (PAM_AUTH_ERR);
...

I'm not sure if this is a bug but the results may be very dangerous.
It looks like libpam does not stop the authentication process when
a 'requisite' module fails.  I'm running 4.8-STABLE.

Regards,

 - Brendan

Brendan Bank <brendan@gnarst.net> writes:
> And in /etc/pam.conf I added:
>
> sshd    auth    required      pam_opie.so
> sshd    auth    requisite     pam_opieaccess.so
> sshd    auth    required      /usr/lib/pam_krb5.so.1     try_first_pass
forwardable
Where in /etc/pam.conf?  There are already sshd lines in pam.conf, and
things may not work as you expect if you merely added your lines
rather than replace what was already there.

BTW, I use the following:

root@flood ~# grep sshd /etc/pam.conf
#sshd   auth    sufficient      pam_skey.so
sshd    auth    sufficient      pam_opie.so                     no_fake_prompts
sshd    auth    requisite       pam_opieaccess.so
#sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
#sshd   auth    sufficient      pam_krb5.so                     try_first_pass
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    account required        pam_unix.so
sshd    password required       pam_permit.so
sshd    session required        pam_permit.so

and it works perfectly.

DES
-- 
Dag-Erling Sm?rgrav - des@des.no