freebsd stable - Nov 2003 - opie bug or ..?

Hi. I have a question related to freebsd opie implementation.
I am running 4.9-RELEASE and I've tried to setup opie.

*** 1 *** opiepasswd/opiekey

I've added user using `opiepasswd -c "ssa"`

   mx2# opiepasswd -c "ssa"
   Adding ssa:
   Only use this method from the console; NEVER from remote. If you are using
   telnet, xterm, or a dial-in, type ^C now or exit with no password.
   Then run opiepasswd without the -c parameter.
   Using MD5 to compute responses.
   Enter new secret pass phrase:
   Again new secret pass phrase:

  ID ssa OTP key is 499 mx1759
  WADE IFFY LAWN MEAD DANG BUB
  mx2#

And now I want to change it

   mx2# opiepasswd "ssa"
   Updating ssa:
   You need the response from an OTP generator.
   New secret pass phrase:
          otp-md5 499 mx17
          Response:

You see that seed equal 'mx17', using opiekey:

   mx2# opiekey 499 mx17
   Using the MD5 algorithm to compute response.
   Seeds must be greater than 5 characters long.
   mx2#

So it is not possible to update password in /etc/opiekey file, you
have to edit it manually and that add password again via 'opiepasswd'.



*** 2***  opiekey

opiekey could not generate response for zero sequence number when it
specified directly:

   mx2# opiekey -a 0 vo6199
   Using the MD5 algorithm to compute response.
   Sequence number 0 is not positive.

but it works fine in case of:

   mx2# opiekey -n5 1 vo6199
   Using the MD5 algorithm to compute response.
   Reminder: Don't use opiekey from telnet or dial-in sessions.
   Enter secret pass phrase:
   0: OAK SEW CULT FALL AX WAND
   1: BOUT AID SOOT BUT SIT BILK
   mx2#

*** 3 *** pam_opie.so, the most interesting thing

After successful login with 0 sequence number, trying to do it again
(sequence number has been decreased, right?)

   mx2# ssh ssa@192.168.90.250
   otp-md5 -1 (null) ext
   Password:

Is  it  impossible  to calculate response to '-1' so trying to use any
password  to  skip  pam_opie  and login with next pam module. But here
login   hangs   and  there  is  _no_way_  to  login  remotely  because
pam_opie.so is the top line of pam.conf

After about 1-2 minutes timeout it just says "Connection closed by
192.168.90.250"


*** 4 *** now just a question

(In  case  of fix) After 0 or 1 seq. number it should recount from the
beginning,  for  example  from  499,  but  I think that seed should be
automatically  changed  in that case for next 500 iterations otherwise
that is not one-time-passwords



So...  I think that is not good ... or am I mistaken?


-- 
Best regards, Sergey

Forgive the top-post -- I have independently verified this,
suggest you open a PR.  This is definitely a bug in opiepasswd.
It is also present in RELENG_4_8.

Regards,  Michael

Sergey Sysoev wrote:
> Hi. I have a question related to freebsd opie implementation.
> I am running 4.9-RELEASE and I've tried to setup opie.
> 
> *** 1 *** opiepasswd/opiekey
> 
> I've added user using `opiepasswd -c "ssa"`
> 
>    mx2# opiepasswd -c "ssa"
>    Adding ssa:
>    Only use this method from the console; NEVER from remote. If you are
using
>    telnet, xterm, or a dial-in, type ^C now or exit with no password.
>    Then run opiepasswd without the -c parameter.
>    Using MD5 to compute responses.
>    Enter new secret pass phrase:
>    Again new secret pass phrase:
> 
>   ID ssa OTP key is 499 mx1759
>   WADE IFFY LAWN MEAD DANG BUB
>   mx2#
> 
> And now I want to change it
> 
>    mx2# opiepasswd "ssa"
>    Updating ssa:
>    You need the response from an OTP generator.
>    New secret pass phrase:
>           otp-md5 499 mx17
>           Response:
> 
> You see that seed equal 'mx17', using opiekey:
> 
>    mx2# opiekey 499 mx17
>    Using the MD5 algorithm to compute response.
>    Seeds must be greater than 5 characters long.
>    mx2#
> 
> So it is not possible to update password in /etc/opiekey file, you
> have to edit it manually and that add password again via
'opiepasswd'.
> 
> 
> 
> *** 2***  opiekey
> 
> opiekey could not generate response for zero sequence number when it
> specified directly:
> 
>    mx2# opiekey -a 0 vo6199
>    Using the MD5 algorithm to compute response.
>    Sequence number 0 is not positive.
> 
> but it works fine in case of:
> 
>    mx2# opiekey -n5 1 vo6199
>    Using the MD5 algorithm to compute response.
>    Reminder: Don't use opiekey from telnet or dial-in sessions.
>    Enter secret pass phrase:
>    0: OAK SEW CULT FALL AX WAND
>    1: BOUT AID SOOT BUT SIT BILK
>    mx2#
> 
> *** 3 *** pam_opie.so, the most interesting thing
> 
> After successful login with 0 sequence number, trying to do it again
> (sequence number has been decreased, right?)
> 
>    mx2# ssh ssa@192.168.90.250
>    otp-md5 -1 (null) ext
>    Password:
> 
> Is  it  impossible  to calculate response to '-1' so trying to use
any
> password  to  skip  pam_opie  and login with next pam module. But here
> login   hangs   and  there  is  _no_way_  to  login  remotely  because
> pam_opie.so is the top line of pam.conf
> 
> After about 1-2 minutes timeout it just says "Connection closed by
192.168.90.250"
> 
> 
> *** 4 *** now just a question
> 
> (In  case  of fix) After 0 or 1 seq. number it should recount from the
> beginning,  for  example  from  499,  but  I think that seed should be
> automatically  changed  in that case for next 500 iterations otherwise
> that is not one-time-passwords
> 
> 
> 
> So...  I think that is not good ... or am I mistaken?
> 
> 

-- 

"Well," Brahma said, "even after ten thousand explanations, a
fool is no
  wiser, but an intelligent man requires only two thousand five hundred."
                 - The Mahabharata