authordes <des@FreeBSD.org>2002-01-21 18:46:25 +0000
committerdes <des@FreeBSD.org>2002-01-21 18:46:25 +0000
commitbc31e1293b0cab9e0ffb32d77be376d89f692b65 (patch)
treea966b44df39637a2bbf15eebbac943c22f6a4774
parent99b518cd8be15a8078a9fe7958314af3dff0c021 (diff)
downloadFreeBSD-src-bc31e1293b0cab9e0ffb32d77be376d89f692b65.zip
FreeBSD-src-bc31e1293b0cab9e0ffb32d77be376d89f692b65.tar.gz
Further changes to allow enabling pam_opie(8) by default:
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before challenging the user. These options are meaningless for pam_opie(8) since the user can't possibly know the right response before she sees the challenge.
- Introduce the no_fake_prompts option. If this option is set, pam_opie(8) will fail - rather than present a bogus challenge - if the target user does not have an OPIE key. With this option, users who haven't set up OPIE won't have to wonder what that "weird otp-md5 s**t" means :)
Reviewed by: ache, markm
Sponsored by: DARPA, NAI Labs
-rw-r--r--lib/libpam/modules/pam_opie/pam_opie.815
-rw-r--r--lib/libpam/modules/pam_opie/pam_opie.c35
2 files changed, 38 insertions, 12 deletions
diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8
index e367803..1d8ad9c 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.8
+++ b/lib/libpam/modules/pam_opie/pam_opie.8
@@ -8,7 +8,6 @@
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
-.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
@@ -94,7 +93,21 @@ This is primarily for services like
where the user's ability to retype
their own password
might be deemed sufficient.
+.It Cm no_fake_prompts
+Do not generate fake challenges for users who do not have an OPIE key.
+Note that this can leak information to a hypothetical attacker about
+who uses OPIE and who doesn't, but it can be useful on systems where
+some users want to use OPIE but most don't.
.El
+.Pp
+Note that
+.Nm
+ignores the standard options
+.Cm try_first_pass
+and
+.Cm use_first_pass ,
+since a challenge must be generated before the user can submit a valid
+response.
.Sh FILES
.Bl -tag -width ".Pa /etc/opiekeys" -compact
.It Pa /etc/opiekeys
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index 5a2bd30..93629d3 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@@ -4,6 +4,8 @@
* Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001 Networks Associates Technologies, Inc.
* All rights reserved.
+ * Copyright (c) 2002 Networks Associates Technologies, Inc.
+ * All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
@@ -53,10 +55,14 @@ __FBSDID("$FreeBSD$");
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
-enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
+enum {
+ PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
+ PAM_OPT_NO_FAKE_PROMPTS
+};
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
+ { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS },
{ NULL, 0 }
};
@@ -78,15 +84,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Options processed");
- /*
- * It doesn't make sense to use a password that has already been
- * typed in, since we haven't presented the challenge to the user
- * yet.
- */
- if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
- pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
- PAM_RETURN(PAM_AUTH_ERR);
-
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
if ((pwd = getpwnam(getlogin())) == NULL)
@@ -107,7 +104,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
*/
opiedisableaeh();
- opiechallenge(&opie, (char *)user, challenge);
+ /*
+ * If the no_fake_prompts option was given, and the user
+ * doesn't have an OPIE key, just fail rather than present the
+ * user with a bogus OPIE challenge.
+ */
+ /* XXX generates a const warning because of incorrect prototype */
+ if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
+ pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
+ PAM_RETURN(PAM_AUTH_ERR);
+
+ /*
+ * It doesn't make sense to use a password that has already been
+ * typed in, since we haven't presented the challenge to the user
+ * yet, so clear the stored password.
+ */
+ pam_set_item(pamh, PAM_AUTHTOK, NULL);
+
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_pass(pamh, &response, prompt, &options);
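Review bot: The return value of `pam_set_item(pamh, PAM_AUTHTOK, NULL)` is discarded, so if clearing the stored token fails, the `pam_get_pass` call two lines below can still consume a stale PAM_AUTHTOK, which is exactly what the comment above the call says must not happen. Checking it keeps the stated invariant: `if (pam_set_item(pamh, PAM_AUTHTOK, NULL) != PAM_SUCCESS) PAM_RETURN(PAM_SYSTEM_ERR);`. Separately, when `opiechallenge()` returns non-zero and no_fake_prompts is not set, the code falls through to `snprintf(prompt, sizeof prompt, promptstr[i], challenge)` with whatever `challenge` holds; this presumably relies on opiechallenge filling in a fake challenge on every failure path, which is worth confirming, or else `challenge` should be initialized before the call. pam_sm_authenticate begins and ends outside this hunk.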