From bc31e1293b0cab9e0ffb32d77be376d89f692b65 Mon Sep 17 00:00:00 2001 From: des Date: Mon, 21 Jan 2002 18:46:25 +0000 Subject: Further changes to allow enabling pam_opie(8) by default: - Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before challenging the user. These options are meaningless for pam_opie(8) since the user can't possibly know the right response before she sees the challenge. - Introduce the no_fake_prompts option. If this option is set, pam_opie(8) will fail - rather than present a bogus challenge - if the target user does not have an OPIE key. With this option, users who haven't set up OPIE won't have to wonder what that "weird otp-md5 s**t" means :) Reviewed by: ache, markm Sponsored by: DARPA, NAI Labs --- lib/libpam/modules/pam_opie/pam_opie.8 | 15 ++++++++++++++- lib/libpam/modules/pam_opie/pam_opie.c | 35 +++++++++++++++++++++++----------- 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8 index e367803..1d8ad9c 100644 --- a/lib/libpam/modules/pam_opie/pam_opie.8 +++ b/lib/libpam/modules/pam_opie/pam_opie.8 @@ -8,7 +8,6 @@ .\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 .\" ("CBOSS"), as part of the DARPA CHATS research program. .\" -.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: @@ -94,7 +93,21 @@ This is primarily for services like where the user's ability to retype their own password might be deemed sufficient. +.It Cm no_fake_prompts +Do not generate fake challenges for users who do not have an OPIE key. +Note that this can leak information to a hypothetical attacker about +who uses OPIE and who doesn't, but it can be useful on systems where +some users want to use OPIE but most don't. .El +.Pp +Note that +.Nm +ignores the standard options +.Cm try_first_pass +and +.Cm use_first_pass , +since a challenge must be generated before the user can submit a valid +response. .Sh FILES .Bl -tag -width ".Pa /etc/opiekeys" -compact .It Pa /etc/opiekeys diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c index 5a2bd30..93629d3 100644 --- a/lib/libpam/modules/pam_opie/pam_opie.c +++ b/lib/libpam/modules/pam_opie/pam_opie.c @@ -4,6 +4,8 @@ * Based upon code Copyright 1998 Juniper Networks, Inc. * Copyright (c) 2001 Networks Associates Technologies, Inc. * All rights reserved. + * Copyright (c) 2002 Networks Associates Technologies, Inc. + * All rights reserved. * * Portions of this software were developed for the FreeBSD Project by * ThinkSec AS and NAI Labs, the Security Research Division of Network @@ -53,10 +55,14 @@ __FBSDID("$FreeBSD$"); #include #include "pam_mod_misc.h" -enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX }; +enum { + PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, + PAM_OPT_NO_FAKE_PROMPTS +}; static struct opttab other_options[] = { { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, + { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS }, { NULL, 0 } }; @@ -78,15 +84,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) PAM_LOG("Options processed"); - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet. - */ - if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) || - pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL)) - PAM_RETURN(PAM_AUTH_ERR); - user = NULL; if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { if ((pwd = getpwnam(getlogin())) == NULL) @@ -107,7 +104,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) */ opiedisableaeh(); - opiechallenge(&opie, (char *)user, challenge); + /* + * If the no_fake_prompts option was given, and the user + * doesn't have an OPIE key, just fail rather than present the + * user with a bogus OPIE challenge. + */ + /* XXX generates a const warning because of incorrect prototype */ + if (opiechallenge(&opie, (char *)user, challenge) != 0 && + pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL)) + PAM_RETURN(PAM_AUTH_ERR); + + /* + * It doesn't make sense to use a password that has already been + * typed in, since we haven't presented the challenge to the user + * yet, so clear the stored password. + */ + pam_set_item(pamh, PAM_AUTHTOK, NULL); + for (i = 0; i < 2; i++) { snprintf(prompt, sizeof prompt, promptstr[i], challenge); retval = pam_get_pass(pamh, &response, prompt, &options); -- cgit v1.1