On Wed, Jul 10, 2002 at 19:55:19 +0200, Dag-Erling Smorgrav wrote:
> Neither fix is correct. The correct solution is to remove the kludge
> in auth-passwd.c that tries to use PAM for password authentication.
I agree completely. My fix was a quick & dirty workaround only and not
planned as a full
"Andrey A. Chernov" wrote:
> On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> > "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > > Why what? Sysadmin allows PasswordAuthentication only.
> >
> > Why?
>
> Because he chooses to not trust host keys which can be stolen especiall
Neither fix is correct. The correct solution is to remove the kludge
in auth-passwd.c that tries to use PAM for password authentication.
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
On Wed, Jul 10, 2002 at 09:37:24 -0700, Gregory Neil Shapiro wrote:
> The problem seems to be the addition of opieaccess to the PAM
> configuration.
Not to PAM, but more strictly, to PAMified sshd. Addition of it to other
PAMified programs works as expected.
> With that addition, in -CURRENT,
If I may suggest a fix that will probably make everyone happy...
The problem seems to be the addition of opieaccess to the PAM
configuration. With that addition, in -CURRENT, unless a user creates
/etc/opieaccess and adds explicit "permit" lines, plain text passwords will
not be accepted if OPIE
On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:
> making any sense at all. If your config file really disables all
> authentication methods except PasswordAuthentication, then OPIE
> *never* worked for you, because it *cannot* be implemented over the
> SSH PasswordAuthentication
On Wed, Jul 10, 2002 at 15:37:11 +0200, Dag-Erling Smorgrav wrote:
> Andrey, I'd really suggest you back off and chill down. You're not
> making any sense at all. If your config file really disables all
> authentication methods except PasswordAuthentication, then OPIE
> *never* worked for you,
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
> > But why disable keyboard-interactive authentication?
> It is nowhere documented that keyboard-interactive auth is required for
> PasswordAuthentication. It works without it
On Wed, Jul 10, 2002 at 15:02:43 +0200, Dag-Erling Smorgrav wrote:
>
> But why disable keyboard-interactive authentication?
It is nowhere documented that keyboard-interactive auth is required for
PasswordAuthentication. It works without it for ages. Sysadmins tend to
remove all unneeded auth
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> > "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > > Why what? Sysadmin allows PasswordAuthentication only.
> > Why?
> Because he chooses to not trust host keys which can be st
On Wed, Jul 10, 2002 at 14:17:51 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Why what? Sysadmin allows PasswordAuthentication only.
>
> Why?
Because he chooses to not trust host keys which can be stolen especially
when not password-protected. Because i
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Why what? Sysadmin allows PasswordAuthentication only.
Why?
DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
On Wed, Jul 10, 2002 at 12:12:56 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > Consider the following setup: OPIE is active and allows Unix plaintext
> > passwords for local users only (i.e. common way of using OPIE). Then let's
> > disable all sshd auth methods
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Consider the following setup: OPIE is active and allows Unix plaintext
> passwords for local users only (i.e. common way of using OPIE). Then let's
> disable all sshd auth methods excepting "PasswordAuthentication yes" in
> sshd_config.
Why?
> 2nd bug
On Wed, Jul 10, 2002 at 03:26:02 +0400, Andrey A. Chernov wrote:
>
> 1) It is client-related, so even if you fix sshd to print the OTP prompt,
This is the question: who prints the password prompt? From a very quick and
incomplete look I see that it is the client itself, not the server, so it seems
there is no wa
Thus spake Gregory Neil Shapiro <[EMAIL PROTECTED]>:
> Interestingly enough, pam_opieaccess doesn't help at all in this
> situation. The remote user is still prompted for their plain text
> password, it just isn't accepted. However, the damage is already done -- a
> compromised ssh client would
On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:
> Seriously, can you please turn down the hysteria a couple of notches
> and give me a proper bug report?
On Tue, Jul 09, 2002 at 23:42:32 +0200, Dag-Erling Smorgrav wrote:
> Seriously, can you please turn down the hysteria a cou
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> BTW, OPIE auth is broken too that way. In any ssh client I use I see _no_
> OPIE prompt like: [...]
You're jinxed. You probably offended an evil spirit in a previous
life and it has come back to haunt you.
Seriously, can you please turn down the hy
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> I understand that. What I say is that it must not be in the default setup
> because it breaks normal password auth for ssh.
Only for users who have set up an OPIE password, but explicitly choose
not to use OPIE.
> I.e. I no
> "ache" == Andrey A Chernov <[EMAIL PROTECTED]> writes:
ache> On Tue, Jul 09, 2002 at 09:46:40 -0700, Gregory Neil Shapiro wrote:
>>
>> one of the authentication techniques early on). Also, pam_opieaccess is
>> broken at the moment anyway as /usr/src/contrib/opie/libopie/accessfile.c
>> is
On Tue, Jul 09, 2002 at 09:46:40 -0700, Gregory Neil Shapiro wrote:
>
> one of the authentication techniques early on). Also, pam_opieaccess is
> broken at the moment anyway as /usr/src/contrib/opie/libopie/accessfile.c
> is not compiled with PATH_ACCESS_FILE defined. The maintainer of OPIE
> s
>> Normally OPIE does not accept a plain Unix password remotely, and it is right,
>> because of cleartext. But it is wrong for sshd, because no cleartext is
>> sent for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
>> fail by default or maybe even not be present there.
des> What if the c
On Tue, Jul 09, 2002 at 15:59:04 +0200, Dag-Erling Smorgrav wrote:
> What if the client is untrusted? Do you find it reasonable to allow
> users to type their password on an untrusted client? Many of our
> users use OPIE for precisely this scenario - reading their mail on an
> untrusted machine
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> Normally OPIE does not accept a plain Unix password remotely, and it is right,
> because of cleartext. But it is wrong for sshd, because no cleartext is
> sent for PasswordAuth. It seems that opieaccess in pam.d/sshd should not
> fail by default or maybe
On Tue, Jul 09, 2002 at 15:16:01 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > It does not help. Moreover, I found that I am able to do 'ssh localhost' but
> > unable to do ssh from any other machine, with exactly the same password.
>
> Try commenting out the
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> It does not help. Moreover, I found that I am able to do 'ssh localhost' but
> unable to do ssh from any other machine, with exactly the same password.
Try commenting out the pam_opieaccess line in /etc/pam.d/sshd.
DES
--
Dag-Erling Smorgrav - [EMAI
On Tue, Jul 09, 2002 at 16:49:44 +0400, Andrey A. Chernov wrote:
> It does not help. Moreover, I found that I am able to do 'ssh localhost' but
> unable to do ssh from any other machine, with exactly the same password.
> DEBUG3 output clearly indicates that this error is related to PAM somehow:
> de
On Tue, Jul 02, 2002 at 14:01:35 +0200, Dag-Erling Smorgrav wrote:
> "Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> > I just upgraded to a recent -current sshd and found that
> > PasswordAuthentication does not work anymore (always fails, with the right
> > password too). I have not yet dug deeper at this mo
"Andrey A. Chernov" <[EMAIL PROTECTED]> writes:
> I just upgraded to a recent -current sshd and found that
> PasswordAuthentication does not work anymore (always fails, with the right
> password too). I have not yet dug deeper at this moment, just FYI.
Try this:
===