pam_opieaccess.so and opiepasswd -d

Eugene M. Kim ab at astralblue.net
Thu Oct 2 12:26:10 PDT 2003


Greetings,

pam_opieaccess.so is documented to allow cleartext passwords (by 
returning PAM_SUCCESS) when OPIE is disabled for the user.

However, on both -current and 4-stable, pam_opieaccess.so checks whether 
OPIE is enabled only by checking the existence of the user's record from 
/etc/opiekeys.  Since a valid /etc/opiekeys record can also indicate 
that the OPIE access is disabled (i.e. one runs opiepasswd -d to set the 
value field to `****************'), I guess the module should check this 
as well.

Currently this check is not performed, so when one has the pam_opie.so plus 
pam_opieaccess.so combination, users with an explicitly disabled OPIE 
record and a cleartext password won't be able to log in even when 
/etc/opieaccess allows cleartext password logins.

Is the current behavior an intended feature, or should it be fixed (the 
patch would be trivial)?

Eugene
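
The check raised in the message above, sketched as an added example (not code from the post or from FreeBSD's pam_opieaccess). It assumes whitespace-separated opiekeys fields in the order name, sequence, seed, value, date; the sample records and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the assumed opiekeys layout; not real keys. */
static const char SAMPLE_KEYS[] =
    "alice 0499 ab1234           0123456789abcdef  Oct 02,2003 12:26:10\n"
    "bob 0499 cd5678           ****************  Oct 02,2003 12:26:10\n";

enum opie_state { OPIE_NO_RECORD, OPIE_DISABLED, OPIE_ACTIVE };

/* Classify a user's record in opiekeys-style text (hypothetical helper). */
enum opie_state opie_record_state(const char *keys, const char *user)
{
    const char *line = keys;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char name[33], seq[16], seed[33], value[33], buf[256];
        if (len < sizeof(buf)) {          /* over-long lines are skipped */
            memcpy(buf, line, len);
            buf[len] = '\0';
            if (sscanf(buf, "%32s %15s %32s %32s", name, seq, seed, value) == 4
                && strcmp(name, user) == 0)
                /* The value set by `opiepasswd -d` marks a disabled record. */
                return strcmp(value, "****************") == 0
                           ? OPIE_DISABLED : OPIE_ACTIVE;
        }
        line = eol ? eol + 1 : line + len;
    }
    return OPIE_NO_RECORD;
}

/* Behaviour described in the post: any record counts as "OPIE enabled". */
int enabled_by_existence(const char *keys, const char *user)
{
    return opie_record_state(keys, user) != OPIE_NO_RECORD;
}

/* Check the post asks for: a disabled record is treated like no record. */
int enabled_by_value(const char *keys, const char *user)
{
    return opie_record_state(keys, user) == OPIE_ACTIVE;
}

int main(void)
{
    printf("bob: by_existence=%d by_value=%d\n",
           enabled_by_existence(SAMPLE_KEYS, "bob"),
           enabled_by_value(SAMPLE_KEYS, "bob"));
    return 0;
}
```

For the constructed user `bob`, the two checks disagree, which is the case the message describes.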



More information about the freebsd-hackers mailing list