Enable OPIE by default, using the no_fake_prompts option to hide it from

users who don't wish to use it. If the admin is worried about leaking information about which users exist and which have OPIE enabled, the no_fake_prompts option can simply be removed. Also insert the appropriate pam_opieaccess lines after pam_opie to break the chain in case the user is logging in from an untrusted host, or has a .opiealways file. The entire opieaccess / opiealways concept is slightly unpammish, but admins familiar with OPIE will expect it to work. Reviewed by: ache, markm Sponsored by: DARPA, NAI Labs
svn path=/head/; revision=89619
2002-01-21 18:51:24 +00:00 · 2002-01-21 18:51:24 +00:00 · ae739ec469 · 2020-12-20 02:59:44 +00:00
commit ae739ec469
parent 03adba96a0
9 changed files with 40 additions and 23 deletions
--- a/etc/pam.d/csshd
+++ b/etc/pam.d/csshd
@ -5,4 +5,5 @@
 #

 # auth
-auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
--- a/etc/pam.d/ftp
+++ b/etc/pam.d/ftp
@ -8,7 +8,8 @@
 auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
-#auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 auth		required	pam_unix.so	no_warn try_first_pass

--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@ -9,10 +9,9 @@ auth		required	pam_nologin.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn
 #auth           sufficient      pam_ssh.so      no_warn try_first_pass
-# Uncomment either pam_opie or pam_unix, but not both of them.
-# pam_unix can't be simple chained with pam_opie, ftpd provides proper fallback
-auth		required	pam_opie.so	no_warn
-#auth		required	pam_unix.so	no_warn try_first_pass
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
+auth		required	pam_unix.so	no_warn try_first_pass

 # account
 #account	required	pam_kerberosIV.so
--- a/etc/pam.d/imap
+++ b/etc/pam.d/imap
@ -6,6 +6,7 @@

 # auth
 #auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+#auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 #auth		required	pam_unix.so	no_warn try_first_pass
--- a/etc/pam.d/kde
+++ b/etc/pam.d/kde
@ -6,7 +6,8 @@

 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		sufficient	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@ -6,7 +6,8 @@

 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		sufficient	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass
 #auth		required	pam_ssh.so	no_warn try_first_pass
@ -24,7 +25,6 @@ account		required	pam_unix.so
 session		required	pam_unix.so

 # password
-#password	sufficient	pam_opie.so	no_warn
 #password	sufficient	pam_kerberosIV.so	no_warn try_first_pass
 #password	sufficient	pam_krb5.so	no_warn try_first_pass
 password	required	pam_unix.so	no_warn try_first_pass
--- a/etc/pam.d/other
+++ b/etc/pam.d/other
@ -6,7 +6,8 @@

 # auth
 auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
 auth		required	pam_unix.so	no_warn try_first_pass

 # account
--- a/etc/pam.d/pop3
+++ b/etc/pam.d/pop3
@ -6,6 +6,7 @@

 # auth
 #auth		required	pam_nologin.so	no_warn
-#auth		required	pam_opie.so	no_warn
+#auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+#auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 #auth		required	pam_unix.so	no_warn try_first_pass
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@ -9,33 +9,45 @@ auth		sufficient	pam_rootok.so	no_warn
 auth		requisite	pam_wheel.so	no_warn auth_as_self noroot_ok
 #auth		sufficient	pam_kerberosIV.so	no_warn
 #auth		sufficient	pam_krb5.so	no_warn try_first_pass auth_as_self
-#auth		required	pam_opie.so	no_warn
+auth		sufficient	pam_opie.so	no_warn no_fake_prompts
+auth		requisite	pam_opieaccess.so	no_warn
 #auth		required	pam_ssh.so	no_warn try_first_pass
 auth		required	pam_unix.so	no_warn try_first_pass nullok
-#auth		sufficient	pam_rootok.so	no_warn
-##auth		sufficient	pam_kerberosIV.so	no_warn
-##auth		sufficient	pam_krb5.so	no_warn
-#auth		required	pam_opie.so	no_warn auth_as_self
-#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self

 # account
 #account	required	pam_kerberosIV.so
 #account	required	pam_krb5.so
 account		required	pam_unix.so
-##account	required	pam_kerberosIV.so
-##account	required	pam_krb5.so
-#account	required	pam_unix.so

 # session
 #session	required	pam_kerberosIV.so
 #session	required	pam_krb5.so
 #session	required	pam_ssh.so
 session		required	pam_unix.so
+
+# password
+password	required	pam_permit.so
+
+
+# If you want a "WHEELSU"-type su(1), then comment out the
+# above, and uncomment the entries below.
+## auth
+#auth		sufficient	pam_rootok.so	no_warn
+##auth		sufficient	pam_kerberosIV.so	no_warn
+##auth		sufficient	pam_krb5.so	no_warn
+#auth		required	pam_opie.so	no_warn auth_as_self no_fake_prompts
+#auth		required	pam_unix.so	no_warn try_first_pass auth_as_self
+
+## account
+##account	required	pam_kerberosIV.so
+##account	required	pam_krb5.so
+#account	required	pam_unix.so
+
+## session
 ##session	required	pam_kerberosIV.so
 ##session	required	pam_krb5.so
 ##session	required	pam_ssh.so
 #session	required	pam_unix.so

-# password
-password	required	pam_permit.so
+## password
 #password	required	pam_permit.so