03adba96a0
- Ignore the {try,use}_first_pass options by clearing PAM_AUTHTOK before challenging the user. These options are meaningless for pam_opie(8) since the user can't possibly know the right response before she sees the challenge. - Introduce the no_fake_prompts option. If this option is set, pam_opie(8) will fail - rather than present a bogus challenge - if the target user does not have an OPIE key. With this option, users who haven't set up OPIE won't have to wonder what that "weird otp-md5 s**t" means :) Reviewed by: ache, markm Sponsored by: DARPA, NAI Labs
124 lines
3.9 KiB
Groff
124 lines
3.9 KiB
Groff
.\" Copyright (c) 2001 Mark R V Murray
|
|
.\" All rights reserved.
|
|
.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Portions of this software were developed for the FreeBSD Project by
|
|
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
|
|
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
|
.\" ("CBOSS"), as part of the DARPA CHATS research program.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote
|
|
.\" products derived from this software without specific prior written
|
|
.\" permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd July 7, 2001
|
|
.Dt PAM_OPIE 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pam_opie
|
|
.Nd OPIE PAM module
|
|
.Sh SYNOPSIS
|
|
.Op Ar service-name
|
|
.Ar module-type
|
|
.Ar control-flag
|
|
.Pa pam_opie
|
|
.Op Ar options
|
|
.Sh DESCRIPTION
|
|
The OPIE authentication service module for PAM,
|
|
.Nm
|
|
provides functionality for only one PAM category:
|
|
that of authentication.
|
|
In terms of the
|
|
.Ar module-type
|
|
parameter, this is the
|
|
.Dq Li auth
|
|
feature.
|
|
It also provides a null function for session management.
|
|
.Pp
|
|
Note that this module does not enforce
|
|
.Xr opieaccess 5
|
|
checks.
|
|
There is a separate module,
|
|
.Xr pam_opieaccess 8 ,
|
|
for this purpose.
|
|
.Ss OPIE Authentication Module
|
|
The OPIE authentication component
|
|
provides functions to verify the identity of a user
|
|
.Pq Fn pam_sm_authenticate ,
|
|
which obtains the relevant
|
|
.Xr opie 4
|
|
credentials.
|
|
It provides the user with an OPIE challenge,
|
|
and verifies that this is correct with
|
|
.Xr opiechallenge 3 .
|
|
.Pp
|
|
The following options may be passed to the authentication module:
|
|
.Bl -tag -width ".Cm auth_as_self"
|
|
.It Cm debug
|
|
.Xr syslog 3
|
|
debugging information at
|
|
.Dv LOG_DEBUG
|
|
level.
|
|
.It Cm auth_as_self
|
|
This option will require the user
|
|
to authenticate themself as the user
|
|
given by
|
|
.Xr getlogin 2 ,
|
|
not as the account they are attempting to access.
|
|
This is primarily for services like
|
|
.Xr su 1 ,
|
|
where the user's ability to retype
|
|
their own password
|
|
might be deemed sufficient.
|
|
.It Cm no_fake_prompts
|
|
Do not generate fake challenges for users who do not have an OPIE key.
|
|
Note that this can leak information to a hypothetical attacker about
|
|
who uses OPIE and who doesn't, but it can be useful on systems where
|
|
some users want to use OPIE but most don't.
|
|
.El
|
|
.Pp
|
|
Note that
|
|
.Nm
|
|
ignores the standard options
|
|
.Cm try_first_pass
|
|
and
|
|
.Cm use_first_pass ,
|
|
since a challenge must be generated before the user can submit a valid
|
|
response.
|
|
.Sh FILES
|
|
.Bl -tag -width ".Pa /etc/opiekeys" -compact
|
|
.It Pa /etc/opiekeys
|
|
default OPIE password database.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr passwd 1 ,
|
|
.Xr getlogin 2 ,
|
|
.Xr opiechallenge 3 ,
|
|
.Xr syslog 3 ,
|
|
.Xr opie 4 ,
|
|
.Xr pam.conf 5 ,
|
|
.Xr pam 8
|