Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Wed, 23 Dec 2009 00:57:45 +0100

On Tue, 22 Dec 2009 17:49:20 -0600
Hannes Beinert <address@hidden> wrote:
> On Tue, Dec 22, 2009 at 17:17, Luke Faraone <address@hidden> wrote:
> > On Tue, Dec 22, 2009 at 17:59, Hannes Beinert <address@hidden>
> > wrote:
> >>
> >> I certainly think it would be nice to have as an option. However,
> >> honestly, I can't think of many advantages. If PPP could be
> >> installed by the user without any sysadmin intervention or
> >> cooperation, such as in a situation where one is just an
> >> individual user on a large system with sysadmins "who can't be
> >> bothered", then this would be a really useful option. However, to
> >> use PPP for login the system PAM stacks need to be modified.
> >
> > Use case: "I'm a sysadmin at a small company. I have a natural
> > aversion to anything centralized, and I don't want to have social
> > responsibility if anything goes wrong. I don't need any more
> > complexity in my system than absolutely necessary."
> >
> > Maybe it's a slim one, so feel free to ignore it.
>
> Not at all, it's certainly not a point of view which should be
> dismissed. The problem is that this same libertarian (:-) sysadmin
> would still need to muddle around with his PAM configuration, which
> would carry with it the burden of responsibility in the event that
> something should go wrong.
>
> However, you do make me wonder whether the PAM module could be
> designed to have a "permissive" or "optional" mode. Namely, if the
> user has no userland PPP configuration, the module would just return a
> successful authentication. If there *is* a userland configuration,
> then it would work normally. In this case, the sysadmin would be
> making the policy decision that PPP is optional, and if a user chooses
> to increase his/her account's security at the cost of convenience,
> then so be it.
>
> The other advantage of this system would be that it's even conceivable
> that a distro could ship with this module installed in the default PAM
> stacks. There would be no change in the default system behavior
> unless a user takes some proactive steps.
>
> I kinda like this option.

Done already. (-; You just add otpasswd into PAM as a 'required' module
(pam_unix being before it with the 'requisite' setting), and in the config
there's an ENFORCE option which is set to 0 by default, so the module will
return PAM_IGNORE if the user is not in the key database (global, local or
whatever).

Still, having a user-db makes the program not suid/sgid, which might be
thought of as safer. (It's never set-uid root!) I personally think that
it can be SUID/SGID by default, because there's kind of little code
which will get run with higher privilege when 'user-db' is selected, and
this would make the installation more 'standard':

#define _GNU_SOURCE /* clearenv() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* cfg_t, cfg_get(), print_init(), print_fini(), process_cmd_line(),
 * PRINT_ERROR and CONFIG_DB_GLOBAL come from the project's own headers,
 * which are not shown in this mail. */

extern char **environ;

int main(int argc, char **argv)
{
    int ret;
    cfg_t *cfg = NULL;
    /* Real IDs of the invoking user; these are what we drop back to. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* As we might be SUID/SGID binary. Clear environment. */
    ret = clearenv();
    if (ret != 0) {
        printf("Unable to clear environment\n");
        exit(EXIT_FAILURE);
    }

    ret = chdir("/");
    if (ret != 0) {
        printf("Unable to change directory to /\n");
        exit(EXIT_FAILURE);
    }

    /* The environment must be either NULL or an empty list. */
    if (environ != NULL && *environ != NULL) {
        printf("Environment not clear!\n");
        exit(EXIT_FAILURE);
    }
    putenv("PATH=/bin:/usr/bin");

    /* Bootstrap logging subsystem. */
    if (print_init(PRINT_ERROR, 1, 0, NULL) != 0) {
        printf("ERROR: Unable to start log subsystem\n");
        exit(EXIT_FAILURE);
    }

    /* Get global config */
    cfg = cfg_get();
    // This has to be secure, but as it doesn't read
    // user input it's not so bad.
    print_fini();

    if (!cfg) {
        printf("Unable to read global config file\n");
        exit(EXIT_FAILURE);
    }

    /* If database is not global we can drop permissions now */
    if (cfg->db != CONFIG_DB_GLOBAL) {
        // After these lines the MySQL/LDAP/Local approach doesn't have
        // any bigger privileges anymore.
        // Group first, then user; stop at the first failure.
        if (setgid(gid) != 0 || setuid(uid) != 0) {
            printf("Strange error while dropping permissions\n");
            exit(EXIT_FAILURE);
        }
    }

    // Here we pass user input which can be dangerous.
    ret = process_cmd_line(argc, argv);
    return ret;
}

--
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
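
Added example, not part of the original mail and not otpasswd code: a privilege drop for a binary that is SUID/SGID to a non-root account, as the mail describes. On Linux, setuid()/setgid() called without root privilege change only the effective ID and leave the saved ID in place, so this sketch uses setresgid()/setresuid() and reads the IDs back; drop_privileges() and ids_fully_dropped() are hypothetical names.

```c
#define _GNU_SOURCE /* setresuid(), setresgid(), getresuid(), getresgid() */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 only if real, effective and saved IDs all equal uid/gid. */
int ids_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return r == uid && e == uid && s == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Permanently become uid/gid. Returns 0 on success, -1 on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t old_euid = geteuid();
    gid_t old_egid = getegid();

    /* Group first: once the UID is gone the GID change may be refused. */
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Do not trust the return codes alone; read the IDs back. */
    if (!ids_fully_dropped(uid, gid))
        return -1;

    /* A non-root caller must now be unable to get the old IDs back. */
    if (uid != 0 &&
        ((old_egid != gid && setegid(old_egid) == 0) ||
         (old_euid != uid && seteuid(old_euid) == 0)))
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "Unable to drop privileges\n");
        return 1;
    }
    puts("running with the caller's IDs only");
    return 0;
}
```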