otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Wed, 23 Dec 2009 00:57:45 +0100

On Tue, 22 Dec 2009 17:49:20 -0600
Hannes Beinert <address@hidden> wrote:

> On Tue, Dec 22, 2009 at 17:17, Luke Faraone <address@hidden> wrote:
> > On Tue, Dec 22, 2009 at 17:59, Hannes Beinert <address@hidden>
> > wrote:
> >>
> >> I certainly think it would be nice to have as an option.  However,
> >> honestly, I can't think of many advantages.  If PPP could be
> >> installed by the user without any sysadmin intervention or
> >> cooperation, such as in a situation where one is just an
> >> individual user on a large system with sysadmins "who can't be
> >> bothered", then this would be a really useful option.  However, to
> >> use PPP for login the system PAM stacks need to be modified.
> >
> > Use case: "I'm a sysadmin at a small company. I have a natural
> > aversion to anything centralized, and I don't want to have social
> > responsibility if anything goes wrong. I don't need any more
> > complexity in my system than absolutely necessary."
> >
> > Maybe it's a slim one, so feel free to ignore it.
> 
> Not at all, it's certainly not a point of view which should be
> dismissed.  The problem is that this same libertarian (:-) sysadmin
> would still need to muddle around with his PAM configuration, which
> would carry with it the burden of responsibility in the event that
> something should go wrong.
> 
> However, you do make me wonder whether the PAM module could be
> designed to have a "permissive" or "optional" mode.  Namely, if the
> user has no userland PPP configuration, the module would just return a
> successful authentication.  If there *is* a userland configuration,
> then it would work normally.  In this case, the sysadmin would be
> making the policy decision that PPP is optional, and if a user chooses
> to increase his/her account's security at the cost of convenience,
> then so be it.
> 
> The other advantage of this system would be that it's even conceivable
> that a distro could ship with this module installed in the default PAM
> stacks.  There would be no change in the default system behavior
> unless a user takes some proactive steps.
> 
> I kinda like this option.

Done already. (-; You just add otpasswd into PAM as a 'required' module
(with pam_unix before it, set to 'requisite'), and in the config there's an
ENFORCE option which is by default set to 0, so the module will return
PAM_IGNORE if the user is not in the key database (global, local or whatever).


Still, having a user-db makes the program not suid/sgid, which might be
thought of as safer. (It's never set-uid root!) I personally think that
it can be SUID/SGID by default because there's relatively little code
which will get run with higher privilege when 'user-db' is selected, and
this would make the installation more 'standard':


#define _GNU_SOURCE             /* clearenv(), setresuid(), setresgid() */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* otpasswd's own headers (config, logging, command-line parsing) go here:
 * they provide cfg_t, cfg_get(), CONFIG_DB_GLOBAL, print_init(),
 * print_fini(), PRINT_ERROR and process_cmd_line(). */

extern char **environ;

int main(int argc, char **argv)
{
        int ret;
        cfg_t *cfg = NULL;
        /* Real IDs of the invoking user; the effective IDs may be elevated. */
        uid_t uid = getuid();
        gid_t gid = getgid();

        /* As we might be a SUID/SGID binary: clear the environment. */
        ret = clearenv();
        if (ret != 0) {
                printf("Unable to clear environment\n");
                exit(EXIT_FAILURE);
        }

        ret = chdir("/");
        if (ret != 0) {
                printf("Unable to change directory to /\n");
                exit(EXIT_FAILURE);
        }

        /* After clearenv(), environ is either NULL or points at an empty
         * list; both are fine. Only a non-empty list is an error. */
        if (environ != NULL && *environ != NULL) {
                printf("Environment not clear!\n");
                exit(EXIT_FAILURE);
        }

        /* Re-create only what we need. The literal has static storage, so
         * putenv() keeping a pointer to it is safe. */
        if (putenv("PATH=/bin:/usr/bin") != 0) {
                printf("Unable to set PATH\n");
                exit(EXIT_FAILURE);
        }

        /* Bootstrap logging subsystem. */
        if (print_init(PRINT_ERROR, 1, 0, NULL) != 0) {
                printf("ERROR: Unable to start log subsystem\n");
                exit(EXIT_FAILURE);
        }

        /* Get global config. This has to be secure, but as it doesn't read
         * user input it's not so bad. */
        cfg = cfg_get();

        print_fini();

        if (!cfg) {
                printf("Unable to read global config file\n");
                exit(EXIT_FAILURE);
        }

        /* If the database is not global we can drop privileges now. After
         * these lines the MySQL/LDAP/local approaches no longer run with
         * elevated privileges. Group first, then user: once the UID is
         * dropped we could not change the GID any more. setres*() also
         * clears the saved IDs, which plain setgid()/setuid() would leave
         * behind in a non-root SGID/SUID process (privilege could then be
         * regained). */
        if (cfg->db != CONFIG_DB_GLOBAL) {
                if (setresgid(gid, gid, gid) != 0 ||
                    setresuid(uid, uid, uid) != 0) {
                        printf("Strange error while dropping permissions\n");
                        exit(EXIT_FAILURE);
                }
                /* Verify that the drop really took effect. */
                if (getegid() != gid || geteuid() != uid) {
                        printf("Privileges not dropped!\n");
                        exit(EXIT_FAILURE);
                }
        }

        /* Here we pass user input, which can be dangerous. */
        ret = process_cmd_line(argc, argv);
        return ret;
}




-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be

Attachment: signature.asc
Description: PGP signature
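The PAM stack the reply above describes, written out as an added example; this is not configuration shipped with otpasswd nor text from the original message. The module file name pam_otpasswd.so, the config path /etc/otpasswd/otpasswd.conf and the service file name are assumptions; the ENFORCE option, its default of 0, the PAM_IGNORE result and the requisite/required ordering are the ones named in the message:

```conf
# /etc/pam.d/sshd (or any other service) -- assumed path
#
# pam_unix is 'requisite': a wrong system password ends the stack at once,
# so pam_otpasswd never runs for someone who does not hold the password.
auth    requisite   pam_unix.so
#
# pam_otpasswd is 'required': with ENFORCE=0 it returns PAM_IGNORE for a
# user who has no entry in the key database, and PAM then treats the module
# as absent, so that user's login is unchanged. Users who have enrolled get
# the OTP prompt and must pass it.
auth    required    pam_otpasswd.so       # module file name is an assumption

# /etc/otpasswd/otpasswd.conf -- assumed path; option name from the message
#
# 0 (default): users without an OTP key are let through (PAM_IGNORE).
# 1: every user must have a key; an unenrolled user fails to authenticate.
ENFORCE=0
```

Two points to check before relying on this. First, PAM_IGNORE only gives the described "opt-in" behaviour because the module is stacked as 'required'; under 'sufficient' the same return value would also be ignored, but the stack would then need another module to succeed. Second, 'requisite' on pam_unix returns to the application as soon as the password fails, which tells a remote attacker whether the password was right before any OTP is asked for; if that leak matters more than the extra round trip, 'required' on pam_unix lets the stack run to the end and report a single failure.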

