From mkiernan@avantgo.com  Mon Aug 28 16:12:47 2000
Return-Path: <mkiernan@avantgo.com>
Received: from hermes.avantgo.com (shadow.avantgo.com [63.251.249.148])
	by hub.freebsd.org (Postfix) with ESMTP id CCB8C37B42C
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 28 Aug 2000 16:12:46 -0700 (PDT)
Received: from nayarit.avantgo.com (nayarit.avantgo.com [10.1.30.1])
	by hermes.avantgo.com (Postfix) with ESMTP id B2F23B
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 28 Aug 2000 16:12:39 -0700 (PDT)
Received: by nayarit.avantgo.com (Postfix, from userid 1008)
	id D14B1F816; Mon, 28 Aug 2000 16:12:45 -0700 (PDT)
Message-Id: <20000828231245.D14B1F816@nayarit.avantgo.com>
Date: Mon, 28 Aug 2000 16:12:45 -0700 (PDT)
From: mkiernan@avantgo.com
Reply-To: mkiernan@avantgo.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: incorrect handling of echo_pass option
X-Send-Pr-Version: 3.2

>Number:         20909
>Category:       bin
>Synopsis:       The test for the echo_pass option is backwards.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    kris
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 28 16:20:01 PDT 2000
>Closed-Date:    Sat Sep 16 22:48:43 PDT 2000
>Last-Modified:  Sat Sep 16 22:49:10 PDT 2000
>Originator:     Michael Kiernan
>Release:        FreeBSD 4.1-STABLE i386
>Organization:
>Environment:

	

	I am running 4.1-STABLE but cvsup'ed the pam_opie.c module from
	the head of the development branch.

>Description:

	

	The echo_pass PAM option, if present, is supposed to enable
	the echoing of passwords when the user types them in.  The
	test for this option in the pam_opie module is backwards.  That
	is, it echoes passwords when the option is not present in the PAM
	configuration file and fails to echo passwords when the option
	is present.

>How-To-Repeat:

	

	1.  Make sure your account is set up to use Opie (i.e. you've used
	    opiegen);
	2.  enable the pam_opie module in your PAM configuration file for the
	    login service;
	3.  add/subtract the "echo_pass" option from the pam_module's
	    configuration line in the PAM configuration file;
	4.  type your login name at the "login:" prompt;
	5.  type <return> at the "Password:" prompt;
	6.  you will get a "Password [echo on]:" prompt if the echo_pass
	    option is not on, but you won't get it if the echo_pass option
	    is turned on;
	7.  go back to step 3 and try it the other way around.

>Fix:

	

Index: pam_opie.c
===================================================================
RCS file: /sbox/freebsd/cvs/root/src/lib/libpam/modules/pam_opie/pam_opie.c,v
retrieving revision 1.1
diff -u -r1.1 pam_opie.c
--- pam_opie.c	2000/04/17 00:14:42	1.1
+++ pam_opie.c	2000/08/28 22:40:35
@@ -79,7 +79,7 @@
 		opieunlock();
 		return retval;
 	}
-	if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
+	if (response[0] == '\0' && (options & PAM_OPT_ECHO_PASS)) {
 		options |= PAM_OPT_ECHO_PASS;
 		snprintf(prompt, sizeof prompt,
 			 "%s\nPassword [echo on]: ", challenge);
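Review bot: dropping the `!` from the test does not produce "no echo unless echo_pass is set": the second prompt now appears only when PAM_OPT_ECHO_PASS is already in `options`, so the `options |= PAM_OPT_ECHO_PASS;` that follows becomes a no-op, and nothing in this hunk stops the first pam_get_pass call above it from echoing whenever the option is configured. If the intended behaviour is a silent first prompt and an echoed second prompt, the flag has to be masked out of the options passed to the first call and the `|=` removed, which is what the revised patch later in this PR does.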

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kris 
Responsible-Changed-By: sheldonh 
Responsible-Changed-When: Tue Aug 29 01:57:31 PDT 2000 
Responsible-Changed-Why:  
Kris, you committed Jim's pam_opie.c.  The patch seems to 
make sense.  Could you take a look or coordinate with Jim? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20909 

From: Michael Kiernan <mkiernan@avantgo.com>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/20909: The test for the echo_pass option is backwards.
Date: Tue, 29 Aug 2000 11:06:23 -0700

 My apologies for not drinking more coffee before submitting my report, but
 the patch I sent is wrong.  I didn't describe the exact nature of the
 problem--please let me clarify...
 
 The pam_opie module doesn't handle the echo_pass PAM option properly.  The 
 module always allows password echoing at the second prompt if the user types
 <return> at the first prompt.  If you add "echo_pass" as an option for the
 module in /etc/pam.conf, it will echo the password at both prompts.  Correct 
 me if I'm wrong, but my understanding is that under normal conditions
 password echo is supposed to be off unless the "echo_pass" option is 
 specified.
 
 The new patch (included below) implements the following behavior:  the
 first prompt never echoes the password, but if the user types <return> and
 "echo_pass" is set in pam.conf, a second prompt will be displayed that
 echoes the password.
 
 Thanks,
 
 Mike
 
 
 Index: pam_opie.c
 ===================================================================
 RCS file: /sbox/freebsd/cvs/root/src/lib/libpam/modules/pam_opie/pam_opie.c,v
 retrieving revision 1.1
 diff -u -r1.1 pam_opie.c
 --- pam_opie.c	2000/04/17 00:14:42	1.1
 +++ pam_opie.c	2000/08/29 18:01:29
 @@ -74,13 +74,12 @@
  	if (opiechallenge(&opie, (char *)user, challenge) != 0)
  		return PAM_AUTH_ERR;
  	snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge);
 -	if ((retval = pam_get_pass(pamh, &response, prompt, options)) !=
 -	    PAM_SUCCESS) {
 +	if ((retval = pam_get_pass(pamh, &response, prompt,
 +	    (options & ~PAM_OPT_ECHO_PASS))) != PAM_SUCCESS) {
  		opieunlock();
  		return retval;
  	}
 -	if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
 -		options |= PAM_OPT_ECHO_PASS;
 +	if (response[0] == '\0' && (options & PAM_OPT_ECHO_PASS)) {
  		snprintf(prompt, sizeof prompt,
  			 "%s\nPassword [echo on]: ", challenge);
  		if ((retval = pam_get_pass(pamh, &response, prompt,
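Review bot: this hunk changes behaviour for configurations without echo_pass, not only for those that set it. With `!(options & PAM_OPT_ECHO_PASS)` and the `options |= PAM_OPT_ECHO_PASS;` line removed, an empty first response no longer triggers the "[echo on]" re-prompt at all when the option is absent; the context ends at the second pam_get_pass call, so where that path now goes is not visible here. That is a change to the module's documented behaviour rather than a fix of a backwards test, and should be described as such in the PR and reflected in the module's manual page. The masking `(options & ~PAM_OPT_ECHO_PASS)` on the first call is correct for the stated intent of never echoing at the first prompt.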
 
 
 
 
 

From: Kris Kennaway <kris@FreeBSD.org>
To: Michael Kiernan <mkiernan@avantgo.com>
Cc: freebsd-gnats-submit@freebsd.org, bloom@acm.org
Subject: Re: bin/20909: The test for the echo_pass option is backwards.
Date: Fri, 1 Sep 2000 19:00:31 -0700 (PDT)

 On Tue, 29 Aug 2000, Michael Kiernan wrote:
 
 >  The pam_opie module doesn't handle the echo_pass PAM option properly.  The 
 >  module always allows password echoing at the second prompt if the user types
 >  <return> at the first prompt.  If you add "echo_pass" as an option for the
 >  module in /etc/pam.conf, it will echo the password at both prompts.  Correct 
 >  me if I'm wrong, but my understanding is that under normal conditions
 >  password echo is supposed to be off unless the "echo_pass" option is 
 >  specified.
 
 I think this is valid behaviour: it accords with the behaviour of other
 OTP utilities. The reason it echoes on the second attempt is because
 (depending on how it's set up) you can either log in with a unix password,
 or a one time password (that is echoed back to you so you can confirm the
 passphrase) by just pressing enter the first time. echo_pass is intended
 for when you want it to always echo the passphrase because the utility
 doesn't use non-OTP authentication.
 
 Kris
 
 --
 In God we Trust -- all others must submit an X.509 certificate.
     -- Charles Forsythe <forsythe@alum.mit.edu>
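To make the two prompt sequences Kris and Michael are discussing concrete, the following is an added example (not code from pam_opie or from this PR) that models the module's echo decisions as pure functions over the PAM option bits, once for the original logic and once for the submitter's second patch; the flag value and the helper names are assumptions.

```c
#include <stdbool.h>

/* Assumed bit value for illustration; the real module defines its own. */
#define PAM_OPT_ECHO_PASS 0x01u

/* What the user observes: whether the first prompt echoed, whether a second
 * "[echo on]" prompt was shown, and whether that second prompt echoed. */
struct prompt_trace {
    bool first_echo;
    bool second_prompt;
    bool second_echo;
};

/* Models pam_get_pass(): echo is on iff PAM_OPT_ECHO_PASS is in the flags. */
static bool prompt_echoes(unsigned flags)
{
    return (flags & PAM_OPT_ECHO_PASS) != 0;
}

/* Original pam_opie logic (the lines the PR's hunks remove): the first prompt
 * honours echo_pass; an empty answer without echo_pass yields an echoed retry,
 * which is the "press enter to use a one time password" path Kris describes. */
static struct prompt_trace trace_original(unsigned options, const char *first_response)
{
    struct prompt_trace t = { false, false, false };
    t.first_echo = prompt_echoes(options);
    if (first_response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
        options |= PAM_OPT_ECHO_PASS;
        t.second_prompt = true;
        t.second_echo = prompt_echoes(options);
    }
    return t;
}

/* Logic after the submitter's second patch: the first prompt is always
 * masked, and the echoed retry appears only when echo_pass is configured. */
static struct prompt_trace trace_patched(unsigned options, const char *first_response)
{
    struct prompt_trace t = { false, false, false };
    t.first_echo = prompt_echoes(options & ~PAM_OPT_ECHO_PASS);
    if (first_response[0] == '\0' && (options & PAM_OPT_ECHO_PASS)) {
        t.second_prompt = true;
        t.second_echo = prompt_echoes(options);
    }
    return t;
}
```

The difference the thread turns on is the `options == 0` case with an empty first response: the original code re-prompts with echo on, the patched code never re-prompts.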
 
 

From: Michael Kiernan <mkiernan@avantgo.com>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org, bloom@acm.org
Subject: Re: bin/20909: The test for the echo_pass option is backwards. 
Date: Tue, 05 Sep 2000 12:01:33 -0700

 Hello Kris,
 
 You wrote:
 > I think this is valid behaviour: it accords with the behaviour of other
 > OTP utilities. The reason it echoes on the second attempt is because
 > (depending on how it's set up) you can either log in with a unix password,
 > or a one time password (that is echoed back to you so you can confirm the
 > passphrase) by just pressing enter the first time. echo_pass is intended
 > for when you want it to always echo the passphrase because the utility
 > doesn't use non-OTP authentication.
 
 I had assumed that the echo_pass option was meant to alter the behavior from 
 echoing turned completely off to echoing turned on only for the second prompt. 
 Thank you for clarifying this.
 
 Mike
 
 
 

From: Jim Bloom <bloom@acm.org>
To: Michael Kiernan <mkiernan@avantgo.com>
Cc: Kris Kennaway <kris@FreeBSD.org>,
	freebsd-gnats-submit@FreeBSD.org
Subject: Re: bin/20909: The test for the echo_pass option is backwards.
Date: Tue, 05 Sep 2000 21:05:25 -0400

 I agree with Kris that the behaviour is as designed.  It should agree with
 pam_skey (one of the other OTP utilities) upon which this module was based.
 
 Kris, it sounds like Michael accepts the explanation (according to his
 subsequent e-mail) and this PR can be closed.
 
 Jim Bloom
 bloom@acm.org
 
 
 Kris Kennaway wrote:
 > 
 > On Tue, 29 Aug 2000, Michael Kiernan wrote:
 > 
 > >  The pam_opie module doesn't handle the echo_pass PAM option properly.  The
 > >  module always allows password echoing at the second prompt if the user types
 > >  <return> at the first prompt.  If you add "echo_pass" as an option for the
 > >  module in /etc/pam.conf, it will echo the password at both prompts.  Correct
 > >  me if I'm wrong, but my understanding is that under normal conditions
 > >  password echo is supposed to be off unless the "echo_pass" option is
 > >  specified.
 > 
 > I think this is valid behaviour: it accords with the behaviour of other
 > OTP utilities. The reason it echoes on the second attempt is because
 > (depending on how it's set up) you can either log in with a unix password,
 > or a one time password (that is echoed back to you so you can confirm the
 > passphrase) by just pressing enter the first time. echo_pass is intended
 > for when you want it to always echo the passphrase because the utility
 > doesn't use non-OTP authentication.
 
State-Changed-From-To: open->closed 
State-Changed-By: kris 
State-Changed-When: Sat Sep 16 22:48:43 PDT 2000 
State-Changed-Why:  
The submission has been analyzed and determined to be correct 
behaviour. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=20909 
>Unformatted:
