From nobody@FreeBSD.org  Sun Mar 26 22:10:58 2006
Message-Id: <200603262210.k2QMAvvq050730@www.freebsd.org>
Date: Sun, 26 Mar 2006 22:10:57 GMT
From: Juan Francisco Rodriguez Hervella <juan.fco.rodriguez@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pam_opie module option without "no_fake_prompts" is not useful
X-Send-Pr-Version: www-2.3

>Number:         94978
>Category:       kern
>Synopsis:       [pam] pam_opie module option without "no_fake_prompts" is not useful
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun Mar 26 22:20:11 GMT 2006
>Closed-Date:    
>Last-Modified:  Sun Mar 26 22:33:04 GMT 2006
>Originator:     Juan Francisco Rodriguez Hervella
>Release:        FreeBSD-6.0-RELEASE #0
>Organization:
Alma Technologies
>Environment:
FreeBSD-6.0
>Description:
It's very easy to know if the account is not using opie passwords even if the
option "no_fake_prompts" is removed from the pam_opie configuration,
because the challenge varies randomly
every time you try to log in, even when you fail.

My concern is that "no_fake_prompts" is made an option, meaning it is
not the default behaviour....the default behaviour should be the
more secure one....but even without "no_fake_prompts" the attacker
can find out that the user account is not using opie in a very easy
way.

So in my humble opinion it is not enough to generate random opie challenges for accounts
with opie disabled. The opie system should be able to issue the same challenge
even for users with opie not enabled.

Do you understand my concern? Am I right?
Is this difficult to implement?
My answer to all these questions is.... I don't know :)

>How-To-Repeat:
Enable opie passwords with the "opiepasswd" command on a specific account.
Then remove the option "no_fake_prompts" from /etc/pam.d/system.
Finally try to log into an account without opie, without success, a couple of times,
and you will find out that the challenge varies very randomly...which suggests opie
is not actually being used, because with opie enabled, if you fail to log in, the
same challenge will be sent to you over and over....and if you succeed,
the challenge will be decremented by one....
>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
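
The behaviour requested above, sketched as an added example (not part of the original report and not pam_opie's own code): derive the fake challenge from a keyed hash of the user name, so an account without OPIE shows the same prompt on every failed attempt. The secret, the function names, the sequence range and the seed shape (two letters plus four digits) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumption: a per-host secret, generated once and readable only by root.
# The value below is constructed for this example.
SERVER_SECRET = b"constructed-demo-secret"


def random_fake_challenge() -> str:
    """Behaviour described in the report: a fresh fake on every attempt."""
    seq = 1 + secrets.randbelow(499)
    letters = "".join(secrets.choice(string.ascii_lowercase) for _ in range(2))
    return f"otp-md5 {seq} {letters}{secrets.randbelow(10000):04d} ext"


def stable_fake_challenge(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Fake challenge that is identical on every attempt for one user name.

    HMAC keeps the mapping unpredictable to anyone without the host secret,
    so the fake cannot be recomputed offline from the user name alone.
    """
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    seq = 1 + int.from_bytes(digest[0:4], "big") % 499       # assumed range 1..499
    letters = "".join(string.ascii_lowercase[b % 26] for b in digest[4:6])
    number = int.from_bytes(digest[6:10], "big") % 10000
    return f"otp-md5 {seq} {letters}{number:04d} ext"


def distinct_prompts(make_challenge, attempts: int = 5) -> int:
    """Count how many different prompts a series of failed logins would see."""
    return len({make_challenge() for _ in range(attempts)})


if __name__ == "__main__":
    print("random fakes :", distinct_prompts(random_fake_challenge))
    print("stable fakes :", distinct_prompts(lambda: stable_fake_challenge("alice")))
    print(stable_fake_challenge("alice"))
```

A stable fake only addresses the repeated-failure check in How-To-Repeat; it does not count down the way the report says a real account's challenge does after a successful login.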
