Bug 237270 - pam_opieaccess does not support IPv6, or documentation is lacking
Summary: pam_opieaccess does not support IPv6, or documentation is lacking
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 11.2-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords: ipv6, needs-qa
Depends on:
Blocks:
Reported: 2019-04-14 02:13 UTC by Victor Sudakov
Modified: 2019-06-27 10:36 UTC (History)

See Also:


Description Victor Sudakov 2019-04-14 02:13:40 UTC
pam_opieaccess(8), opieaccess(5) say nothing about IPv6, this means either this module does not support IPv6, or the man pages are lacking IPv6 syntax and examples.
Comment 1 Victor Sudakov 2019-04-14 08:16:53 UTC
If someone provided me with an example of how to add an IPv6 line to /etc/opieaccess, I would be happy to test if IPv6 support is working.

I don't know, however, how to present an IPv6 network (or networks) in the "address netmask" format that is required there.
Comment 2 Victor Sudakov 2019-05-26 05:00:38 UTC
How can I up this one? It's really annoying not to be able to skip one-time passwords when logging in from a trusted IPv6-only host.
Comment 3 Bjoern A. Zeeb freebsd_committer 2019-05-26 11:40:02 UTC
It looks like all the way from contrib/opie to PAM there is no IPv6 support currently.
I have no idea if upstream's (NRL) opie project still exists.

It's likely someone has to sit down and fix/write the code.
Comment 4 Dag-Erling Smørgrav freebsd_committer 2019-05-27 18:44:53 UTC
OPIE is not quite up to 2019 standards of security or usability.  I would recommend using Google Authenticator or Yubikey / U2F instead.
Comment 5 Victor Sudakov 2019-05-29 05:14:15 UTC
(In reply to Dag-Erling Smørgrav from comment #4)

> I would recommend using Google Authenticator or Yubikey / U2F instead.

Are they integrated into FreeBSD or do you recommend integrating them?

Suppose we switch to them, shall I still be able to use a simple sheet of paper with pre-printed one-time keys on it, as I've done for years?
Comment 6 Dag-Erling Smørgrav freebsd_committer 2019-05-30 21:57:03 UTC
(In reply to Victor Sudakov from comment #5)
> Are they integrated into FreeBSD or do you recommend integrating them?

They're in ports.

> Suppose we switch to them, shall I still be able to use a simple sheet of
> paper with pre-printed one-time keys on it, as I've done for years?

No, but you'll have something that's actually secure.
Comment 7 Victor Sudakov 2019-06-02 01:21:56 UTC
(In reply to Dag-Erling Smørgrav from comment #6)
> No, but you'll have something that's actually secure.

If I understand correctly, one depends on some Google app for a smartphone, and the other on some hardware device you need to purchase. These are not something I'd rather use in a freeware OS for PC.

The OPIE system may be less secure (why? it's simple enough. Because of md5 only?) but at least it's self-sufficient. Why would I trust third party products to authenticate me to my own FreeBSD box?
Comment 8 Dag-Erling Smørgrav freebsd_committer 2019-06-03 14:39:19 UTC
Google Authenticator is not tied to Google.  It is an open standard called OATH (RFC 4226 and 6238).  It is commonly referred to as Google Authenticator because they were among the first to make widespread use of it and to release an open source implementation, but you can get hardware tokens that implement RFC 6238 (very commonly used for Internet banking; I have one in my pocket right now), or you can use a wide variety of free software including FreeOTP, which is a Red Hat-sponsored fork of the old Google Authenticator app.  On the server side, you can use the security/pam_google_authenticator port, which is 100% open source.
Comment 9 Victor Sudakov 2019-06-16 06:52:16 UTC
(In reply to Dag-Erling Smørgrav from comment #8)
> you can use the security/pam_google_authenticator port

It turns out that this port has many dependencies (python and friends) which I find annoying.
Comment 10 Dag-Erling Smørgrav freebsd_committer 2019-06-17 16:21:28 UTC
Build-time, perhaps. Its only run-time dependency is libqrencode.
Comment 11 Victor Sudakov 2019-06-17 16:26:26 UTC
(In reply to Dag-Erling Smørgrav from comment #10)
> Build-time, perhaps. Its only run-time dependency is libqrencode.

png also
Comment 12 Victor Sudakov 2019-06-18 02:13:18 UTC
(In reply to Dag-Erling Smørgrav from comment #10)

Are you sure those 6-digit codes are a secure replacement for OTP when used by themselves (not as an additional 2FA), but as the only password on untrusted terminals? I configured pam_google_authenticator.so as "sufficient" for auth, just like pam_opie.so.


PS you were right, no Python required at runtime. Sorry for my mistake.
Comment 13 Dag-Erling Smørgrav freebsd_committer 2019-06-24 16:33:58 UTC
The OATH HOTP / TOTP algorithm is stronger than OPIE. If you've been using OPIE as your only password, which you shouldn't, you'll be no worse off using OATH instead. But I would urge you to also implement some sort of rate limiting. You can use blacklistd(8) for services that support it (including sshd), or security/py-fail2ban for those that don't.
Comment 14 Victor Sudakov 2019-06-25 15:26:33 UTC
(In reply to Dag-Erling Smørgrav from comment #13)
> If you've been using OPIE as your only password, which you shouldn't

Who says I shouldn't? Isn't it configured as "sufficient" in the stock /etc/pam.d/sshd ?
Comment 15 Dag-Erling Smørgrav freebsd_committer 2019-06-26 20:02:19 UTC
(In reply to Victor Sudakov from comment #14)
> Isn't it configured as "sufficient" in the stock /etc/pam.d/sshd ?

Yes, for historical reasons: it was considered an adequate single factor 20+ years ago, so it was grandfathered in when we moved to PAM, and this decision was never revisited. But it is very weak, and I doubt there are many people still using it.

I considered adding support for a more modern algorithm, but it would require a much larger dictionary and / or much longer phrases. I should have removed it a long time ago; I will probably do so before 13.0.
Comment 16 Victor Sudakov 2019-06-27 10:36:48 UTC
(In reply to Dag-Erling Smørgrav from comment #15)
> But it is very weak, and I doubt there are many people still using it.

OPIE being the only OTP solution not depending on a third-party hardware gadget (even a mobile phone), and being mentioned in the Handbook, I'm afraid quite a few people may still be using it.

> I should have removed it a long time ago; I will probably do so before 13.0.

If you do, please don't forget to update the "13.3. One-time Passwords" chapter of the FreeBSD Handbook to some other OTP system.