I write to you instead of submitting bug/wish because this is related
to more than one package. This letter is related to packages login
and telnetd and has security issues.
I would like to configure telnet to login only using One Time Passwords.
It looks simple: install opie packages (server, client and pam modules),
disable password login and add OTP login to /etc/pam.d/login. But there is one
problem: it also changes behavior of login from console. *getty spawns the same
/bin/login as telnetd and wants from user an OTP password, not a unix password.
Temporary solution is:
    auth sufficient pam_unix.so
    auth sufficient pam_opie.so
    auth required pam_deny.so
(as described in libpam-opie)
but it still allows users to login via telnet using unix password.
I have an idea for discussion: is it possible to create two /bin/login
instances (i.e. /bin/login and /bin/login-telnet) which differ only
by used PAM entry? There could be also one /bin/login symlinked
If called as /bin/login, the login entry in PAM is checked. If called as
/bin/login-sth, the sth entry is checked.
It would also require changes in telnetd code. New name/path of login program
must be hardcoded. Also there should be an option to set this name/path from
If you think this idea is ok notify me, please. I will try to write patch for
Feel free to cite/forward this email if you find it useful.
JMC Sp. z o.o.
Tel.: (0 22) 825 23 24, tel./fax.: (0 22) 825 95 58
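
The name-based selection proposed in the message above, as an added example (not part of the original message and not code from the login or telnetd packages). The helper name pam_service_for, the allowlist and the refuse-on-unknown behaviour are assumptions: argv[0] is chosen by the caller, so only suffixes the administrator has listed may select a PAM entry.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the only suffixes that may pick their own
 * /etc/pam.d entry. "telnet" would hold the OTP-only stack. */
static const char *const allowed_suffixes[] = { "telnet", NULL };

/* Map the name login was invoked under to a PAM service name.
 *   /bin/login         -> "login"
 *   /bin/login-telnet  -> "telnet"
 * Any other name returns NULL so the caller can refuse to run:
 * a symlink such as login-su must not select an arbitrary stack. */
const char *pam_service_for(const char *argv0)
{
    const char *base;
    size_t i;

    if (argv0 == NULL)
        return NULL;
    base = strrchr(argv0, '/');          /* strip any directory part */
    base = base ? base + 1 : argv0;

    if (strcmp(base, "login") == 0)
        return "login";
    if (strncmp(base, "login-", 6) != 0)
        return NULL;
    for (i = 0; allowed_suffixes[i] != NULL; i++)
        if (strcmp(base + 6, allowed_suffixes[i]) == 0)
            return allowed_suffixes[i];  /* constant string, not caller data */
    return NULL;
}

int main(int argc, char **argv)
{
    const char *service = pam_service_for(argc > 0 ? argv[0] : NULL);

    if (service == NULL) {
        fprintf(stderr, "refusing to run under an unknown name\n");
        return 1;
    }
    /* A real login would pass this name as the first argument of pam_start(). */
    printf("PAM service: %s\n", service);
    return 0;
}
```

With this split, /etc/pam.d/login can keep pam_unix.so for the console while /etc/pam.d/telnet lists only pam_opie.so followed by pam_deny.so.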