[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

OTP telnet

Dear All
I write to you instead of submitting bug/wish because this is related
to more than one package. This letter is related to packages login
and telnetd and have security issues.

I would like to configure telnet to login only using One Time Passwords.
It looks simple: install opie packagaes (server, client and pam modules),
disable pasword login and add OTP login to /etc/pam.d/login. But there is one
problem: it also changes behavior of login from console. *getty spawns the same
/bin/login as telnetd and wants from user an OTP password, not a unix password.

Temporary sollution is:
auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required   pam_deny.so
(as described in libpam-opie)
but it still allows users to login via telnet using unix password.

I have an idea for discussion: is it possible to create two /bin/login
instances (i.e. /bin/login and /bin/login-telnet) which differs only
by used PAM entry? There could be also one /bin/login symlinked
as /bin/login-sth.
If called as /bin/login login entry in PAM is checked. If called as
/bin/login-sth sth entry is checked.

It would also require changes in telnetd code. New name/path of login program
must be hardcoded. Also there should be an option to set this name/path from
command line.

If you think this idea is ok notify me, please. I will try to write patch for

	Artur Czechowski

Feel free to cite/forward this email if you find it useful.
Artur Czechowski
JMC Sp. z o.o.
e-mail: artur.czechowski@jmc.com.pl
Tel.: (0 22) 825 23 24, tel./fax.: (0 22) 825 95 58

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: