OTP telnet
Dear All
I write to you instead of submitting bug/wish because this is related
to more than one package. This letter is related to packages login
and telnetd and have security issues.
I would like to configure telnet to login only using One Time Passwords.
It looks simple: install opie packagaes (server, client and pam modules),
disable pasword login and add OTP login to /etc/pam.d/login. But there is one
problem: it also changes behavior of login from console. *getty spawns the same
/bin/login as telnetd and wants from user an OTP password, not a unix password.
Temporary sollution is:
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
(as described in libpam-opie)
but it still allows users to login via telnet using unix password.
I have an idea for discussion: is it possible to create two /bin/login
instances (i.e. /bin/login and /bin/login-telnet) which differs only
by used PAM entry? There could be also one /bin/login symlinked
as /bin/login-sth.
If called as /bin/login login entry in PAM is checked. If called as
/bin/login-sth sth entry is checked.
It would also require changes in telnetd code. New name/path of login program
must be hardcoded. Also there should be an option to set this name/path from
command line.
If you think this idea is ok notify me, please. I will try to write patch for
it.
Regards
Artur Czechowski
Disclaimer:
Feel free to cite/forward this email if you find it useful.
--
Artur Czechowski
JMC Sp. z o.o.
e-mail: artur.czechowski@jmc.com.pl
Tel.: (0 22) 825 23 24, tel./fax.: (0 22) 825 95 58
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: