
Re: ssh + opie?



On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> >   I have successfully configured sshd to allow opie logons, without
> > disabling PrivSep, by configuring pam to use the libpam-opie
> > module for ssh.
> >   In this case the user gets the normal password prompt though, and no
> > opie information to tell them what password they are up to.
> 
> Could you post the configuration details?  I've tried to do this a
> couple of times, but wasn't successful unless I disabled privilege
> separation.

  No worries. In /etc/pam.d/ssh I have:
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
auth       sufficient   pam_unix.so
auth       sufficient   pam_opie.so
auth       required     pam_deny.so

account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_lastlog.so # [1]
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so


  It is very similar to the original /etc/pam.d/ssh. Note that using
this configuration does not change the logon prompt at all. So the user
has no clue that they can use an opie password, and no prompt for what
the seed or number they are up to is. They are simply prompted for a
password (assuming the ssh configuration allows that, and they haven't
used a key method for authentication). If they enter their normal
password it is accepted. If they enter the current opie password it is
accepted.

The sshd_config follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem	sftp	/usr/lib/sftp-server

  The man page says that UsePrivilegeSeparation defaults to yes. So I
assume that it is enabled, and that this information might be useful.

  Cheers,
  Geoff
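An added example, not part of Geoff's mail or of the libpam-opie project: a small evaluator for a Linux-PAM style auth stack, fed the auth section of the /etc/pam.d/ssh posted above. It traces why the behaviour Geoff describes falls out of the control flags: `auth sufficient pam_unix.so` ends the stack as soon as the normal password matches, so pam_opie only runs when the Unix password fails, and pam_deny only when both fail. The conversation object models sshd's PasswordAuthentication path (ChallengeResponseAuthentication no, PAMAuthenticationViaKbdInt no), which answers every PAM prompt with the single password the client sent and cannot relay pam_opie's challenge text to the client. Everything else is constructed for the demo: the module bodies are stubs that compare against a made-up Unix password and a made-up six-word response, and do not implement RFC 2289 verification.

```python
"""Added example: evaluate a Linux-PAM style 'auth' stack.

Constructed for the demo (not real credentials, not real pam_* code):
  * pam_unix compares against UNIX_PASSWORD, pam_opie against OPIE_RESPONSE.
  * Conversation replays one secret to every prompt, like sshd's
    PasswordAuthentication path; prompt text never reaches the client.
"""
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

UNIX_PASSWORD = "correct-horse"                 # constructed
OPIE_RESPONSE = "WORD SIX LIST ONLY DEMO HERE"  # constructed six-word response


class Conversation:
    """Stand-in for sshd's password-method PAM conversation: one secret, replayed."""

    def __init__(self, secret: str) -> None:
        self.secret = secret
        self.prompts: List[str] = []  # what PAM asked; the ssh client never sees it

    def ask(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.secret


Module = Callable[[Conversation], str]


def pam_nologin(conv: Conversation) -> str:
    return PAM_SUCCESS  # /etc/nologin is absent in this demo


def pam_env(conv: Conversation) -> str:
    return PAM_SUCCESS


def pam_unix(conv: Conversation) -> str:
    return PAM_SUCCESS if conv.ask("Password: ") == UNIX_PASSWORD else PAM_AUTH_ERR


def pam_opie(conv: Conversation) -> str:
    # A real pam_opie would emit the challenge (sequence number and seed)
    # before this prompt; through the password method that text is dropped.
    return PAM_SUCCESS if conv.ask("Response: ") == OPIE_RESPONSE else PAM_AUTH_ERR


def pam_deny(conv: Conversation) -> str:
    return PAM_PERM_DENIED


# The auth section of the posted /etc/pam.d/ssh, in order.
AUTH_STACK: List[Tuple[str, str, Module]] = [
    ("required",   "pam_nologin", pam_nologin),
    ("required",   "pam_env",     pam_env),
    ("sufficient", "pam_unix",    pam_unix),
    ("sufficient", "pam_opie",    pam_opie),
    ("required",   "pam_deny",    pam_deny),
]


def run_auth(stack: List[Tuple[str, str, Module]], conv: Conversation) -> Tuple[str, List[str]]:
    """Apply Linux-PAM control-flag semantics; return (result, modules that ran)."""
    first_failure: Optional[str] = None
    ran: List[str] = []
    for control, name, module in stack:
        result = module(conv)
        ran.append(name)
        if control == "required":
            # failure is remembered but the rest of the stack still runs
            if result != PAM_SUCCESS and first_failure is None:
                first_failure = result
        elif control == "requisite":
            # failure returns immediately, reporting the first recorded failure
            if result != PAM_SUCCESS:
                return (first_failure or result), ran
        elif control == "sufficient":
            # success ends the stack now unless a required module already failed;
            # a failing sufficient module is simply ignored
            if result == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, ran
        elif control == "optional":
            pass  # only matters when it is the sole module in the stack
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return (first_failure or PAM_SUCCESS), ran


def authenticate(secret: str, stack: List[Tuple[str, str, Module]] = AUTH_STACK) -> Dict[str, object]:
    conv = Conversation(secret)
    result, ran = run_auth(stack, conv)
    return {"result": result, "modules_run": ran, "prompts": len(conv.prompts)}


if __name__ == "__main__":
    for secret in (UNIX_PASSWORD, OPIE_RESPONSE, "wrong"):
        print(f"{secret!r:34} -> {authenticate(secret)}")
```

Running it shows the three cases from the mail: the Unix password succeeds after one prompt without pam_opie ever running; the one-time password succeeds only after pam_unix has failed and the same secret has been replayed to pam_opie's prompt; anything else reaches pam_deny. Swapping the order of the two sufficient lines would make pam_opie consume the first prompt instead, which matters once the OPIE challenge can actually be shown (keyboard-interactive) but changes nothing for what the client sees here.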


