Re: recompile sshd with OPIE?

freebsd-security_at_auscert.org.au
Date: 08/16/05

  • Next message: Dag-Erling Smørgrav: "Re: recompile sshd with OPIE?"
    To: des@des.no (Dag-Erling Smørgrav)
    Date: Tue, 16 Aug 2005 14:32:00 +1000
    
    

    > freebsd-security@auscert.org.au writes:
    > > Can this be achieved within the regular system build process, or must I
    > > roll my own?
    >
    > You need to change src/crypto/openssh/config.h so it says
    >
    > /* #undef PAM */
    > #define SKEY 1
    > #define OPIE 1
    >
    > instead of
    >
    > #define PAM 1
    > /* #undef SKEY */
    > /* #undef OPIE */
    >
    > then rebuild world.

    This may sound like a really silly question, but how do I enable it?

    After performing the changes above, I installed with:

    cd /usr/src/secure/usr.sbin/sshd
    make cleandir; make cleandir
    make obj && make depend && make all install

    There's no man[5] sshd_config entry, but through trial and error I
    identified an option that doesn't cause an error: SkeyAuthentication yes

    I couldn't get any permutation of OpieAuthentication/UseOPIE/... to work.

    However, attempts to connect to the running server with SkeyAuthentication
    enabled still give:

            Permission denied (publickey).

    This is after creating an opiekey for the user (works for sudo, so is
    functional), and with these options enabled (+ defaults where not noted)
    in sshd_config:

    Port 22
    Protocol 2
    ListenAddress 10.0.0.1
    LogLevel VERBOSE
    PermitRootLogin no
    StrictModes yes
    HostbasedAuthentication no
    IgnoreUserKnownHosts yes
    IgnoreRhosts yes
    ChallengeResponseAuthentication no
    SkeyAuthentication yes
    AllowTcpForwarding no
    X11Forwarding yes
    Banner /etc/issue

    Can you point me in the right direction please?

    thanks,
    -- Joel Hatton --
    Security Analyst | Hotline: +61 7 3365 4417
    AusCERT - Australia's national CERT | Fax: +61 7 3365 7031
    The University of Queensland | WWW: www.auscert.org.au
    Qld 4072 Australia | Email: auscert@auscert.org.au