Re: configuring pam for openssh

From: Greg Norris (haphazard@kc.rr.com)
Date: 02/22/03

    Date: Sat, 22 Feb 2003 09:06:03 -0600
    From: Greg Norris <haphazard@kc.rr.com>
    To: secureshell@securityfocus.com


    It looks like I included the wrong version of /etc/pam/ssh by mistake.
    Specifically, the pam_deny.so entry should *not* have been present...
    sorry for any confusion.

    On Fri, Feb 21, 2003 at 10:12:15PM -0600, Greg Norris wrote:
    > I occasionally have a need to connect to my home machine (Debian Linux,
    > openssh 3.5p1-4) from untrusted systems, so I'm trying to configure
    > openssh to use one-time passwords via libpam-opie. I started by
    > commenting out the auth entry for pam_unix.so in /etc/pam.d/ssh, and
    > adding one for pam_opie.so in its place. So far so good... the
    > keyboard-interactive method seems to work with opie, and it doesn't
    > fall back to normal password authentication.
    >
    > During the course of testing, I noticed that the change had broken the
    > built-in password authentication ("PasswordAuthentication yes" in
    > sshd_config). Can anyone explain why this occurs? My (obviously
    > flawed ;-) understanding was that openssh only uses the pam auth
    > modules for keyboard-interactive. I've gone through the pam
    > documentation and done some googling, but the answer remains elusive...
    >
    > This isn't a huge problem, as I'm most likely going to disable password
    > authentication anyway. But I'd really like to understand what's
    > occurring.
    >
    > Thanx!
    >
    > ----- </etc/pam.d/ssh> -----
    > auth required pam_nologin.so
    > auth required pam_env.so # [1]
    > auth required pam_opie.so
    > #auth required pam_unix.so
    > auth required pam_deny.so
    >
    > account required pam_unix.so
    >
    > session required pam_unix.so
    > session optional pam_motd.so # [1]
    > session optional pam_mail.so standard noenv # [1]
    > session required pam_limits.so
    >
    > password required pam_unix.so obscure min=8 md5
    > ----- <end /etc/pam.d/ssh> -----
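As an added illustration, not part of this thread, the following Python models how Linux-PAM walks the `auth` stack from the posted file under the classic control flags (`required`, `requisite`, `sufficient`, `optional`), and shows why a trailing `required pam_deny.so` defeats every attempt while the corrected stack accepts only a valid OPIE response. Module outcomes in `simulate_module` are assumptions for the demonstration; nothing here touches a real PAM installation.

```python
# Added example (not from the thread): a minimal model of how Linux-PAM walks
# an "auth" stack under the classic control flags, applied to the poster's
# /etc/pam.d/ssh. Module behaviour is simulated; no real PAM calls are made.

SUCCESS, FAIL = "success", "fail"

def simulate_module(module, attempt):
    """Assumed outcome of each module for one login attempt (constructed, not real PAM)."""
    if module == "pam_opie.so":
        return SUCCESS if attempt.get("otp_response_valid") else FAIL
    if module == "pam_unix.so":
        return SUCCESS if attempt.get("unix_password_valid") else FAIL
    if module == "pam_deny.so":
        return FAIL                          # pam_deny.so never succeeds
    return SUCCESS                           # pam_nologin.so / pam_env.so for an ordinary user

def parse_auth_stack(pam_text):
    """Return [(control, module)] for active 'auth' lines; '#' comments are ignored."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate_auth(stack, attempt):
    """Walk the stack with Linux-PAM control-flag semantics and return the verdict."""
    required_failed = False
    for control, module in stack:
        result = simulate_module(module, attempt)
        if control == "required" and result == FAIL:
            required_failed = True           # remembered; later modules still run
        elif control == "requisite" and result == FAIL:
            return FAIL                      # abort the stack immediately
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS                   # short-circuit success
        # 'optional' results are ignored when other modules are present
    return FAIL if required_failed else SUCCESS

# The auth section exactly as posted, and the corrected one without pam_deny.so.
POSTED_STACK = """\
auth required pam_nologin.so
auth required pam_env.so
auth required pam_opie.so
#auth required pam_unix.so
auth required pam_deny.so
"""
CORRECTED_STACK = POSTED_STACK.replace("auth required pam_deny.so\n", "")
```

Because `required` keeps walking the stack after a failure, `pam_deny.so` at the end turns every attempt into a failure, even one that satisfied `pam_opie.so`; with `pam_unix.so` commented out, a plain Unix password also fails the corrected stack, since no remaining module will accept it.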