Re: configuring pam for openssh
From: Greg Norris (firstname.lastname@example.org)
Date: Sat, 22 Feb 2003 09:06:03 -0600
From: Greg Norris <email@example.com>
To: firstname.lastname@example.org
It looks like I included the wrong version of /etc/pam/ssh by mistake.
Specifically, the pam_deny.so entry should *not* have been present...
sorry for any confusion.
On Fri, Feb 21, 2003 at 10:12:15PM -0600, Greg Norris wrote:
> I occasionally have a need to connect to my home machine (Debian Linux,
> openssh 3.5p1-4) from untrusted systems, so I'm trying to configure
> openssh to use one-time passwords via libpam-opie. I started by
> commenting out the auth entry for pam_unix.so in /etc/pam.d/ssh, and
> adding one for pam_opie.so in its place. So far so good... the
> keyboard-interactive method seems to work with opie, and it doesn't
> fall back to normal password authentication.
> During the course of testing, I noticed that the change had broken the
> built-in password authentication ("PasswordAuthentication yes" in
> sshd_config). Can anyone explain why this occurs? My (obviously
> flawed ;-) understanding was that openssh only uses the pam auth
> modules for keyboard-interactive. I've gone through the pam
> documentation and done some googling, but the answer remains elusive...
> This isn't a huge problem, as I'm most likely going to disable password
> authentication anyway. But I'd really like to understand what's
> ----- </etc/pam.d/ssh> -----
> auth required pam_nologin.so
> auth required pam_env.so # 
> auth required pam_opie.so
> #auth required pam_unix.so
> auth required pam_deny.so
> account required pam_unix.so
> session required pam_unix.so
> session optional pam_motd.so # 
> session optional pam_mail.so standard noenv # 
> session required pam_limits.so
> password required pam_unix.so obscure min=8 md5
> ----- <end /etc/pam.d/ssh> -----
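
The effect of the stray pam_deny.so line mentioned in the correction, as an added example that is not part of the original messages: a simplified Python model of Linux-PAM's required/requisite/sufficient control flags, run over the auth lines of the posted file. The module outcomes passed in (a valid OPIE response, no /etc/nologin) are assumptions, and optional modules are ignored by this model.

```python
# Added example: simplified model of Linux-PAM control-flag evaluation.
# Auth section of the posted /etc/pam.d/ssh (trailing "#" marks dropped).
STACK_AS_POSTED = """\
auth required pam_nologin.so
auth required pam_env.so
auth required pam_opie.so
#auth required pam_unix.so
auth required pam_deny.so
account required pam_unix.so
"""

# Modules whose result never depends on the user's input.
ALWAYS = {"pam_deny.so": False, "pam_permit.so": True}


def parse(text, facility="auth"):
    """Return [(control, module)] for one facility, skipping comments."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2]))
    return entries


def evaluate(entries, outcomes):
    """Walk the stack; outcomes maps module name -> True/False (assumed)."""
    failed = succeeded = False
    for control, module in entries:
        ok = ALWAYS.get(module, outcomes.get(module, False))
        if control == "requisite" and not ok:
            return False              # fail immediately
        if control == "required" and not ok:
            failed = True             # remember failure, keep running stack
        elif control == "sufficient" and ok and not failed:
            return True               # short-circuit success
        elif control in ("required", "requisite") and ok:
            succeeded = True
    return succeeded and not failed


if __name__ == "__main__":
    good_login = {"pam_nologin.so": True, "pam_env.so": True, "pam_opie.so": True}
    corrected = STACK_AS_POSTED.replace("auth required pam_deny.so\n", "")
    print("as posted:", evaluate(parse(STACK_AS_POSTED), good_login))
    print("corrected:", evaluate(parse(corrected), good_login))
```
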