configuring pam for openssh
From: Greg Norris (haphazard@kc.rr.com)
Date: 02/22/03
Date: Fri, 21 Feb 2003 22:12:15 -0600
From: Greg Norris <haphazard@kc.rr.com>
To: secureshell@securityfocus.com

I occasionally have a need to connect to my home machine (Debian Linux,
openssh 3.5p1-4) from untrusted systems, so I'm trying to configure
openssh to use one-time passwords via libpam-opie. I started by
commenting out the auth entry for pam_unix.so in /etc/pam.d/ssh, and
adding one for pam_opie.so in its place. So far so good... the
keyboard-interactive method seems to work with opie, and it doesn't
fall back to normal password authentication.

During the course of testing, I noticed that the change had broken the
built-in password authentication ("PasswordAuthentication yes" in
sshd_config). Can anyone explain why this occurs? My (obviously
flawed ;-) understanding was that openssh only uses the pam auth
modules for keyboard-interactive. I've gone through the pam
documentation and done some googling, but the answer remains elusive...

This isn't a huge problem, as I'm most likely going to disable password
authentication anyway. But I'd really like to understand what's
occurring.

Thanx!

----- </etc/pam.d/ssh> -----
auth required pam_nologin.so
auth required pam_env.so # [1]
auth required pam_opie.so
#auth required pam_unix.so
auth required pam_deny.so
account required pam_unix.so
session required pam_unix.so
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_unix.so obscure min=8 md5
----- <end /etc/pam.d/ssh> -----