[SOLVED] Re: openssh, pam and debian: how to configure ssh to use custom pam authentication module



Problem solved. All I had to do was to
enable ChallengeResponseAuthentication,
disable PasswordAuthentication and set UsePAM to yes.

On Sun, Mar 15, 2009 at 12:19 PM, Angelin Lalev <lalev.angelin@xxxxxxxxx> wrote:
Hi,

I want to install a Debian "Lenny" server to be used by my students
from the computer labs of my university.
The labs have quite regularly monitored network infrastructure with
switches which support MAC access lists.
Together with ssh, that makes the possibility of man-in-the-middle and
eavesdropping attacks quite negligible.
Unfortunately, the main danger in the labs comes from the quite
liberal access to the operating system
given to the students, which doesn't prevent effectively enough
the installation of key loggers and trojaned versions
of some programs.

That's why I was thinking about using one-time password authentication
for my server (along with, say, a write-protected
USB flash with an ssh client written on it).

Directed by some postings on Debian mailing lists, I found the otpw package
and made it work for regular
logins by adding one simple line to the pam.d configuration files.

auth    sufficient    pam_otpw.so

The problem is that no matter what the pam.d file for the sshd service says,
sshd displays the regular password
prompt at login instead of the "Enter password No XXX" which is needed
for pam_otpw.so to work properly.

There were some suggestions on the mailing lists on how to deal with that
very problem on openssh 3.x,
but the modern version of openssh says the suggested options are deprecated.

Which is the way to invoke the proper authentication scheme in modern
versions of openssh?
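
An added example, not part of the original thread: a small checker that reads an sshd_config and the sshd PAM file and reports whether they match the fix given in the reply (the three sshd options) plus the `pam_otpw.so` auth line from the question. It goes slightly beyond the thread by honouring sshd's first-value-wins parsing and by ignoring conditional `Match` sections; the function names and sample inputs are constructed for illustration.

```python
import re

# Settings the post reports as the fix (lowercased keyword -> required value).
REQUIRED = {"challengeresponseauthentication": "yes",
            "passwordauthentication": "no", "usepam": "yes"}
# Newer OpenSSH releases name the first option KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def global_settings(sshd_config_text):
    """Global-section keyword -> value; sshd keeps the first value it reads."""
    settings = {}
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # lines after Match are conditional
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings.setdefault(ALIASES.get(keyword, keyword), value)
    return settings

def otpw_in_auth_stack(pam_text):
    """True if an uncommented auth line in the PAM file loads pam_otpw.so."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and "pam_otpw.so" in fields[2:]:
            return True
    return False

def audit(sshd_config_text, pam_text):
    """Return a list of problems; empty means the files match the post."""
    problems = []
    found = global_settings(sshd_config_text)
    for keyword, wanted in REQUIRED.items():
        actual = found.get(keyword)
        if actual != wanted:
            problems.append(f"{keyword}: {actual or 'not set'} (want {wanted})")
    if not otpw_in_auth_stack(pam_text):
        problems.append("pam: no auth line loads pam_otpw.so")
    return problems

# Constructed sample inputs, not taken from the post.
BROKEN_SSHD = ("ChallengeResponseAuthentication no\nPasswordAuthentication yes\n"
               "UsePAM yes\nChallengeResponseAuthentication yes\n")
FIXED_SSHD = "ChallengeResponseAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"
PAM_SSHD = "auth    sufficient    pam_otpw.so\n@include common-auth\n"
```

Calling `audit(BROKEN_SSHD, PAM_SSHD)` flags the first two options even though a later line sets `ChallengeResponseAuthentication yes`, because the earlier `no` is the value sshd uses.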



