LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Setting up OTP for SSH


Stephen Shirley diamond at skynet.ie
Mon Aug 22 13:53:44 IST 2005


kevin lyda wrote:
> instructions I'll make a note for theirs.  In addition if anyone knows
> of Opie calculators (and links to them) for other devices that would be
> nifty.  Devices like Palms, Ipaqs, phones or other things would be nice.

I use pilOTP for palmos: 
http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/

<snip>
>     I configured Opie to first prompt for a normal password and if that
>     was successful, prompt for the OTP.  Once both are entered correctly
<snip>
>         auth required pam_unix.so nullok_secure
>         auth sufficient pam_opie.so
>         auth required pam_deny.so

Hurm. The above description is not accurate. This pam setup will allow 
people to log in with just their opie password. They will be prompted for 
both passwords in all cases, and entering the correct opie password 
means the other checks will be ignored. To get what you described above, 
what you need is this:

	auth requisite pam_unix.so nullok_secure
	auth required pam_opie.so

(the last line could equally be 'requisite' too, it doesn't make any 
difference in this case as there are no further auth checks). This means 
that if a person enters an incorrect pam_unix password, they'll 
immediately get an authentication error. Personally, I wouldn't recommend 
this approach. It allows insecure passwords to be guessed/tried fairly 
easily. A better approach would be to just make both auth modules 
'required':

	auth required pam_unix.so nullok_secure
	auth required pam_opie.so

That way the user will always be prompted for both passwords, and will 
only get a yea/nae after entering both. For more details on how the pam 
configuration works, see the control-flag section in 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.1

>     There are other ways to set up OTP.  Having to enter both passwords
>     is a pain so you can configure ssh to accept either a password or an
>     OTP.  
<snip>
>         auth required pam_unix.so nullok_secure
>         auth sufficient pam_opie.so
>         auth required pam_deny.so

Again, that's not quite correct. The appropriate pam setup for what you 
describe would be:

	auth sufficient pam_unix.so nullok_secure
	auth sufficient pam_opie.so

<snip>

Other than that, very well written piece.

Steve
-- 
"You are technically correct, the best kind of correct." -- the web
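
An added example, not part of the original message: a simplified Python model of how Linux-PAM's documented `required`, `requisite` and `sufficient` control flags combine, run over the four auth stacks that appear in this thread. The function names, the stack labels and the reduction of each module to a pass/fail result are assumptions made for illustration; module options such as `nullok_secure` are ignored.

```python
"""Added example: simplified model of Linux-PAM auth-stack evaluation."""
from itertools import product

# Stacks from this thread (labels are hypothetical; module options omitted).
STACKS = {
    "quoted": [("required", "pam_unix.so"), ("sufficient", "pam_opie.so"),
               ("required", "pam_deny.so")],
    "requisite": [("requisite", "pam_unix.so"), ("required", "pam_opie.so")],
    "required": [("required", "pam_unix.so"), ("required", "pam_opie.so")],
    "either": [("sufficient", "pam_unix.so"), ("sufficient", "pam_opie.so")],
}

def run_stack(stack, module_ok):
    """Return (granted, modules_invoked) for one login attempt."""
    required_failed = False   # a required module has already failed
    any_success = False       # at least one module has voted success
    invoked = []
    for flag, module in stack:
        invoked.append(module)
        ok = module_ok[module]
        if flag == "requisite" and not ok:
            return False, invoked      # fail at once, later modules never run
        if flag == "required" and not ok:
            required_failed = True     # remembered, but the stack continues
        if flag == "sufficient":
            if ok and not required_failed:
                return True, invoked   # ends the stack early with success
            if not ok:
                continue               # a sufficient failure is ignored
        any_success = any_success or ok
    return any_success and not required_failed, invoked

def truth_table(name):
    """Map (unix_ok, opie_ok) -> (granted, modules_invoked) for one stack."""
    table = {}
    for unix_ok, opie_ok in product((True, False), repeat=2):
        checks = {"pam_unix.so": unix_ok, "pam_opie.so": opie_ok,
                  "pam_deny.so": False}   # pam_deny always fails
        table[(unix_ok, opie_ok)] = run_stack(STACKS[name], checks)
    return table

if __name__ == "__main__":
    for name in STACKS:
        for (unix_ok, opie_ok), (granted, invoked) in truth_table(name).items():
            print(f"{name:9} unix={unix_ok!s:5} opie={opie_ok!s:5} "
                  f"granted={granted!s:5} invoked={', '.join(invoked)}")
```

The `invoked` column shows which modules ran for each attempt, which is what separates the `requisite` stack (it stops at a wrong pam_unix password) from the all-`required` stack (it always runs both modules before answering).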


