[ILUG] Setting up OTP for SSH

kevin lyda kevin at ie.suberic.net
Mon Aug 22 14:21:46 IST 2005


On Mon, Aug 22, 2005 at 01:53:44PM +0100, Stephen Shirley wrote:
> I use pilOTP for palmos: 
> http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/

thanks!

> Hurm. The above description is not accurate. This pam setup will allow 
> people to login with just their opie password. They will be prompted for 
> both passwords in all cases, and entering the correct opie password 
> means the other checks will be ignored. To get what you described above, 
> what you need is this:

right, i copied the wrong one.  what i meant was this one:

> 	auth requisite pam_unix.so nullok_secure
> 	auth required pam_opie.so
> 
> (the last line could equally be 'requisite' too, it doesn't make any 
> difference in this case as there are no further auth checks). This means 
> that if a person enters an incorrect pam_unix password, they'll 
> immediately get an authentication error. Personally, i wouldn't recommend 

yes, and here's why that's a good thing:

    1. there are only so many OTPs available from a given opiepasswd
       run.  by default there are 498 available.  i see ssh scans try root
       logins over hundreds of times a day.  conceivably i could be locked
       out of my root account w/o them ever knowing the root password.
    2. opie gives obviously fake responses back for invalid accounts or
       accounts not in opie.  if i ssh to bob at server, ssh will dutifully
       request a password even if bob doesn't exist.  in the above
       config, opie will never pop up and give away that bob is an
       invalid account.

> this approach. It allows insecure passwords to be guessed/tried fairly 
> easily. A better approach would be to just make both auth modules 
> 'required':
> 
> 	auth required pam_unix.so nullok_secure
> 	auth required pam_opie.so

i initially had it this way.  i changed it to the above setting for the
reasons given.

> >        auth required pam_unix.so nullok_secure
> >        auth sufficient pam_opie.so
> >        auth required pam_deny.so
> 
> Again, that's not quite correct. The appropriate pam setup for what you 
> describe would be:
> 
> 	auth sufficient pam_unix.so nullok_secure
> 	auth sufficient pam_opie.so

again, i pasted wrong.  argh.

kevin
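The disagreement above is really about how PAM's control flags compose. The following small simulator is an added illustration, not code from this thread or from Linux-PAM: it models `required`, `requisite` and `sufficient` with Linux-PAM's stacking rules and runs the four configurations quoted in the thread (the requisite/required one kevin meant, Stephen's both-required one, the either-sufficient one, and the mis-pasted unix/opie/deny one) against constructed sample credentials. The user names, passwords and OTP response are made up, and the `pam_opie` model only captures the one property the thread relies on: an unknown or un-enrolled user is still challenged and always fails. The trace of which modules ran is the interesting output, since in real PAM a module prompts from inside its own conversation, so "ran" is the same as "prompted the user".

```python
"""Simplified Linux-PAM 'auth' stack simulator (added example, not from Linux-PAM).
Supports the three control flags used in the thread: required, requisite, sufficient."""

from dataclasses import dataclass, field

# Constructed sample state (not real accounts): kevin exists and is enrolled in
# OPIE; bob has no account at all.
UNIX_PASSWORDS = {"kevin": "correct-unix-pw"}
OPIE_NEXT_RESPONSE = {"kevin": "WORD LIST OTP"}


@dataclass
class Trace:
    consulted: list = field(default_factory=list)  # modules that actually ran (= prompted)


def pam_unix(user, creds, trace):
    trace.consulted.append("pam_unix")
    return UNIX_PASSWORDS.get(user) == creds.get("password")


def pam_opie(user, creds, trace):
    # Model: an unknown/un-enrolled user is still given a (fake) challenge and fails.
    trace.consulted.append("pam_opie")
    return OPIE_NEXT_RESPONSE.get(user) == creds.get("otp")


def pam_deny(user, creds, trace):
    trace.consulted.append("pam_deny")
    return False


MODULES = {"pam_unix.so": pam_unix, "pam_opie.so": pam_opie, "pam_deny.so": pam_deny}


def parse_stack(text):
    """Parse 'auth <control> <module.so> [args...]' lines into (control, module) pairs."""
    stack = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "auth":
            continue
        control, module = parts[1], parts[2]
        if control not in ("required", "requisite", "sufficient"):
            raise ValueError(f"unsupported control flag {control!r}")
        stack.append((control, module))
    return stack


def run_auth(stack, user, creds):
    """Walk the stack with Linux-PAM control semantics; return (ok, trace)."""
    trace = Trace()
    failed = False        # some required/requisite module has failed
    required_ok = False   # some required/requisite module has passed
    for control, module in stack:
        ok = MODULES[module](user, creds, trace)
        if control == "requisite" and not ok:
            return False, trace            # stop at once; later modules never run
        if control in ("required", "requisite"):
            if ok:
                required_ok = True
            else:
                failed = True              # keep walking, but the answer is already 'no'
        elif control == "sufficient" and ok and not failed:
            return True, trace             # short-circuit success
    return (required_ok and not failed), trace


STACKS = {
    "requisite unix, required opie": "auth requisite pam_unix.so nullok_secure\nauth required pam_opie.so",
    "both required": "auth required pam_unix.so nullok_secure\nauth required pam_opie.so",
    "either sufficient": "auth sufficient pam_unix.so nullok_secure\nauth sufficient pam_opie.so",
    "mis-pasted 'either'": ("auth required pam_unix.so nullok_secure\n"
                            "auth sufficient pam_opie.so\nauth required pam_deny.so"),
}

CASES = {  # constructed attempts
    "kevin, right pw, right otp": ("kevin", {"password": "correct-unix-pw", "otp": "WORD LIST OTP"}),
    "kevin, wrong pw, right otp": ("kevin", {"password": "guess", "otp": "WORD LIST OTP"}),
    "kevin, right pw, wrong otp": ("kevin", {"password": "correct-unix-pw", "otp": "guess"}),
    "bob (no such account)": ("bob", {"password": "guess", "otp": "guess"}),
}


def compare():
    """Return {stack name: {case name: (ok, [modules consulted])}}."""
    results = {}
    for sname, text in STACKS.items():
        stack = parse_stack(text)
        results[sname] = {c: (lambda r: (r[0], r[1].consulted))(run_auth(stack, u, cr))
                          for c, (u, cr) in CASES.items()}
    return results


if __name__ == "__main__":
    for sname, rows in compare().items():
        print(sname)
        for cname, (ok, consulted) in rows.items():
            print(f"  {cname:28} -> {'ok' if ok else 'NO'}  ran {consulted}")
```

Running it shows the two properties kevin lists: with `requisite pam_unix` first, a wrong Unix password (or a non-existent user such as bob) fails before `pam_opie` ever runs, so no OTP prompt is issued and OPIE never gets a chance to answer; with both modules `required`, `pam_opie` is consulted on every attempt. It also shows why Stephen objected to the mis-pasted stack: with `pam_deny` closing it, that configuration demands both factors rather than accepting either.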
