Date: Mon, 11 Aug 2003 08:47:40 +1000
From: Geoff Crompton
Subject: Re: ssh + opie?

On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> > I have successfully configured sshd to allow opie logons, without
> > disabling PrivSep, by configuring pam to use the libpam-opie
> > module for ssh.
> > In this case the user gets the normal password prompt though, and no
> > opie information to tell them what password they are up to.
> Could you post the configuration details? I've tried to do this a
> couple of times, but wasn't successful unless I disabled privilege
> separation.

No worries. In /etc/pam.d/ssh I have:
auth required
auth required # [1]
auth sufficient
auth sufficient
auth required

account required

session required
session optional # [1]
session optional # [1]
session optional standard noenv # [1]
session required

password required

It is very similar to the original /etc/pam.d/ssh. Note that using
this configuration does not change the logon prompt at all. So the user
has no clue that they can use an opie password, and no prompt for what
the seed or number they are up to is. They are simply prompted for a
password (assuming the ssh configuration allows that, and they haven't
used a key method for authentication). If they enter their normal
password it is accepted. If they enter the current opie password it is

The sshd_config follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server

The man page says that UsePrivilegeSeparation defaults to yes. So I
assume that it is enabled, and that this information might be useful.
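As an added illustration (not part of the mail or of libpam-opie), the following models Linux-PAM control-flag semantics to show why the posted auth stack (required, required, sufficient, sufficient, required) accepts either the normal password or the current OPIE one-time password, and what happens if the flags are mixed up. The posted config omits the module names, so the names used here ("setup_a", "setup_b", "unix", "opie", "deny") are assumptions.

```python
# Simplified model of Linux-PAM auth-stack evaluation (added example).
# Module names are placeholders; the mail only shows the control flags.

def evaluate_auth_stack(stack, results):
    """Return True if PAM would grant access for this attempt.

    stack:   list of (control_flag, module_name) in file order.
    results: dict module_name -> bool, whether that module succeeds for
             the credential the user typed (missing name = failure).
    """
    required_failed = False
    for control, module in stack:
        ok = results.get(module, False)
        if control == "required":
            # failure is remembered, but later modules still run
            if not ok:
                required_failed = True
        elif control == "requisite":
            # failure ends the stack immediately
            if not ok:
                return False
        elif control == "sufficient":
            # success ends the stack with PASS unless a required
            # module earlier in the stack has already failed
            if ok and not required_failed:
                return True
        elif control == "optional":
            pass  # ignored when other modules decide the result
        else:
            raise ValueError(f"unknown control flag: {control}")
    return not required_failed

# Shape of the auth section from the mail; module names are assumed.
SSH_AUTH_STACK = [
    ("required", "setup_a"),
    ("required", "setup_b"),
    ("sufficient", "unix"),  # ordinary system password
    ("sufficient", "opie"),  # current OPIE one-time password
    ("required", "deny"),    # only reached if neither sufficient passed
]

# The two leading modules succeed for any user; the final one always fails.
BASELINE = {"setup_a": True, "setup_b": True, "deny": False}

def login_with_unix_password():
    return evaluate_auth_stack(SSH_AUTH_STACK, {**BASELINE, "unix": True})

def login_with_opie_password():
    return evaluate_auth_stack(SSH_AUTH_STACK, {**BASELINE, "opie": True})

def login_with_wrong_password():
    return evaluate_auth_stack(SSH_AUTH_STACK, BASELINE)
```

Changing either "sufficient" to "required" would demand both credentials from a single password prompt, so the caveat to check when editing this stack is that exactly one of the two should succeed for a given login.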