Date: Mon, 11 Aug 2003 08:47:40 +1000
From: Geoff Crompton geoff.crompton@bjhcontrols.com.au
Subject: Re: ssh + opie?
To: debian-security@lists.debian.org

On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> > I have successfully configured sshd to allow opie logons, without
> > disabling PrivSep, by configuring pam to use the libpam-opie
> > module for ssh.
> > In this case the user gets the normal password prompt though, and no
> > opie information to tell them what password they are up to.
>
> Could you post the configuration details? I've tried to do this a
> couple of times, but wasn't successful unless I disabled privilege
> separation.

No worries. In /etc/pam.d/ssh I have:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so # [1]
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so

account required pam_unix.so

session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so

password required pam_unix.so


It is very similar to the original /etc/pam.d/ssh. Note that using
this configuration does not change the logon prompt at all. So the user
has no clue that they can use an opie password, and no prompt for what
the seed or number they are up to is. They are simply prompted for a
password (assuming the ssh configuration allows that, and they haven't
used a key method for authentication). If they enter their normal
password it is accepted. If they enter the current opie password it is
accepted.

The sshd_config follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server

The man page says that UsePrivilegeSeparation defaults to yes. So I
assume that it is enabled, and that this information might be useful.

Cheers,
Geoff
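As an added illustration (not part of the original mail or of Linux-PAM itself), the following script parses the auth stack Geoff posted and walks it with the classic PAM control keywords (required, requisite, sufficient, optional). Module outcomes are supplied by hand, so it authenticates nothing; it only shows which credential combinations the stack accepts. The assumed outcomes for pam_nologin, pam_env and pam_deny (success, success, always fail) are their normal behaviour on a host without /etc/nologin.

```python
# Added example (not from the original mail): a small evaluator for the
# classic PAM control flags, run over the posted auth stack, to show
# which credential combinations that stack accepts. Module outcomes are
# constructed by hand; nothing is authenticated for real.

PAM_SSH = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so # [1]
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
account required pam_unix.so
"""


def parse_pam(text):
    """Parse a /etc/pam.d/<service> file into (type, control, module) tuples.

    Comments (including the trailing '# [1]' annotations) are dropped and
    module arguments after the module name are ignored for this simulation.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((fields[0], fields[1].lower(), fields[2]))
    return entries


def run_stack(entries, outcomes, mgmt="auth"):
    """Walk one management group using the simple control keywords.

    outcomes maps module name -> True (PAM_SUCCESS) / False (failure);
    a module missing from the mapping is treated as failing. Returns True
    if the stack as a whole succeeds.
    """
    failed = False
    for group, control, module in entries:
        if group != mgmt:
            continue
        ok = outcomes.get(module, False)
        if control == "required":
            # failure is recorded but the walk continues, so the caller
            # cannot tell which required module rejected the attempt
            if not ok:
                failed = True
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            # an earlier required failure disables the short-circuit
            if ok and not failed:
                return True
        elif control == "optional":
            pass
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return not failed


def accepted_credentials(entries):
    """Report whether the auth stack accepts the unix password, the OPIE
    password, or neither, under the assumed base module outcomes."""
    base = {"pam_nologin.so": True, "pam_env.so": True, "pam_deny.so": False}
    report = {}
    for label, unix_ok, opie_ok in (("unix_only", True, False),
                                     ("opie_only", False, True),
                                     ("neither", False, False)):
        outcomes = {**base, "pam_unix.so": unix_ok, "pam_opie.so": opie_ok}
        report[label] = run_stack(entries, outcomes)
    return report


if __name__ == "__main__":
    stack = parse_pam(PAM_SSH)
    for label, ok in accepted_credentials(stack).items():
        print("%-10s -> %s" % (label, "accepted" if ok else "rejected"))
```

Running it reports unix_only and opie_only as accepted and neither as rejected, which is exactly the behaviour described above: two "sufficient" lines in a row mean either secret satisfies the stack, and pam_deny only fires when both fail. If the goal were to make the one-time password mandatory rather than an alternative, the pam_unix "sufficient" entry would have to go; as posted, a stolen static password still logs in.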