On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> > I have successfully configured sshd to allow opie logons, without
> > disabling PrivSep, by configuring pam to use the libpam-opie
> > module for ssh.
> > In this case the user gets the normal password prompt though, and no
> > opie information to tell them what password they are up to.
> Could you post the configuration details? I've tried to do this a
> couple of times, but wasn't successful unless I disabled privilege
No worries. In /etc/pam.d/ssh I have:
auth required pam_nologin.so
auth required pam_env.so # 
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # 
session optional pam_motd.so # 
session optional pam_mail.so standard noenv # 
session required pam_limits.so
password required pam_unix.so
It is very similar to the original /etc/pam.d/ssh. Note that using
this configuration does not change the logon prompt at all. So the user
has no clue that they can use an opie password, and no prompt for what
the seed of number they are up to is. They are simply prompted for a
password (assuming the ssh configuration allows that, and they haven't
used a key method for authentication). If they enter their normal
password it is accepted. If they enter the current opie password it is
The sshd_config follows:
Subsystem sftp /usr/lib/sftp-server
The man page says that UsePrivilegeSeparation defaults to yes.
assume that it is enabled, and that this information might be useful.
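
Why the auth stack in this message accepts either the normal password or the current opie password, shown as an added example (not part of the original post): a simplified Python model of how PAM handles the required and sufficient control flags. Module outcomes are constructed inputs passed in by the caller, no real PAM modules are called, and the function names are hypothetical.

```python
# Added example: simplified model of PAM control flags for the auth stack
# posted above. Only required/requisite/sufficient/optional are modelled.

PAM_SSH = """\
auth required pam_nologin.so
auth required pam_env.so # 
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
account required pam_unix.so
session required pam_unix.so
"""

def parse_stack(text, mgmt_type):
    """Return [(control, module)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 3 and fields[0] == mgmt_type:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module -> True/False. Returns (accepted, deciding_module)."""
    failed = None  # first required module that failed, if any
    for control, module in stack:
        ok = results[module]
        if control == "sufficient" and ok and failed is None:
            return True, module          # success ends the stack early
        if control == "requisite" and not ok:
            return False, failed or module
        if control == "required" and not ok and failed is None:
            failed = module              # remembered, stack keeps running
        # a failed "sufficient" and any "optional" result are ignored
    return failed is None, failed

AUTH = parse_stack(PAM_SSH, "auth")

def login(nologin_ok, unix_ok, opie_ok):
    """Constructed scenario: pam_env succeeds, pam_deny always fails."""
    return evaluate(AUTH, {
        "pam_nologin.so": nologin_ok, "pam_env.so": True,
        "pam_unix.so": unix_ok, "pam_opie.so": opie_ok, "pam_deny.so": False,
    })

if __name__ == "__main__":
    print("normal password:", login(True, True, False))
    print("opie password:  ", login(True, False, True))
    print("wrong password: ", login(True, False, False))
    print("nologin active: ", login(False, True, False))
```

The last scenario shows that a sufficient module's success does not override an earlier required failure: with pam_nologin.so failing, a correct password is still rejected.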