As an experiment I set up Challenge/response authentication on a Linux system with PAM using a pam_opie module (this module works fine with console logins and su). I can log into the box using the opie password, *but* it does not give me the challenge - which can make things a little tricky :-) I can well believe this might be a fault in the PAM pam_opie module I am using, so has anyone got Challenge/Response authentication working under PAM and with the challenge being given? If so what pam module are you using? Nigel. -- [ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] [ - Comments in this message are my own and not ITO opinion/policy - ]
On Wed, 21 Mar 2001, Nigel Metheringham wrote:> As an experiment I set up Challenge/response authentication on a Linux > system with PAM using a pam_opie module (this module works fine with > console logins and su). > > I can log into the box using the opie password, *but* it does not give > me the challenge - which can make things a little tricky :-) > > I can well believe this might be a fault in the PAM pam_opie module I > am using, so has anyone got Challenge/Response authentication working > under PAM and with the challenge being given? If so what pam module > are you using?Try putting ChallengeResponseAuthentication yes in the server config and Protocol 2 PreferredAuthentications publickey, keyboard-interactive, password in the client config. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer
Hi Damien, djm at mindrot.org said:> ChallengeResponseAuthentication yes > in the server config and > Protocol 2 > PreferredAuthentications publickey, keyboard-interactive, password > in the client config.I must have expressed my question wrongly so getting you to grab the wrong end of the stick :-) I have the openssh part of the configuration apparently correct, and when I ssh to an appropriately set up account I get % ssh host Response: If I put the right response in it logs me in quite happily. However I am not getting the Challenge displayed to me.... which could well be down to the PAM module implementation as all the pam_opie modules I see appear to be quick hacks from people feeling their way round the PAM code. Anyone got a fully working pam_opie/pam_skey implementation they wish to point me at? Nigel. -- [ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] [ - Comments in this message are my own and not ITO opinion/policy - ]