Hello folks, this looks about the only place I can find on issues dealing with the subject line. The message that got me posting is included below the line of *'s.

Basically I've tried getting this working with Pam authentication and using the new login binary that comes with Opie 2.32. No joy.

I am using
RedHat 6.0
OpenSSH 2.3.0p1
Pam 0.66-18

I can get the opie challenge only on a console (no openssh), if I attempt to include the opie_pam module in the /etc/pam.d/sshd file, all authentication fails and no login is possible. Has anyone come up with any workarounds? I had previously tried to get s/key working, but kept bumping up against the issue of s/key not supporting shadow passwords and the pam s/key module is a tad old....

Any suggestions other than abandoning the whole OTP and OpenSSH idea?

Note I am not a list member, so please cc me.

TIA

*************MESSAGE FROM ARCHIVES***************

> mouring at pconline.com said:
> > If I knew of a S/Key library outside of the code in the OpenBSD tree
> > I'd be happy to compile it up under Linux and see if I can mimic this
> > problem.
>
> There is the OPIE project - which appears to now be defunct and well
> hidden.
>
> I have a working implementation on Linux, with source code taken from
> http://www.inner.net/pub/opie/
>
> There is also a (basic) PAM implementation for authentication - I've
> not even attempted to see if that works with openssh
> http://www.tho.org/~andy/pam_opie-0.21.tar.gz
>
> Unfortunately single use passwords seem to have fallen out of favour -
> slightly strange when generation of the passwords is nice and easy now
> with Palm devices and the like.
>
> Nigel.

Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)
The S/Key listed in the 'INSTALL' file in the current snapshot points to a ported version of S/Key libraries from OpenBSD that is known to work with Redhat and shadowing. However it does not support PAM from my understanding.

I'm unsure at this point if/when there will be support for advanced PAM features such as alternate authentication.

- Ben

On Sat, 2 Dec 2000, Harondel J. Sibble wrote:

> Hello folks, this looks about the only place I can find on issues dealing
> with the subject line. The message that got me posting is included below the
> line of *'s.
>
> Basically I've tried getting this working with Pam authentication and using
> the new login binary that comes with Opie 2.32. No joy.
>
> I am using
> RedHat 6.0
> OpenSSH 2.3.0p1
> Pam 0.66-18
>
> I can get the opie challenge only on a console (no openssh), if I attempt to
> include the opie_pam module in the /etc/pam.d/sshd file, all
> authentication fails and no login is possible. Has anyone come up with any
> workarounds. I had previously tried to get s/key working, but kept bumping up
> against the issue of s/key not supporting shadow passwords and the pam s/key
> module is a tad old....
>
> Any suggestions other than abandoning the whole OTP and OpenSSH idea?
>
> Note I am not a list member, so please cc me.
>
> TIA
>
> *************MESSAGE FROM ARCHIVES***************
>
> > mouring at pconline.com said:
> > > If I knew of a S/Key library outside of the code in the OpenBSD tree
> > > I'd be happy to compile it up under Linux and see if I can mimic this
> > > problem.
> >
> > There is the OPIE project - which appears to now be defunct and well
> > hidden.
> >
> > I have a working implementation on Linux, with source code taken from
> > http://www.inner.net/pub/opie/
> >
> > There is also a (basic) PAM implementation for authentication - I've
> > not even attempted to see if that works with openssh
> > http://www.tho.org/~andy/pam_opie-0.21.tar.gz
> >
> > Unfortunately single use passwords seem to have fallen out of favour -
> > slightly strange when generation of the passwords is nice and easy now
> > with Palm devices and the like.
> >
> > Nigel.
>
> Harondel J. Sibble
> Sibble Computer Consulting
> Creating solutions for the small business and home computer user.
> help at pdscc.com (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
> (604) 739-3709 (voice/fax) (604) 686-2253 (pager)
On Sat, 2 Dec 2000, Harondel J. Sibble wrote:

> I can get the opie challenge only on a console (no openssh), if I
> attempt to include the opie_pam module in the /etc/pam.d/sshd
> file, all authentication fails and no login is possible. Has
> anyone come up with any workarounds. I had previously tried to
> get s/key working, but kept bumping up against the issue of s/key
> not supporting shadow passwords and the pam s/key module is a tad
> old....

I have just committed a patch from Nalin Dahyabhai which enables PAM to use KbdInteractive authentication, which will allow for this sort of challenge/response stuff. It will be in tomorrow morning's snapshot.

To use it you need to add "KbdInteractiveAuthentication yes" to both your client and server configs.

-d

--
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the | <djm at mindrot.org>
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB  / http://www.mindrot.org
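
Added example, not part of the original thread or of OpenSSH: a shell check that the "KbdInteractiveAuthentication yes" setting named in the reply above is actually in effect in a client or server config. It assumes the first occurrence of a keyword wins, as documented in ssh_config(5) and sshd_config(5), inspects only the global section (before any Host or Match block), and runs against constructed sample files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective global value of a keyword in an
# OpenSSH-style config file. Keywords are case-insensitive, "key value" and
# "key=value" are both accepted, and the first occurrence wins (assumption
# taken from the ssh_config(5)/sshd_config(5) manual pages).
effective_value() {
    # $1 = config file, $2 = keyword; prints the lowercased value or nothing
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")           # normalise "key = value"
            key = tolower($1)
            if (key == "host" || key == "match") exit   # end of global section
            if (key == want) { print tolower($2); exit }
        }
    ' "$1"
}

# Succeeds only when keyboard-interactive auth is enabled globally in file $1.
check_kbdint() {
    [ "$(effective_value "$1" KbdInteractiveAuthentication)" = "yes" ]
}

# Constructed sample configs (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
# server side: the first line wins, the later "no" is ignored
Port 22
kbdinteractiveauthentication = yes
KbdInteractiveAuthentication no
EOF
cat > "$tmp/ssh_config" <<'EOF'
# client side: only set inside a Host block, so not enabled globally
Host gateway
    KbdInteractiveAuthentication yes
EOF

for f in "$tmp/sshd_config" "$tmp/ssh_config"; do
    if check_kbdint "$f"; then
        echo "$f: KbdInteractiveAuthentication enabled"
    else
        echo "$f: KbdInteractiveAuthentication NOT enabled globally"
    fi
done
```

Both sides have to pass for the PAM challenge to reach the user, so run the check against the server's sshd_config and the client's ssh_config.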