search for: pam_opi

Hi, did a search in the archives for "opie" and this is the most recent message on the topic I see: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98536878202858&w=2 Nigel, would you mind sending me the source for the module you've extracted from that other distribution? Also, if anyone is interested in looking at other OPIE PAM modules, here are two more: Andy

As an experiment I set up Challenge/response authentication on a Linux system with PAM using a pam_opie module (this module works fine with console logins and su). I can log into the box using the opie password, *but* it does not give me the challenge - which can make things a little tricky :-) I can well believe this might be a fault in the PAM pam_opie module I am using, so has anyone got Cha...

...positive. but it works fine in case of: mx2# opiekey -n5 1 vo6199 Using the MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: 0: OAK SEW CULT FALL AX WAND 1: BOUT AID SOOT BUT SIT BILK mx2# *** 3 *** pam_opie.so, the most interesting thing After successful login with 0 sequence number, trying to do it again (sequence number has been decreased, right?) mx2# ssh ssa@192.168.90.250 otp-md5 -1 (null) ext Password: Is it impossible to calculate response to '-1' so trying to use any pa...

...n that my problem is not with samba but it is with PAM? If anyone could help me with this problem it would be greatly appreciated!!! Thanks, Jeff Meyer The smb.conf and pam.conf files that I am using are below. pam.conf login auth sufficient pam_skey.so login auth sufficient pam_opie.so no_fake_prompts #login auth required pam_opieaccess.so login auth requisite pam_cleartext_pass_ok.so #login auth sufficient pam_kerberosIV.so try_first_pass #login auth sufficient pam_krb5.so try_first_pass login auth required pam_unix.so try_...

...a 'requisite' module fails. I find this strange as the pam 'requisite' is defined in the man pages as: requisite - failure of such a PAM results in the immediate termination of the authentication process; Here is what I did. I've setup opie for my account. I've configured pam_opieaccess (/etc/opieaccess) to allow my home network to use static passwords: permit 10.0.0.0 255.255.255.0 And in /etc/pam.conf I added: sshd auth required pam_opie.so sshd auth requisite pam_opieaccess.so sshd auth required /usr/lib/pam_krb5.so.1 try_first_pas...

...username = domain-name.username browsable = yes read only = no #public = yes printable = no writeable = yes Pam.conf auth required pam_nologin.so no_warn auth sufficient pam_winbind.so auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth requ...

I have been unable to use any challenge/response based pam module (eg. pam_opie.so) for ssh authentication, because the challenge (needed to compute an appropriate response) is never shown during login. do_pam_conversation() in auth-pam.c will not print any prompts while in the INITIAL_LOGIN state, queueing them for later printing. Should users be able to override this (us...

...in __read_nocancel () from /lib64/tls/libc.so.6 #1 0x000000552aadea26 in packet_get_int () from /usr/sbin/sshd #2 0x000000552aae3f75 in kex_input_kexinit () from /usr/sbin/sshd #3 0x000000552aacdb60 in kexgex_server () from /usr/sbin/sshd #4 0x0000002a96eb1c27 in converse () from /lib/security/pam_opie.so #5 0x0000002a96eb1d7a in pam_sm_authenticate () from /lib/security/pam_opie.so #6 0x0000002a957787aa in _pam_dispatch () from /lib64/libpam.so.0 #7 0x0000002a9577a182 in pam_authenticate () from /lib64/libpam.so.0 #8 0x000000552aace845 in kexgex_server () from /usr/sbin/sshd #9 0x000000552...

...9;s for users in the domain... What am I doing wrong ? Furthermore I went through this ordeal to allow domain users to authenticate with ssh. So I've modified the the /etc/pam.conf file like this (settings for ssh) : sshd auth sufficient pam_skey.so sshd auth sufficient pam_opie.so no_fake_prompts #this line is added by me sshd auth sufficient /usr/local/lib/pam_winbind.so #sshd auth requisite pam_opieaccess.so #sshd auth sufficient pam_kerberosIV.so try_first_pass #sshd auth sufficient pam_krb5.s...

...hidden. > > I have a working implementation on Linux, with source code taken from > http://www.inner.net/pub/opie/ > > There is also a (basic) PAM implementation for authentication - I've > not even attempted to see if that works with openssh > http://www.tho.org/~andy/pam_opie-0.21.tar.gz > > Unfortunately single use passwords seem to have fallen out of favour - > slightly strange when generation of the passwords is nice and easy now > with Palm devices and the like. > > Nigel. > Harondel J. Sibble Sibble Computer Consulting Creating solu...

...d /dev/null -s /bin/false %u delete user script = /usr/sbin/pw userdel %u ; delete user from group script = /usr/sbin/deluser %u %g delete group script = /usr/sbin/pw groupdel %g and here is my PAM stack for /etc/pam.d/system # System-wide defaults # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_winbind.so try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient p...

...e = Yes wide links = Yes [homes] comment = Home Directories read only = No browseable = No Here's the /etc/pam.d/system file: # # $FreeBSD: src/etc/pam.d/system,v 1.1.32.1.4.1 2010/06/14 02:09:06 kensmith Exp $ # # System-wide defaults # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so mkhomedir=yes #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn...

...OMAIN.UCSD.EDU # more /etc/nsswitch.conf group: files winbind group_compat: nis hosts: files dns networks: files passwd: files winbind passwd_compat: nis shells: files services: compat services_compat: nis protocols: files rpc: files # more /etc/pam.d/sshd # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient /usr/local/lib/pam_winbind.so try_first_pass #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient...

...day, June 24, 2004 09:06 To: freebsd-security@freebsd.org Subject: RE: Opieaccess file, is this normal? Hi, Here is the content of /etc/pamd/ssh, it's actually the default, I didn't change it. auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth required pam_unix.so no_warn try_first_pass account required pam_unix.so session required pam_permit.so password...

...-u. Here are some relevent (I hope) configurations. Any help would be greatly appreciated. Regards, Mike # /etc/pam.d/sshd auth sufficient /usr/local/samba/lib/security/pam_winbind.so auth sufficient pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_unix.so no_warn try_first_pass account sufficient /usr/local/samba/lib/security/pam_winbind.so account required...

...in/bash My nsswitch.conf group: compat winbind group_compat: nis hosts: files dns winbind networks: files passwd: compat winbind passwd_compat: nis shells: files and finally my /etc/pam.d/sshd # auth auth required pam_nologin.so no_warn #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth required...

...in/bash My nsswitch.conf group: compat winbind group_compat: nis hosts: files dns winbind networks: files passwd: compat winbind passwd_compat: nis shells: files and finally my /etc/pam.d/sshd # auth auth required pam_nologin.so no_warn #auth sufficient pam_opie.so no_warn no_fake_prompts #auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth required...

...etworks: files passwd: files winbind passwd_compat: nis shells: compat *****************copy end*********************** /etc/pam.d/system ****************copy start************************* # auth auth sufficient /usr/lib/pam_winbind.so try_first_pass auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required...

...penssh with --with-pam option Install samba Your smb.conf should be running in: security = domain And your /etc/pam.d/sshd should look like this: # auth auth sufficient pam_winbind.so auth sufficient pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local auth sufficient pam_unix.so no_warn try_first_pass account sufficient pam_winbind.so account required pam_unix.so session...

...that the series was being decremented, but auth.log gives Feb 6 15:41:46 mabruk dovecot-auth: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=x.x.x.x user=micah ssh works fine with the same PAM settings (both include common-auth, which has:) auth sufficient pam_opie.so auth sufficient pam_unix.so nullok_secure auth required pam_deny.so -- Micah J. Cowan Programmer, musician, typesetting enthusiast, gamer... http://micah.cowan.name/