I occasionally have a need to connect to my home machine from untrusted systems, so I'm trying to configure ssh to use one-time passwords via libpam-opie. I started by commenting out the auth entry for pam_unix.so in /etc/pam.d/ssh, and adding one for pam_opie.so in it's place. So far so good... the keyboard-interactive method seems to work with opie, and it doesn't fall back normal password authentication.
During the course of testing, I noticed that the change had broken
ssh's built-in password authentication ("PasswordAuthentication yes" in
sshd_config). Can anyone explain why this occurs? My understanding
(obviously flawed ;-) was that ssh only uses the pam auth modules for
keyboard-interactive. I've gone through the documentation and done a
bit of googling, but the answer remains elusive...
This isn't a huge problem, as I'm most likely going to disable password
authentication anyway. But I'd really like to understand what's
occurring.
Thanx!
pgp00000.pgp
Description: PGP signature
