Re: ssh + opie?

2003-08-14 Thread Geoff Crompton
On Thu, Aug 07, 2003 at 10:55:16PM -0700, Mark Ferlatte wrote:
> Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> > I tried to set this up again recently on another machine, and found that
> > privilege separation breaks this functionality. Does anyone know of a
> > workaround to provide similar functionality?
> 
> I think you have to turn off PrivSep to make this work.
> 
> M

  I have successfully configured sshd to allow opie logons, without
disabling PrivSep, by configuring pam to use the libpam-opie
module for ssh.
  In this case the user gets the normal password prompt though, and no
opie information to tell them what password they are up to.

  Geoff


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: ssh + opie?

2003-08-14 Thread Mark Ferlatte
Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> I tried to set this up again recently on another machine, and found that
> privilege separation breaks this functionality. Does anyone know of a
> workaround to provide similar functionality?

I think you have to turn off PrivSep to make this work.

M




Re: ssh + opie?

2003-08-14 Thread Michael Stone
On Fri, Aug 08, 2003 at 01:36:06AM -0400, Bradley Alexander wrote:
I tried to set this up again recently on another machine, and found that
privilege separation breaks this functionality. Does anyone know of a
workaround to provide similar functionality?
Short answer: use a newer version of ssh. 

Long answer: libpam-opie works fine today if you set
"privilegeseperation no" and "pamauthenticationviakbdint yes" in your
sshd_config file. The downside to doing that is that you increase your
exposure in the event of certain ssh exploits. There are patches to ssh
that allow kbdint to work with privsep, and I think that they are
currently in the ssh cvs tree. 

Mike Stone



Re: ssh + opie?

2003-08-14 Thread Greg Norris
On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
>   I have successfully configured sshd to allow opie logons, without
> disabling PrivSep, by configuring pam to use the libpam-opie
> module for ssh.
>   In this case the user gets the normal password prompt though, and no
> opie information to tell them what password they are up to.

Could you post the configuration details?  I've tried to do this a
couple of times, but wasn't successful unless I disabled privilege
separation.





Re: ssh + opie?

2003-08-14 Thread Bradley Alexander
Which opens up a whole 'nother can of security worms...Is anyone
maintaining opie or s/key? Or for that matter, can something like this
even be worked around?

On Thu, 7 Aug 2003 22:55:16 -0700
Mark Ferlatte <[EMAIL PROTECTED]> wrote:

> Bradley Alexander said on Fri, Aug 08, 2003 at 01:36:06AM -0400:
> > I tried to set this up again recently on another machine, and found
> > that privilege separation breaks this functionality. Does anyone know
> > of a workaround to provide similar functionality?
> 
> I think you have to turn off PrivSep to make this work.
> 
> M
> 


-- 
--Brad
=
Bradley M. Alexander|
gTLD SysAdmin, Security Engineer|   storm [at] tux.org
=
Key fingerprints:
DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
=
Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the Universe trying to
produce bigger and better idiots. So far, the Universe is winning.
--Rich Cook





Re: ssh + opie?

2003-08-10 Thread Geoff Crompton
On Fri, Aug 08, 2003 at 11:58:45AM -0500, Greg Norris wrote:
> On Fri, Aug 08, 2003 at 04:21:50PM +1000, Geoff Crompton wrote:
> >   I have successfully configured sshd to allow opie logons, without
> > disabling PrivSep, by configuring pam to use the libpam-opie
> > module for ssh.
> >   In this case the user gets the normal password prompt though, and no
> > opie information to tell them what password they are up to.
> 
> Could you post the configuration details?  I've tried to do this a
> couple of times, but wasn't successful unless I disabled privilege
> separation.

  No worries. In /etc/pam.d/ssh I have:
#%PAM-1.0
auth       required   pam_nologin.so
auth       required   pam_env.so # [1]
auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required   pam_deny.so

account    required   pam_unix.so

session    required   pam_unix.so
session    optional   pam_lastlog.so # [1]
session    optional   pam_motd.so # [1]
session    optional   pam_mail.so standard noenv # [1]
session    required   pam_limits.so

password   required   pam_unix.so


  It is very similar to the original /etc/pam.d/ssh. Note that using
this configuration does not change the logon prompt at all. So the user
has no clue that they can use an opie password, and no prompt for what
the seed or number they are up to is. They are simply prompted for a
password (assuming the ssh configuration allows that, and they haven't
used a key method for authentication). If they enter their normal
password it is accepted. If they enter the current opie password it is
accepted.

The sshd_config follows:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication yes
PAMAuthenticationViaKbdInt no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server

  The man page says that UsePrivilegeSeparation defaults to yes. So I
assume that it is enabled, and that this information might be useful.

  Cheers,
  Geoff


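Added example, not from Geoff's mail or from Linux-PAM itself: a small evaluator of libpam's control-flag rules, run over the auth lines of the /etc/pam.d/ssh stack posted above, showing why that stack accepts either the Unix password or the current OPIE response and rejects a login when neither matches. Module outcomes come from a constructed dict rather than from loading real modules, and only the simplified keyword controls (required/requisite/sufficient/optional) are modelled, not the full [value=action] syntax.

```python
from typing import Dict, List, Tuple

# The auth section of the posted /etc/pam.d/ssh, copied verbatim.
PAM_SSH_AUTH = """\
#%PAM-1.0
auth   required pam_nologin.so
auth   required pam_env.so # [1]
auth   sufficient pam_unix.so
auth   sufficient pam_opie.so
auth   required pam_deny.so
"""

def parse_auth_stack(text: str) -> List[Tuple[str, str]]:
    """Return [(control, module), ...] for the 'auth' lines; comments dropped."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2]))
    return stack

def run_auth_stack(stack: List[Tuple[str, str]], results: Dict[str, bool]) -> bool:
    """Walk the stack with libpam's simplified keyword rules. `results` maps a
    module to whether it succeeds for this attempt (constructed; pam_deny.so
    always fails, modules not listed are assumed to succeed)."""
    failed = False
    for control, module in stack:
        ok = results.get(module, module != "pam_deny.so")
        if control == "requisite" and not ok:
            return False      # requisite failure aborts the stack immediately
        if control == "required" and not ok:
            failed = True     # remembered, but the later modules still run
        elif control == "sufficient" and ok and not failed:
            return True       # success short-circuits the rest of the stack
        # 'optional' results and a failing 'sufficient' do not change the outcome
    return not failed

def ssh_login_outcomes() -> Dict[str, bool]:
    """The cases Geoff describes, plus /etc/nologin in effect (pam_nologin fails)."""
    stack = parse_auth_stack(PAM_SSH_AUTH)
    return {
        "unix password": run_auth_stack(stack, {"pam_unix.so": True, "pam_opie.so": False}),
        "opie response": run_auth_stack(stack, {"pam_unix.so": False, "pam_opie.so": True}),
        "wrong for both": run_auth_stack(stack, {"pam_unix.so": False, "pam_opie.so": False}),
        "nologin present": run_auth_stack(stack, {"pam_nologin.so": False, "pam_unix.so": True}),
    }

if __name__ == "__main__":
    print(ssh_login_outcomes())
```

Because pam_unix is listed first as sufficient, a correct Unix password never reaches pam_opie, which is also why the OPIE challenge is not shown in this setup.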


