That's not paranoid, it's good sense. Rather, being paranoid is good
sense. Anyway...
There's rumored to be some docs already on using SecurID one-time
challenges with SSH, so I know it's possible. Have you checked the FAQ for
that?
If you want to use something more homegrown: Depending on your UNIX, the
file /etc/profile or /etc/csh.cshrc or something like that is run on all
logins before the user's own .profile, .cshrc, etc. See the man page for
login for more info. So yes, you should be able to add something to that
script and have it execute for everybody.
As for enforcing safe passwords, you can build the passwd program with
libcrack so that it will enforce strong passwords. If you work for an ISP
like I do, this isn't usually an option because normal people demand
easy-to-remember passwords...
--
Gregor Mosheh
[EMAIL PROTECTED]
Systems Admin, Humboldt Internet
707.825.4638
On Fri, 10 Dec 1999, Dorian Moore wrote:
> Hi all,
>
> This isn't directly SSH related - except for the fact that I can't see
> any way of throwing back a different login prompt to different SSH
> clients, but it may be something someone here has come across before,
> and I've been running searches for days without any response so here goes...
>
> Is it safe to put a secondary authorisation system (i.e. cryptocard or
> S/KEY challenge) into a script which is executed after login via ssh?
> I'm concerned about my users not choosing safe passwords (no matter how
> often I tell them to, or force changes, use cracklib etc.), and because
> it is an SSH based system with users connecting from various platforms
> it's not possible to instigate one as part of the initial login
> procedure.
>
> What I propose is that the user connect using their client of choice
> (Primarily Macintosh based, may be Windows, may be Linux/***BSD or
> several others...) and then is prompted by a script which runs the
> secondary authorisation with the one-time challenge.
>
> Obviously I'd need to stop people from changing the default shell somehow.
>
> Has anyone done this, or anything similar? Or can they point me anywhere?
>
> Or am I being incredibly paranoid?
>
> Thanks in advance for your suggestions.
>
> d.
>
> --
> Techie wanted, apply within : http://www.kleber.net/job.html
>
> Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
> by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
> You really shouldn't listen to anything he says... as it may just be an opinion
>
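An added example (not from either poster's message) of the /etc/profile hook discussed in this thread, for Bourne-style login shells. The verifier path `/usr/local/sbin/otp-verify`, the `OTP_VERIFY` and `OTP_TRIES` variables and the function name are assumptions; the verifier is presumed to run the one-time challenge itself and exit 0 on success.

```shell
# Fragment for /etc/profile (Bourne-style shells only).
# Assigned unconditionally so values inherited from the client's
# environment cannot redirect or disable the check.
OTP_VERIFY=/usr/local/sbin/otp-verify   # hypothetical verifier program
OTP_TRIES=3

second_factor_gate() {
    # Ignore keyboard signals so Ctrl-C, Ctrl-\ and Ctrl-Z cannot abort
    # the hook and leave the user at a prompt with the check skipped.
    # Ignored signals are inherited by the verifier as well.
    trap '' INT QUIT TSTP

    # Fail closed: a missing or non-executable verifier denies the login.
    [ -x "$OTP_VERIFY" ] || return 1

    # Take the account name from the kernel's view of the process,
    # not from $LOGNAME or $USER, which the client may influence.
    user=$(id -un 2>/dev/null || id -u)

    tries=0
    while [ "$tries" -lt "$OTP_TRIES" ]; do
        if "$OTP_VERIFY" "$user"; then
            trap - INT QUIT TSTP      # restore normal signal handling
            return 0
        fi
        tries=$((tries + 1))
    done

    # Record the failure where the auth logs are collected, if possible.
    command -v logger >/dev/null 2>&1 &&
        logger -p auth.warning -t second-factor \
            "second factor failed for $user after $OTP_TRIES tries" || :
    echo "Second authentication step failed." >&2
    return 1
}

# Only gate interactive shells; a failed check ends the login shell.
case $- in
    *i*) second_factor_gate || exit 1 ;;
esac
```

A profile hook like this covers interactive login shells only: csh-family shells read /etc/csh.cshrc instead, and sessions that never start a login shell (a remote command, scp, sftp) do not read /etc/profile at all, so those have to be restricted in the sshd configuration.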