Date: Thu, 20 Apr 2006 09:01:52 -0400
From: Gabriel O'Brien <go@quay.net>
To: freebsd-questions@freebsd.org
Subject: PAM/SSH/OPIE configuration without /etc/passwd
Message-ID: <44478640.8090307@quay.net>
Hi there,

I'm currently playing around with OPIE/PAM on 6.0-RELEASE-p7 and have managed to stump myself with what I thought would be a relatively simple setup... My goal is to have SSH allow authorized_keys and OPIE authentication but deny all other forms of authentication. Obviously I want authentication to be denied if the user has neither configured as well.

For the record, OPIE is working for authenticating su, and I can use it as an option for sshd logins, so I don't think my problem lies there. I simply can't turn logins with /etc/passwd off and still use OPIE.

Initially I thought it would be as simple as making sure that my sshd_config file was configured to use PAM and then commenting out the pam_unix line in /etc/pam.d/sshd:

# auth
auth		required	pam_nologin.so		no_warn
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
#auth		required	pam_unix.so		no_warn try_first_pass

However, after playing around for a bit I realized that this opened up the system to logins without any authentication if the user didn't have OPIE configured at all (and the docs warn about ending a chain without a "required" policy line). So I tried replacing pam_unix with:

auth		required	pam_deny.so		no_warn

However, for some reason even if OPIE is available it still fails to authenticate using PAM, so I guess I misunderstood how sufficient works (at least with respect to pam_deny in a chain), since I would expect it to break out of the chain if pam_opie passes, which it should if the account has an entry in /etc/opiekeys.

I've included my sshd_config below as well.
Port 22
Protocol 2
AllowGroups ssh-users
DenyGroups nologin
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
StrictModes yes
UseDNS yes
UsePrivilegeSeparation yes
X11Forwarding no
TCPKeepAlive yes
MaxAuthTries 3
MaxStartups 8:50:16
Compression delayed
Banner /etc/ssh/sshd-login-banner
Subsystem sftp /usr/libexec/sftp-server

I've read the docs here: http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html

I thought I understood them, but I'm sure that there's just something simple that I'm missing, and I can't find any examples of somebody else who has used this exact configuration anywhere. This is my first venture in the land of PAM, so any help would be greatly appreciated!

cheers,
Gabe

--
Gabriel O'Brien
email: go@quay.net
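As an added example (not part of the original post and not FreeBSD's own code): a small Python model of the standard PAM control flags (required, requisite, sufficient) walked over the auth chain from the post, so a reader can trace which combinations of module outcomes let a login through and which close the hole the poster describes. The per-module results are constructed scenarios, not the real behaviour of pam_opie or pam_opieaccess on a given system.

```python
# Added example: simulate PAM control-flag semantics (OpenPAM/Linux-PAM style)
# over the /etc/pam.d/sshd auth chain from the post. Module outcomes are
# constructed inputs; they are NOT measured from real modules.

SUCCESS, FAIL = "success", "fail"

# The chain from the post with pam_unix commented out and pam_deny appended.
CHAIN_WITH_DENY = [
    ("required",   "pam_nologin.so"),
    ("sufficient", "pam_opie.so"),
    ("requisite",  "pam_opieaccess.so"),
    ("required",   "pam_deny.so"),
]
# The poster's first attempt: the same chain without the trailing pam_deny.
CHAIN_NO_DENY = CHAIN_WITH_DENY[:-1]


def run_chain(chain, results):
    """Return (authenticated, trace) for one constructed set of module results.

    results maps module name -> SUCCESS/FAIL; a module not listed is FAIL
    (pam_deny always fails, so it never needs an entry).
    Semantics modelled:
      required   - failure is remembered, the chain keeps going
      requisite  - failure ends the chain immediately with failure
      sufficient - success ends the chain with success unless an earlier
                   required module already failed; its own failure is ignored
    """
    required_failed = False
    trace = []
    for control, module in chain:
        result = results.get(module, FAIL)
        trace.append(f"{control:10} {module:18} -> {result}")
        if control == "required" and result == FAIL:
            required_failed = True
        elif control == "requisite" and result == FAIL:
            trace.append("requisite failed: chain ends, auth denied")
            return False, trace
        elif control == "sufficient" and result == SUCCESS and not required_failed:
            trace.append("sufficient succeeded: chain ends, auth granted")
            return True, trace
    verdict = "granted" if not required_failed else "denied"
    trace.append(f"end of chain: auth {verdict}")
    return not required_failed, trace


# Constructed scenarios: a user with a valid OPIE response, and a user with
# no OPIE entry at all (pam_opie fails, pam_opieaccess lets them through).
USER_WITH_OPIE = {"pam_nologin.so": SUCCESS, "pam_opie.so": SUCCESS}
USER_WITHOUT_OPIE = {"pam_nologin.so": SUCCESS, "pam_opie.so": FAIL,
                     "pam_opieaccess.so": SUCCESS}

if __name__ == "__main__":
    for name, chain in (("no pam_deny", CHAIN_NO_DENY), ("with pam_deny", CHAIN_WITH_DENY)):
        for label, res in (("with OPIE", USER_WITH_OPIE), ("without OPIE", USER_WITHOUT_OPIE)):
            ok, trace = run_chain(chain, res)
            print(f"[{name} / user {label}] -> {'GRANTED' if ok else 'DENIED'}")
            print("  " + "\n  ".join(trace))
```

Under these flag semantics the chain without pam_deny grants the user who has no OPIE entry (the hole the post describes), while appending pam_deny denies that user but still grants a successful pam_opie result, because sufficient ends the chain before pam_deny is reached.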