Date:      Thu, 20 Apr 2006 15:05:23 -0700
From:      "Ian A. Tegebo" <yontege@rescomp.berkeley.edu>
To:        Gabriel O'Brien <go@quay.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PAM/SSH/OPIE configuration without /etc/passwd
Message-ID:  <20060420220523.GH21507@rescomp.berkeley.edu>
In-Reply-To: <44478640.8090307@quay.net>
References:  <44478640.8090307@quay.net>

On Thu, Apr 20, 2006 at 09:01:52AM -0400, Gabriel O'Brien wrote:
> My goal is to have SSH allow authorized_keys and OPIE authentication but 
> deny all other forms of authentication.  Obviously I want authentication 
> to be denied if the user has neither configured as well.
> 
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
I'm looking at the last line there and the pam_opieaccess manpage:

---
     The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM
     module to ascertain that authentication can proceed by other means (such
     as the pam_unix(8) module) even if OPIE authentication failed.
---

It looks like that pam_opieaccess.so line might be allowing logins to
continue.

My thought would be that you should try this:
|# auth
|auth  required        pam_nologin.so          no_warn
|auth  sufficient      pam_opie.so             no_warn no_fake_prompts
|auth  required        pam_ssh.so              try_first_pass
|auth  required        pam_deny.so             no_warn

--
Ian Tegebo
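Added example, not part of the thread above: a small simulator of the classic PAM control-flag semantics (required, requisite, sufficient, optional), useful for reasoning about how an auth stack behaves before it is deployed. It parses the three lines Gabriel quoted and the four lines Ian proposed and runs both against constructed per-module outcomes. The outcome table is an assumption made for illustration; real pam_opieaccess(8) behaviour also depends on allow_local and the client address, which this toy does not model, and Gabriel's full file may have had further lines after the three that were quoted.

```python
"""Toy PAM auth-stack evaluator (added example, not FreeBSD's PAM code).

Module outcomes are constructed for illustration; real modules consult
the user's OPIE key, opieaccess(5) rules, the client address, etc.
"""

from typing import Dict, List, Tuple

Stack = List[Tuple[str, str, List[str]]]  # (control, module, options)

# The three lines as quoted in the thread.
QUOTED_STACK = """
# auth
auth            required        pam_nologin.so          no_warn
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
"""

# The stack Ian proposed (his leading '|' quoting kept).
PROPOSED_STACK = """
|# auth
|auth  required        pam_nologin.so          no_warn
|auth  sufficient      pam_opie.so             no_warn no_fake_prompts
|auth  required        pam_ssh.so              try_first_pass
|auth  required        pam_deny.so             no_warn
"""


def parse_stack(text: str) -> Stack:
    """Parse pam.conf-style 'auth <control> <module> [options...]' lines."""
    stack: Stack = []
    for raw in text.splitlines():
        line = raw.lstrip("|").strip()  # tolerate the '|' quoting style
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            raise ValueError(f"unexpected line: {raw!r}")
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def run_stack(stack: Stack, outcomes: Dict[str, bool]) -> bool:
    """Evaluate a stack given each module's result (True = success).

    Classic semantics: 'required' records a failure but keeps going (so the
    user cannot tell which module failed); 'requisite' fails immediately;
    'sufficient' succeeds immediately unless a required module already
    failed; 'optional' never affects the result.  A module absent from the
    outcome table is treated as failing, which is what pam_deny always does.
    """
    required_failed = False
    for control, module, _opts in stack:
        ok = outcomes.get(module, False)
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control == "optional":
            continue
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed


# Constructed scenarios (assumed module results, not observed behaviour).
SCENARIOS: Dict[str, Dict[str, bool]] = {
    # OPIE user supplies a correct one-time password.
    "opie_user_correct_otp": {
        "pam_nologin.so": True, "pam_opie.so": True, "pam_opieaccess.so": True},
    # Account with no OPIE key: pam_opie fails, pam_opieaccess allows
    # authentication to proceed by other means, nothing else presented.
    "no_opie_key_no_other_cred": {
        "pam_nologin.so": True, "pam_opie.so": False, "pam_opieaccess.so": True},
    # Account with no OPIE key whose pam_ssh passphrase check succeeds.
    "no_opie_key_pam_ssh_ok": {
        "pam_nologin.so": True, "pam_opie.so": False,
        "pam_opieaccess.so": True, "pam_ssh.so": True},
}


def compare(scenario: str) -> Tuple[bool, bool]:
    """Return (quoted-stack result, proposed-stack result) for a scenario."""
    outcomes = SCENARIOS[scenario]
    return (run_stack(parse_stack(QUOTED_STACK), outcomes),
            run_stack(parse_stack(PROPOSED_STACK), outcomes))


if __name__ == "__main__":
    for name in SCENARIOS:
        quoted, proposed = compare(name)
        print(f"{name:28s} quoted={quoted!s:5s} proposed={proposed!s:5s}")
```

Running it shows the point Ian makes about the quoted lines: with nothing after the requisite pam_opieaccess entry, a non-OPIE user reaches the end of the stack with no required failure recorded, so the stack succeeds. It also makes the semantics of the trailing `required pam_deny.so` visible: because pam_deny always fails, the proposed stack can only succeed by returning early from the `sufficient pam_opie.so` line, so the outcome of pam_ssh never changes the result.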


