Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 24 Oct 2004 10:18:39 -0500
From:      listmail <listmail@Bomgardner.net>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   sshd STILL not using one time passwords.
Message-ID:  <417BC7CF.3040206@Bomgardner.net>
next in thread | raw e-mail | index | archive | help 
Thanks to all who have patiently answered my previous questions.
I've got another one.

I'm using 5.2.1. My logs show attempts to break into my system via ssh, 
telnet, and ftp (I use strong passwords, thankfully, and no common user 
accounts like admin, guest, and so on) and so I'm trying to tighten 
security. I have run into a problem, however - I've set things up so 
only two accounts can connect via ssh (telnet disabled outside the local 
net) and I've started using opie. However, ssh will not recognize and 
use opie. Local telnet does, as does ftpd, but not sshd. The list 
archives has a thread that deals with the reverse problem (i.e. sshd 
prompting for challenge response and not using passwords), but that 
hasn't been any help here.
I've included sshd_config and /etc/pam.d/sshd. I've left out all 
commented out lines for brevity.

 From /etc/sshd_config:
-----------------------------------------

AuthorizedKeysFile      .ssh/authorized_keys  (Not sure how this got 
uncommented)
AllowGroups grp1
PasswordAuthentication no
ChallengeResponseAuthentication yes

Subsystem   sftp  /usr/libexec/sftp-server


...... All other items commented out
=========================================

 From /etc/pam.d/sshd:
--------------------------------------------------

# auth

auth        required    pam_nologin.so          no_warn
auth        sufficient  pam_opie.so       no_warn no_fake_prompts
auth        requisite   pam_opieaccess.so no_warn allow_local


# account
account           required    pam_login_access.so
account           required    pam_unix.so

# session
session           required    pam_permit.so

# password
#password   sufficient  pam_krb5.so       no_warn try_first_pass
#password   required    pam_unix.so       no_warn try_first_pass

=======================================

If I read the handbook on SSH and the paper on PAM correctly, this 
should be working.
Anyone have any idea why it might not be? What have I managed to screw 
up this time?

thanx
Gene

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?417BC7CF.3040206>