AW: Setting up Safeword auth with sshd

Debian-User office at thinktank.at
Thu Jun 3 12:01:13 UTC 2004 

Safeword seems to work perfect with ssh 3.4(.x). AFAIK the problems
started with ssh 3.6 (and later versions still don't work) - that's
probably one of the reasons why it is still in debian's "testing"
distribution ... (3.4 is the latest "stable" version)

The problem has been reported to securecomputing and I hope that they
work on a fix (since version 1.2 of the solaris-pam-module was released
recently, I have some hope that this could happen ...) - fixing every
new pam-package/upgrade doesn't seem to be an option for many of us!

if you try to make it work with ssh 3.4 it's quite simple (at least on a
debian system):

- make sure that you can access that machine even if ssh stops
working!!! (don't drop your current ssh-session until you are a 100%
sure that everything works as expected or login locally to test that you
don't need ssh - just in case anything goes wrong)
- copy "pam_safeword.so.1" to "/lib/security"
- edit /etc/pam.d/ssh to meet your needs
 for example (only the auth section is shown here!):
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
auth       sufficient   pam_unix.so
auth       required     pam_safeword.so.1 try_first_pass
#auth       required     pam_safeword.so.1

(with this configuration you can give a fixed password to certain users
and still use safeword for others)
If you want to use SAFEWORD ONLY then DISABLE the pam_unix.so and the
first pam_safeword.so.1 lines and ENABLE the last pam_safeword.so.1 line
- I don't know if it would work with only commenting out the pam_unix.so
line since I have no idea what happens with the pam-switch
"try_first_pass" when there is no pam_unix.so before ...

- copy "pam_safeword.cfg" to the "/etc" directory and edit it to meet
your needs
- make sure that the ssh-box and the Safeword-Server can communicate
without problems! (firewall rules!) 
- restart ssh (just to make sure ...)

HTH,
Alexander





> -----Ursprüngliche Nachricht-----
> Von: pam-list-bounces at redhat.com 
> [mailto:pam-list-bounces at redhat.com] Im Auftrag von Darren Tucker
> Gesendet: Donnerstag, 03. Juni 2004 03:08
> An: Pluggable Authentication Modules
> Betreff: Re: Setting up Safeword auth with sshd
> 
> 
> Henke Larsson wrote:
> > I'm kind of new to pam authentication and I would need some 
> help with 
> > setting up Safeword authentication with sshd.
> > 
> > Is it enough to edit the /etc/pam.d/sshd file or do I need 
> to change 
> > something else? /etc/init.d/system-auth?
> 
> If you're referring to SecureComputing pam_safeword.so then that is 
> reported to not work with OpenSSH's sshd:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107784259324428
> 
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
>      Good judgement comes with experience. Unfortunately, the 
> experience
> usually comes from bad judgement.
> 
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>

More information about the Pam-list mailing list