AW: Setting up Safeword auth with sshd
Debian-User
office at thinktank.at
Thu Jun 3 12:01:13 UTC 2004
Safeword seems to work perfectly with ssh 3.4(.x). AFAIK the problems
started with ssh 3.6 (and later versions still don't work) - that's
probably one of the reasons why it is still in Debian's "testing"
distribution ... (3.4 is the latest "stable" version)

The problem has been reported to securecomputing and I hope that they
work on a fix (since version 1.2 of the Solaris-pam-module was released
recently, I have some hope that this could happen ...) - fixing every
new pam-package/upgrade doesn't seem to be an option for many of us!

If you try to make it work with ssh 3.4 it's quite simple (at least on a
Debian system):

- make sure that you can access that machine even if ssh stops
working!!! (don't drop your current ssh-session until you are 100%
sure that everything works as expected or log in locally to test that you
don't need ssh - just in case anything goes wrong)
- copy "pam_safeword.so.1" to "/lib/security"
- edit /etc/pam.d/ssh to meet your needs
  for example (only the auth section is shown here!):

    #%PAM-1.0
    auth required pam_nologin.so
    auth required pam_env.so # [1]
    auth sufficient pam_unix.so
    auth required pam_safeword.so.1 try_first_pass
    #auth required pam_safeword.so.1

  (with this configuration you can give a fixed password to certain users
  and still use safeword for others)

If you want to use SAFEWORD ONLY then DISABLE the pam_unix.so and the
first pam_safeword.so.1 lines and ENABLE the last pam_safeword.so.1 line
- I don't know if it would work with only commenting out the pam_unix.so
line since I have no idea what happens with the pam-switch
"try_first_pass" when there is no pam_unix.so before ...
- copy "pam_safeword.cfg" to the "/etc" directory and edit it to meet
your needs
- make sure that the ssh-box and the Safeword-Server can communicate
without problems! (firewall rules!)
- restart ssh (just to make sure ...)
HTH,
Alexander
> -----Original Message-----
> From: pam-list-bounces at redhat.com
> [mailto:pam-list-bounces at redhat.com] On Behalf Of Darren Tucker
> Sent: Thursday, 03 June 2004 03:08
> To: Pluggable Authentication Modules
> Subject: Re: Setting up Safeword auth with sshd
>
>
> Henke Larsson wrote:
> > I'm kind of new to pam authentication and I would need some help with
> > setting up Safeword authentication with sshd.
> >
> > Is it enough to edit the /etc/pam.d/sshd file or do I need to change
> > something else? /etc/init.d/system-auth?
>
> If you're referring to SecureComputing pam_safeword.so then that is
> reported to not work with OpenSSH's sshd:
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107784259324428
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
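
Added example (not part of the original message, and not SecureComputing or Linux-PAM code): a simplified Python model of the classic PAM control flags, run over the auth stack posted above and over its "Safeword only" variant, to show which modules are actually consulted in each case. Module results are constructed inputs, and the model leaves "optional" and bracketed control syntax out of the decision.

```python
# Added example: simplified model of Linux-PAM's classic control flags.
# No real PAM module is called; module results are constructed inputs.

SSH_AUTH = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so # [1]
auth sufficient pam_unix.so
auth required pam_safeword.so.1 try_first_pass
#auth required pam_safeword.so.1
"""

# The "Safeword only" variant from the message: pam_unix.so and the first
# pam_safeword.so.1 line disabled, the last pam_safeword.so.1 line enabled.
SAFEWORD_ONLY = """\
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so # [1]
#auth sufficient pam_unix.so
#auth required pam_safeword.so.1 try_first_pass
auth required pam_safeword.so.1
"""

def parse_auth(text):
    """Return (control, module) for every active auth line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(text, results):
    """results: module -> True (success), False (failure), None (ignore).
    Returns (granted, modules consulted in order)."""
    failed, passed, consulted = False, False, []
    for control, module in parse_auth(text):
        consulted.append(module)
        result = results.get(module)
        if result is None:
            continue                      # PAM_IGNORE-style result
        if control == "sufficient":
            if result and not failed:
                return True, consulted    # stack stops here
        elif control in ("required", "requisite"):
            passed, failed = passed or result, failed or not result
            if control == "requisite" and not result:
                return False, consulted
        # "optional" is left out of the decision in this simplified model
    return passed and not failed, consulted
```

In the mixed stack, a success from the `sufficient` pam_unix.so line ends evaluation before pam_safeword.so.1 is consulted, so any account with a valid fixed password authenticates without the token; the "Safeword only" variant removes that path.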