PAM/SSH/OPIE configuration without /etc/passwd
Gabriel O'Brien
go at quay.net
Thu Apr 20 13:01:58 UTC 2006
Hi there,
I'm currently playing around with OPIE/PAM on 6.0-RELEASE-p7 and have
managed to stump myself with what I thought would be a relatively simple
setup...
My goal is to have SSH allow authorized_keys and OPIE authentication but
deny all other forms of authentication. Obviously I want authentication
to be denied if the user has neither configured as well.
For the record OPIE is working for authenticating su, and I can use it
as an option for sshd logins so I don't think my problem lies there. I
simply can't turn logins with /etc/passwd off and still use OPIE.
Initially I thought it would be as simple as making sure that my
sshd_config file was configured to use PAM and then commenting out the
pam_unix line in /etc/pam.d/sshd:
# auth
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
#auth required pam_unix.so no_warn try_first_pass
However, after playing around for a bit I realized that this opened up
the system to logins without any authentication if the user didn't have
OPIE configured at all (and the docs warn about ending a chain without a
"required" policy line). So I tried replacing pam_unix with:
auth required pam_deny.so no_warn
However, for some reason, even if OPIE is available it still fails to
authenticate using PAM, so I guess I misunderstood how sufficient works
(at least with respect to pam_deny in a chain), since I would expect it
to break out of the chain if pam_opie passes, which it should if the
account has an entry in /etc/opiekeys. I've included my sshd_config
below as well.
Port 22
Protocol 2
AllowGroups ssh-users
DenyGroups nologin
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
StrictModes yes
UseDNS yes
UsePrivilegeSeparation yes
X11Forwarding no
TCPKeepAlive yes
MaxAuthTries 3
MaxStartups 8:50:16
Compression delayed
Banner /etc/ssh/sshd-login-banner
Subsystem sftp /usr/libexec/sftp-server
I've read the docs here:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html
I thought I understood them, but I'm sure that there's just something
simple that I'm missing, and I can't find any examples of somebody else
who has used this exact configuration anywhere. This is my first venture
into the land of PAM, so any help would be greatly appreciated!
cheers,
Gabe
--
Gabriel O'Brien
email: go at quay.net
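The following is an added example, not part of the original post: a small Python model of the OpenPAM control-flag rules (required, requisite, sufficient, binding, optional) described in the FreeBSD PAM article linked above, run over the two auth chains from the post. The module return codes in each scenario are modelling assumptions, not measured behaviour: pam_opie with no_fake_prompts is taken to fail outright for a user with no entry in /etc/opiekeys, and pam_opieaccess is taken to succeed for such a user and to fail for an OPIE user connecting from a host not permitted by /etc/opieaccess. Under those assumptions the chain without pam_unix and without a trailing required module returns PAM_SUCCESS for a user who has no OPIE key at all, which is the open door the post describes; with pam_deny appended, a successful "sufficient" pam_opie ends the chain before pam_deny is ever consulted, so the chain rules by themselves do not predict the failure the post reports.

```python
# Model of OpenPAM control-flag dispatch for an "auth" chain, following the
# rules in the FreeBSD PAM article. Added example; not from the original post.
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"
PAM_IGNORE = "PAM_IGNORE"

# (control flag, module name) for each active line of a pam.d file
Chain = List[Tuple[str, str]]
# module name -> return code that module is assumed to produce
Scenario = Dict[str, str]


def parse_chain(pam_text: str, facility: str = "auth") -> Chain:
    """Extract (flag, module) pairs for one facility from pam.d-style text.
    Lines starting with '#' are skipped, so a commented-out pam_unix line
    drops pam_unix from the chain exactly as it does in the real file."""
    chain: Chain = []
    for line in pam_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != facility:
            continue
        chain.append((fields[1], fields[2]))
    return chain


def dispatch(chain: Chain, scenario: Scenario) -> Tuple[str, List[str]]:
    """Walk the chain and return (final code, trace of each step).
      required   failure is recorded, the chain continues, the result is failure
      requisite  failure ends the chain immediately with that failure
      sufficient success ends the chain with PAM_SUCCESS unless an earlier
                 required/binding module already failed; failure is ignored
      binding    success ends the chain like sufficient; failure like required
      optional   result ignored (an all-optional chain is not modelled here)
    """
    trace: List[str] = []
    first_failure = None
    for flag, module in chain:
        r = scenario.get(module, PAM_AUTH_ERR)   # unmodelled module: fails
        trace.append(f"{flag:<10} {module:<18} -> {r}")
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            if flag in ("sufficient", "binding") and first_failure is None:
                trace.append("  sufficient module succeeded: chain ends")
                return PAM_SUCCESS, trace
            continue
        if flag == "requisite":
            trace.append("  requisite module failed: chain ends")
            return r, trace
        if flag in ("required", "binding") and first_failure is None:
            first_failure = r
    return (first_failure if first_failure is not None else PAM_SUCCESS), trace


# Constructed copy of the post's first chain (line wraps removed).
CHAIN_NO_UNIX = parse_chain("""
auth required pam_nologin.so no_warn
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth required pam_unix.so no_warn try_first_pass
""")
# The post's second attempt: pam_deny as the trailing required module.
CHAIN_WITH_DENY = CHAIN_NO_UNIX + [("required", "pam_deny.so")]

# Assumed module behaviour for three kinds of login attempt (assumptions, not
# measured results; see the lead-in text above).
SCENARIOS: Dict[str, Scenario] = {
    "opie user, correct response": {
        "pam_nologin.so": PAM_SUCCESS, "pam_opie.so": PAM_SUCCESS,
        "pam_opieaccess.so": PAM_SUCCESS, "pam_deny.so": PAM_PERM_DENIED},
    "opie user, wrong response": {
        "pam_nologin.so": PAM_SUCCESS, "pam_opie.so": PAM_AUTH_ERR,
        "pam_opieaccess.so": PAM_AUTH_ERR, "pam_deny.so": PAM_PERM_DENIED},
    "user without OPIE": {
        "pam_nologin.so": PAM_SUCCESS, "pam_opie.so": PAM_AUTH_ERR,
        "pam_opieaccess.so": PAM_SUCCESS, "pam_deny.so": PAM_PERM_DENIED},
}


def outcome(chain: Chain, scenario_name: str) -> str:
    """Final PAM code for a named scenario against a chain."""
    return dispatch(chain, SCENARIOS[scenario_name])[0]


if __name__ == "__main__":
    for label, chain in (("without pam_unix", CHAIN_NO_UNIX),
                         ("with pam_deny", CHAIN_WITH_DENY)):
        for scen in SCENARIOS:
            code, trace = dispatch(chain, SCENARIOS[scen])
            print(f"[{label}] {scen}: {code}")
            for step in trace:
                print("   ", step)
```

The trace printed for "user without OPIE" against the first chain is the case to look at: pam_opie's failure is ignored because it is only "sufficient", pam_opieaccess succeeds, and the chain runs off the end with no recorded failure, which is why a trailing "required" module is needed. The model covers the control flags only; it says nothing about what sshd does with the keyboard-interactive conversation, which is outside these rules.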