PAM/SSH/OPIE configuration without /etc/passwd

Ian A. Tegebo yontege at
Thu Apr 20 22:05:25 UTC 2006

On Thu, Apr 20, 2006 at 09:01:52AM -0400, Gabriel O'Brien wrote:
> My goal is to have SSH allow authorized_keys and OPIE authentication but 
> deny all other forms of authentication.  Obviously I want authentication 
> to be denied if the user has neither configured as well.
> # auth
> auth            required          no_warn
> auth            sufficient             no_warn no_fake_prompts
> auth            requisite       no_warn allow_local

I'm looking at the last line there and the pam_opieaccess manpage:

     The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM
     module to ascertain that authentication can proceed by other means (such
     as the pam_unix(8) module) even if OPIE authentication failed.

It looks like that line might be allowing logins to

My thought would be that you should try this:
|# auth
|auth  required          no_warn
|auth  sufficient             no_warn no_fake_prompts
|auth  required	       try_first_pass
|auth  required	       no_warn

Ian Tegebo

More information about the freebsd-questions mailing list