OK, I got the otpw-snapshot from 2004-03-28 to work for ssh. See:
http://www.cl.cam.ac.uk/~mgk25/otpw.html
http://www.cl.cam.ac.uk/~mgk25/download/
1. On my FC4_X86_64, I had to compile with an extra cflag: -fPIC
(the easiest is probably just to change the Makefile to
CFLAGS=-O -ggdb -W -Wall -fPIC
even though a couple of objects do not need -fPIC)
The make runs to completion although there are some warnings.
2. I figured out how to distribute the files, by looking at the PLD
rpms, as previously posted. I actually built a shell script just to
practice with the install utility -- see attached (if you use it, be
sure to change /lib64 to /lib if appropriate)
3. man otpw-gen says to run otpw-gen | lpr, but I ran
otpw-gen >otpw.out
and printed it separately, since I'm just experimenting. The generator
program has several neat options worth checking out, BTW.
4. Per hints in the otpw.html, I edited /etc/pam.d/ssh and
inserted (I put it at beginning):
auth sufficient pam_otpw.so
and appended to the end:
session optional pam_otpw.so debug
Actually the html says to use "auth required .." -- I haven't gotten
around to trying that -- it didn't seem right if I wanted to be able to
use _either_ method (per Tracy's original scenario).
The session pam component doesn't seem to work:
"..the session component prints after each successful
login a reminder on how many unused passwords you have left"
seems like a useful enough feature. I might try some more debugging to
see if I can't figure out what's wrong.
5. Also per the otpw.html, edit /etc/sshd_config:
ensure the following settings
UsePAM yes
UsePrivilegeSeparation no
PAMAuthenticationViaKbdInt yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
Notes:
- I think UsePAM may not actually be required
- UsePrivilegeSeparation no seems to be giving up something useful, no?
I wonder if it is really required -- maybe I'll experiment.
- I added PasswordAuthentication no because of the following from man
sshd_config:
"Because PAM challenge-response authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or ChallengeResponseAuthentication"
- the otpw.html says
use "ssh -o PreferredAuthentications=keyboard-interactive"
but I think my placement of "auth sufficient pam_otpw.so" makes that
commandline option unnecessary. But, with my pam config, you have to
hit enter to skip past the otpw challenge if you wish to use the
standard password. If you do (skip the otpw), it does not consume
one. The prompt works as advertised, asking for a specific pw. Be
sure to read the docs to understand the prompt if/when it asks for 3
pws. Also don't forget that you have to enter the "prefix" first.
..jim
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
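As an added illustration (not part of Jim's post or the otpw package), here is a simplified Python model of how Linux-PAM evaluates auth-stack control flags. It shows why "auth sufficient pam_otpw.so" placed first lets a login succeed with either the one-time password or the normal password, while changing the flag to "required" makes both modules have to succeed. Using pam_unix.so as the stand-in for the distribution's normal password module is an assumption.

```python
# Added example, not from Jim's post: a simplified model of Linux-PAM
# auth-stack control flags, comparing "auth sufficient pam_otpw.so" placed
# first (the post) with "auth required pam_otpw.so" (as otpw.html is quoted).
# Assumption: pam_unix.so stands for the distribution's normal password module.
from typing import Dict, List, Tuple

SUCCESS, FAIL = "success", "fail"

def run_auth_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> str:
    """Evaluate an ordered auth stack of (control_flag, module) pairs;
    results maps each module to what it would return for this attempt.
    required:   failure is remembered, but later modules still run.
    requisite:  failure ends the stack immediately.
    sufficient: success ends the stack with success unless an earlier
                required module failed; its own failure is ignored.
    optional:   only decides the result if no other flag did.
    """
    required_failed = False
    decisive_seen = False
    optional_result = None
    for flag, module in stack:
        r = results.get(module, FAIL)
        if flag == "required":
            decisive_seen = True
            required_failed = required_failed or r == FAIL
        elif flag == "requisite":
            decisive_seen = True
            if r == FAIL:
                return FAIL
        elif flag == "sufficient":
            if r == SUCCESS and not required_failed:
                return SUCCESS  # every later auth module is skipped
        elif flag == "optional":
            optional_result = r
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return FAIL
    return SUCCESS if decisive_seen else (optional_result or FAIL)

# The post's stack (OTPW first, sufficient) and the same stack with required.
SUFFICIENT_STACK = [("sufficient", "pam_otpw.so"), ("required", "pam_unix.so")]
REQUIRED_STACK = [("required", "pam_otpw.so"), ("required", "pam_unix.so")]

def compare(otpw: str, unix: str) -> Dict[str, str]:
    """Outcome of both stacks when pam_otpw returns otpw and pam_unix returns unix."""
    results = {"pam_otpw.so": otpw, "pam_unix.so": unix}
    return {"sufficient": run_auth_stack(SUFFICIENT_STACK, results),
            "required": run_auth_stack(REQUIRED_STACK, results)}
```

Note that a successful "sufficient" module ends the auth stack, so any auth modules listed after pam_otpw.so never run on an OTPW login; that is the trade-off behind Jim's "either method" placement.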