PAM/SSH/OPIE configuration without /etc/passwd

2006-04-20 Thread Gabriel O'Brien

Hi there,

I'm currently playing around with OPIE/PAM on 6.0-RELEASE-p7 and have 
managed to stump myself with what I thought would be a relatively simple 
setup...


My goal is to have SSH allow authorized_keys and OPIE authentication but 
deny all other forms of authentication.  Obviously I want authentication 
to be denied if the user has neither configured as well.


For the record OPIE is working for authenticating su, and I can use it 
as an option for sshd logins so I don't think my problem lies there.  I 
simply can't turn logins with /etc/passwd off and still use OPIE.


Initially I thought it would be as simple as making sure that my 
sshd_config file was configured to use PAM and then commenting out the 
pam_unix line in /etc/pam.d/sshd:


# auth
auth    required    pam_nologin.so      no_warn
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so   no_warn allow_local
#auth   sufficient  pam_krb5.so         no_warn try_first_pass
#auth   sufficient  pam_ssh.so          no_warn try_first_pass
#auth   required    pam_unix.so         no_warn try_first_pass


However after playing around for a bit I realized that this opened up 
the system to logins without any authentication if the user didn't have 
OPIE configured at all (and the docs warn about ending a chain without a 
required policy line).  So I tried replacing pam_unix with:


auth    required    pam_deny.so         no_warn

However for some reason even if OPIE is available it still fails to 
authenticate using PAM so I guess I misunderstood how sufficient works 
(at least with respect to pam_deny in a chain) since I would expect it 
to break out of the chain if pam_opie passes which it should if the 
account has an entry in /etc/opiekeys.  I've included my sshd_config 
below as well.


Port 22
Protocol 2
AllowGroups ssh-users
DenyGroups nologin
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
StrictModes yes
UseDNS yes
UsePrivilegeSeparation yes
X11Forwarding no
TCPKeepAlive yes
MaxAuthTries 3
MaxStartups 8:50:16
Compression delayed
Banner /etc/ssh/sshd-login-banner
Subsystem   sftp    /usr/libexec/sftp-server

I've read the docs here: 
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/pam/index.html


I thought I understood them, but I'm sure that there's just something 
simple that I'm missing and I can't find any examples of somebody else 
who has used this exact configuration anywhere. This is my first venture 
into the land of PAM so any help would be greatly appreciated!


cheers,
Gabe

--
Gabriel O'Brien
email: [EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
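To see why a chain with no trailing required line falls open for a user without an OPIE key, and why a required pam_deny at the end closes it while still letting a sufficient pam_opie grant first, here is an added Python simulation of the control-flag rules from the FreeBSD PAM article linked above (it is not code from this thread or from OpenPAM). Module outcomes are constructed stand-ins; in particular pam_opieaccess is assumed to succeed for a user with no /etc/opiekeys entry.

```python
# Control flags as the FreeBSD PAM article defines them for auth chains.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL, BINDING = (
    "required", "requisite", "sufficient", "optional", "binding")

def run_auth_chain(chain, results):
    """Walk an auth chain of (control, module) pairs.  `results` maps a
    module name to True (PAM_SUCCESS) or False (any error) and stands in
    for the real module return codes.  Returns (granted, trace)."""
    trace, required_failed = [], False
    for control, module in chain:
        ok = results.get(module, False)
        trace.append(f"{control} {module} {'ok' if ok else 'FAIL'}")
        if ok:
            # sufficient/binding success ends the chain, but only if no
            # earlier required module has already failed
            if control in (SUFFICIENT, BINDING) and not required_failed:
                trace.append(f"-> granted: {control} {module} succeeded")
                return True, trace
            continue
        if control == REQUISITE:
            trace.append(f"-> denied: requisite {module} failed")
            return False, trace
        if control in (REQUIRED, BINDING):
            required_failed = True  # remembered; the chain keeps running
        # failures of sufficient/optional modules are simply ignored
    # Falling off the end denies only if a required module failed, so a
    # chain whose required lines all pass grants even with no real auth.
    if required_failed:
        trace.append("-> denied: a required module failed earlier")
        return False, trace
    trace.append("-> granted: end of chain, no required module failed")
    return True, trace

# The poster's chain with pam_unix commented out, and the same chain closed
# with pam_deny.  Outcomes are constructed: a user with no /etc/opiekeys
# entry fails pam_opie; pam_opieaccess is assumed to pass such a user.
OPEN_CHAIN = [(REQUIRED, "pam_nologin.so"), (SUFFICIENT, "pam_opie.so"),
              (REQUISITE, "pam_opieaccess.so")]
CLOSED_CHAIN = OPEN_CHAIN + [(REQUIRED, "pam_deny.so")]
NO_OPIE_USER = {"pam_nologin.so": True, "pam_opie.so": False,
                "pam_opieaccess.so": True, "pam_deny.so": False}
OPIE_USER = {**NO_OPIE_USER, "pam_opie.so": True}

if __name__ == "__main__":
    for name, chain in (("open", OPEN_CHAIN), ("closed", CLOSED_CHAIN)):
        for who, res in (("no-OPIE", NO_OPIE_USER), ("OPIE", OPIE_USER)):
            granted, trace = run_auth_chain(chain, res)
            print(f"[{name} chain, {who} user] " + "; ".join(trace))
```

The open chain grants the no-OPIE user because nothing required ever failed; the closed chain denies that user at pam_deny but still grants the OPIE user at the sufficient pam_opie line.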


Re: PAM/SSH/OPIE configuration without /etc/passwd

2006-04-20 Thread Ian A. Tegebo
On Thu, Apr 20, 2006 at 09:01:52AM -0400, Gabriel O'Brien wrote:
 My goal is to have SSH allow authorized_keys and OPIE authentication but 
 deny all other forms of authentication.  Obviously I want authentication 
 to be denied if the user has neither configured as well.
 
 # auth
 auth    required    pam_nologin.so      no_warn
 auth    sufficient  pam_opie.so         no_warn no_fake_prompts
 auth    requisite   pam_opieaccess.so   no_warn allow_local
I'm looking at the last line there and the pam_opieaccess manpage:

---
 The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM
 module to ascertain that authentication can proceed by other means (such
 as the pam_unix(8) module) even if OPIE authentication failed.
---

It looks like that pam_opieaccess.so line might be allowing logins to
continue.

My thought would be that you should try this:
|# auth
|auth    required    pam_nologin.so  no_warn
|auth    sufficient  pam_opie.so     no_warn no_fake_prompts
|auth    required    pam_ssh.so      try_first_pass
|auth    required    pam_deny.so     no_warn

--
Ian Tegebo