sinops n00b
Joined: 05 Jan 2004 Posts: 16
Posted: Sat Jul 01, 2006 7:51 am Post subject: opie, libpam-opie and openssh access howto
Introduction:
This howto assumes you are using ssh access with password-protected keys, but need to access a machine from an untrusted computer from time to time. You can disable ssh keys to make this setup very secure, but since my keys are stored on my laptop, which has everything on it encrypted, I'm willing to take the risk. I built opie using --enable-insecure-override so that I could do the setup while ssh'ed into my server. If you are at the console and can do everything at the console, you may not need this. I ssh into everything and don't have console access most of the time.
Grab:
opie
http://packages.debian.org/stable/admin/opie-client
http://ftp.debian.org/debian/pool/main/o/opie/opie_2.32.orig.tar.gz
http://ftp.debian.org/debian/pool/main/o/opie/opie_2.32-10.diff.gz
libpam-opie
http://packages.debian.org/unstable/libs/libpam-opie
http://ftp.debian.org/debian/pool/main/libp/libpam-opie/libpam-opie_0.21.orig.tar.gz
Go here using your Java-friendly phone and download the jfreesafe.jad file:
http://freesafe.sourceforge.net/
http://freesafe.sourceforge.net/jfreesafe.jad
Code: | tar xzvf libpam-opie_0.21.orig.tar.gz
cd libpam-opie-0.21
make && make install |
(Please note that the diff file is what actually allows you to build opie; without it, this opie version does not compile.)
Code: | tar xzvf opie_2.32.orig.tar.gz
gunzip opie_2.32-10.diff.gz
patch -p0 < opie_2.32-10.diff
cd opie-2.32
./configure --enable-insecure-override
make && make install |
Edit /etc/ssh/sshd_config and make sure these are set:
Code: | ChallengeResponseAuthentication yes
UsePAM yes
|
Add to the top of /etc/pam.d/sshd
Code: | auth sufficient pam_opie.so
auth required pam_unix.so |
As root add a user to the authentication mechanism:
Code: | cd /usr/local/bin
./opiepasswd username |
The program will spit out a command line to run: otp-md5 sequence_number seed. Run the produced command (with -f if you aren't on the console), supplying whatever password you want. The result will be saved to /etc/opiekeys.
ssh in from a computer that does not have an ssh key on the target machine and you should see:
otp-md5 sequence_number seed ext
Response:
Enter your password, sequence_number and seed into the Java app (exclude "ext"). You will get an all-uppercase, multi-word response. Enter that into the ssh prompt. You should now be logged into your machine.
Thanks to erike for the guidance to get this working. (Debian has everything, but I like Gentoo)
Additional information:
http://www.ubuntuforums.org/showthread.php?t=197350
Last edited by sinops on Mon Jul 03, 2006 7:52 pm; edited 1 time in total |
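How the response to the "otp-md5 sequence_number seed" challenge is derived, and why a response captured on an untrusted computer cannot be reused, shown as an added example that is not part of the original post or of OPIE's code. It follows the RFC 2289 MD5 scheme and uses the hexadecimal form of the response instead of the six-word form (the word dictionary is left out); KeyEntry, demo and the sample passphrase and seed are constructed for illustration.

```python
import hashlib
import hmac

def _fold(digest: bytes) -> bytes:
    """RFC 2289 MD5 folding: XOR the two 8-byte halves into 64 bits."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def _step(block: bytes) -> bytes:
    """One link of the hash chain: MD5, then fold to 8 bytes."""
    return _fold(hashlib.md5(block).digest())

def otp_md5(passphrase: str, seed: str, sequence: int) -> bytes:
    """What the calculator computes for 'otp-md5 <sequence> <seed>'."""
    # The seed is case-insensitive and is prepended to the passphrase.
    value = _step(seed.lower().encode() + passphrase.encode())
    for _ in range(sequence):
        value = _step(value)
    return value

class KeyEntry:
    """Constructed stand-in for one user's server-side record.
    It is not the real /etc/opiekeys file format."""
    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    def challenge(self) -> str:
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # Hashing the response once more must reproduce the stored value.
        if self.sequence < 1:
            return False  # chain exhausted, the user has to re-enrol
        if not hmac.compare_digest(_step(response), self.last_otp):
            return False
        self.last_otp = response  # accepted response becomes the reference
        self.sequence -= 1        # so the same response is rejected next time
        return True

def demo() -> list:
    secret, seed = "constructed passphrase", "ge1234"  # constructed sample values
    entry = KeyEntry(seed, 499, otp_md5(secret, seed, 499))  # enrolment
    first = otp_md5(secret, seed, 498)
    return [entry.challenge(), entry.verify(first), entry.verify(first),
            entry.challenge(), entry.verify(otp_md5(secret, seed, 497))]

if __name__ == "__main__":
    print(demo())
```

The server never stores the passphrase, only the last accepted value, and each login moves one step down the chain, so the sequence number in the challenge decreases until the user has to run opiepasswd again.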
chwilk n00b
Joined: 02 Mar 2005 Posts: 8 Location: Houston, TX
Posted: Sat Jul 01, 2006 8:16 pm Post subject: amd64 workaround
While compiling libpam-opie, I got some 64-bit errors, which suggested recompiling with -fPIC.
Checking the root level Makefile revealed that -fPIC was already in the CFLAGS, but the one in libpam-opie-0.21/libopie did not include -fPIC.
Adding -fPIC to the CFLAGS in libpam-opie-0.21/libopie/Makefile, then running
Code: | make clean; make install |
fixes the problem.