Forums » Assistance » Networking & Security
Secure Remote Access.

Having problems getting connected to the internet or running a server? Wondering about securing your box? Ask here.
38 posts
Yarrick
Bodhisattva
Posts: 304
Joined: Wed Jun 05, 2002 11:36 am
Location: Malmö, Sweden

Post by Yarrick » Sat Apr 17, 2004 2:17 pm

Same problem as tdb. ssh -v localhost gives:

Code:

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/yarrick/.ssh/identity
debug1: Offering public key: /home/yarrick/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/yarrick/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 
otp-md5 97 bout08946
S/Key Password: 
debug1: Authentications that can continue: publickey,keyboard-interactive
Password: 
otp-md5 97 bout08946
S/Key Password: 
That first password request is from PAM, I believe. This is the same password prompt as when logging in on a real console.

Edit: the normal ssh password prompt is "user@host's password:"
taviso
Retired Dev
Posts: 261
Joined: Tue Apr 15, 2003 3:18 pm
Location: United Kingdom

Post by taviso » Sat Apr 17, 2004 2:45 pm

Yarrick wrote: same problem as tdb.
I'll be honest, I don't remember how I configured sshd to change the order of authentication methods, so I'll post my sshd_config and maybe you can help me work it out! :)

Code:

Port 22
Protocol 2
ListenAddress 0.0.0.0
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UsePrivilegeSeparation yes
PermitUserEnvironment yes
Compression yes
UseDNS yes
UsePAM no
MaxStartups 5
Subsystem       sftp    /usr/lib/misc/sftp-server
And my USE flags:

Code:

$ etcat -u openssh
[ Colour Code : set unset ]
[ Legend   : (U) Col 1 - Current USE flags        ]
[          : (I) Col 2 - Installed With USE flags ]

 U I [ Found these USE variables in : net-misc/openssh-3.7.1_p2-r2 ]
 - - ipv6     : Adds support for IP version 6
 - - static   : !!do not set this during bootstrap!! Causes things to be statically linked instead of dynamically
 - - pam      : Adds support PAM (Pluggable Authentication Modules)
 - - tcpd     : Adds support for TCP wrappers
 - - kerberos : Adds kerberos support
 + + skey     : Enable S/Key (Single use password) authentication support
 - - selinux  : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - X509     : Adds support for X.509 certificate authentication
 - - chroot   : Enable chrooting support.
Hopefully we can figure this out :)
--------------------------------------
Gentoo on Alpha, is your penguin 64bit?
--------------------------------------------------------
Yarrick
Bodhisattva
Posts: 304
Joined: Wed Jun 05, 2002 11:36 am
Location: Malmö, Sweden

Post by Yarrick » Sat Apr 17, 2004 3:03 pm

PAM was the problem. Re-emerging openssh without pam gave me the skey prompt directly.
hashier
Tux's lil' helper
Posts: 80
Joined: Sat Jun 05, 2004 8:01 am
Location: Germany/Braunschweig

Post by hashier » Sat Jun 05, 2004 8:03 am

Hey,

If I put the following in /etc/ssh/ssh_config, would normal login still be available, even if compiled _without_ pam?

PreferredAuthentications "publickey,password,keyboard-interactive"


With this line:

hashier@blackbird hashier $ ssh localhost
hashier@localhost's password:


Without:

hashier@blackbird hashier $ ssh localhost
otp-md4 94 blac19836
S/Key Password:
gmtl3
Tux's lil' helper
Posts: 135
Joined: Sat Jan 03, 2004 5:08 am

Post by gmtl3 » Wed Jul 14, 2004 8:14 pm

I'm having the same problem as some of the other posters. It's asking for my password before/instead of my skey response. I'm assuming this is a PAM issue, not an ssh issue. I'm now trying to figure out how to tell PAM to only offer skey, not password, for ssh. I have an /etc/pam.d/sshd file, so I'm assuming it's just a matter of tweaking the settings for that file.

Any help would be appreciated.

Thanks,
beastmaster
Apprentice
Posts: 230
Joined: Mon May 24, 2004 1:58 am

Post by beastmaster » Wed Jul 14, 2004 9:17 pm

an excellent thread, definitely need a bump-up :D

I'm gonna try it soon :D
nevynxxx
Veteran
Posts: 1123
Joined: Wed Nov 12, 2003 1:34 pm
Location: Manchester - UK

Re: Secure Remote Access.

Post by nevynxxx » Wed Jul 14, 2004 9:42 pm

taviso wrote: Did you audit and compile that ssh client at work yourself? Are you sure the guys from IT haven't installed some key logging software, or tampered with your keyboard? You can't be certain someone isn't harvesting passwords before ssh even has a chance to do its stuff.
1) I am the IT staff at work :)
2) Yes, I did "audit" the ssh client; it's called PuTTY and has the correct md5 sum.
3) I keep my copy of PuTTY on a USB key, which I keep about my person, along with my USB key and a few other useful utils.
4) It uses public key authentication, not password, nope. That's entered into another prog, the auth agent, which yes, I did also verify.


@ the person who doesn't trust his admins because they have VNC installed on WinXP machines.

1) How large an area do they admin? Remote control is *very* useful if you cover a large area.
2) VNC is the best remote control system there is, and it's freeware. A good combination in anyone's book. If they have a few Unix workstations around (their own boxes?) then it's even better, as they can do their job without having to be in Windows.

Also, if you double click the VNC icon, you should be able to look at (please don't change :) ) the settings, like disable keyboard and stuff. The dodgy one is if they disable their keyboard and leave yours active: that means they are looking. If they disable yours, that means they are helping.
My Public Key

Wanted: Instructor in the art of Bowyery
gmtl3
Tux's lil' helper
Posts: 135
Joined: Sat Jan 03, 2004 5:08 am

Post by gmtl3 » Tue Jul 27, 2004 6:36 pm

Still digging on this. I noticed that FreeBSD has an /etc/skey.access file that enables you to control whether or not password is a valid option. Of course, the code that gentoo uses is an OpenBSD port and I don't see that feature.

It's driving me nuts that I can't turn on skey without also turning on password, and it's even more infuriating that it asks me for a password first. Ughh!
ulm
Developer
Posts: 98
Joined: Mon Oct 04, 2004 4:07 pm
Location: Mainz, Germany

Post by ulm » Mon Oct 04, 2004 4:34 pm

This topic is ages old, however I believe it is still useful if I reply to this.

The problem is that PAM is not properly switched off by the "UsePAM no" option in sshd_config. I have reported this as bug 65343.

However, as a workaround, the following works for me:
1. Unset the "pam" use flag for openssh (in /etc/portage/package.use).
2. In sshd_config, set "PasswordAuthentication no" and "ChallengeResponseAuthentication yes". (The "UsePAM" option should be commented out.)
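An added check for the two sshd_config points of this workaround (example code written for this thread, not OpenSSH's parser or anything from the posts). It reads the file the way sshd does, keeping the first value of a repeated keyword, and reports when password authentication is still effectively on, challenge-response is off, or UsePAM is still set. The posted sample is the authentication lines from taviso's sshd_config above; the "fixed" sample is a constructed version with ulm's changes applied. Whether openssh was built without the pam USE flag cannot be seen in the config file and has to be checked separately, as in the posts above.

```python
"""Added example, not OpenSSH's own parser: read sshd_config with sshd's
first-occurrence rule and check it against the S/Key workaround from this
thread. Match blocks are ignored; the OpenSSH 3.7 configs here predate them."""

# Defaults from sshd_config(5) for the two keywords the workaround sets.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def effective_settings(config_text: str) -> dict:
    """Map lowercased keyword -> value, keeping only the FIRST value seen,
    which is what sshd uses when a keyword is repeated. Blank lines and
    lines starting with '#' are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_skey_workaround(config_text: str) -> list:
    """Return findings; an empty list means the file matches the workaround
    (PasswordAuthentication no, ChallengeResponseAuthentication yes, UsePAM
    commented out). The pam USE flag is outside what a config file shows."""
    s = effective_settings(config_text)
    findings = []
    pw = s.get("passwordauthentication", DEFAULTS["passwordauthentication"])
    if pw.lower() != "no":
        findings.append(
            f"PasswordAuthentication is {pw} (sshd default is yes): the plain "
            "password prompt remains available next to S/Key")
    cr = s.get("challengeresponseauthentication",
               DEFAULTS["challengeresponseauthentication"])
    if cr.lower() != "yes":
        findings.append(
            f"ChallengeResponseAuthentication is {cr}: the S/Key "
            "keyboard-interactive prompt is disabled")
    if "usepam" in s:
        findings.append(
            f"UsePAM is set to {s['usepam']}; the workaround in this thread "
            "comments it out (see bug 65343)")
    return findings


# Authentication lines from taviso's posted sshd_config (from this thread).
POSTED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM no
"""

# Constructed version with ulm's workaround applied.
FIXED_CONFIG = """\
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication yes
#UsePAM no
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_skey_workaround(cfg) or ["ok"])
```

Run it against a copy of /etc/ssh/sshd_config by reading the file into `check_skey_workaround`; the first-occurrence rule matters because a "PasswordAuthentication no" appended at the end of a file that already says "yes" earlier changes nothing.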
gmtl3
Tux's lil' helper
Posts: 135
Joined: Sat Jan 03, 2004 5:08 am

Post by gmtl3 » Thu Oct 07, 2004 3:40 am

Thanks for the reply. I had not found a fix for this yet. While your note makes sense as a work around, I was hoping to find a solution that used PAM. I am baffled as to how the ssh PAM config allows Skey to be used through PAM at all, not to mention why it is a lower choice than password.

Oh well, thanks again.
jago25_98
Apprentice
Posts: 180
Joined: Fri Aug 23, 2002 6:41 pm

Post by jago25_98 » Sun Oct 10, 2004 1:15 pm

Got skey prompting on ssh login but,

skey doesn't seem to be accepting my password. It seems to be asking for an earlier numbered password in the list:

Code:

betty.net[~] $ skeyinit  -n 4  
Password: 
[Updating work]
Old key: [md5] bett30526
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet
or rlogin, exit with no password and use skeyinit -s.

Enter secret password: 
Again secret password: 

ID work skey is otp-md5 4 bett30527
Next login password: FRAU WEAR GAIT OLAF GONE DINE

betty.net[~] $ skey 4 bett30527
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password: 
FRAU WEAR GAIT OLAF GONE DINE
betty.net[~] $ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is e6:c3:6a:04:f0:78:03:a9:51:2b:9c:9c:f8:af:ee:3c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
otp-md5 3 bett30527
S/Key Password: 
otp-md5 3 bett30527
S/Key Password: 
otp-md5 3 bett30527
S/Key Password: 
Permission denied (publickey,keyboard-interactive).
betty.net[~] $ 
I've tried both typing and pasting the password. I've also tried removing the spaces.

Any ideas?
justanothergentoofanatic
Guru
Posts: 337
Joined: Sun Feb 29, 2004 2:14 am

Post by justanothergentoofanatic » Mon Nov 15, 2004 12:26 am

jago25_98 wrote:
betty.net[~] $ skey 4 bett30527
FRAU WEAR GAIT OLAF GONE DINE
Here you are generating OTP #4...
jago25_98 wrote:
S/Key Password:
otp-md5 3 bett30527
But it is asking for OTP #3. So, you need to do:

skey 3 bett30527

to get the correct password.
jago25_98 wrote: It seems to be asking for an earlier numbered password in the list:
It is asking for a later numbered password in the list (it counts down to 0). I don't understand why, but skey always seems to throw away the first OTP it generates. This might be a bug.

-Mike
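To show why the prompt in jago25_98's transcript asks for sequence 3 right after `skeyinit -n 4`, and why the count runs downward as Mike describes, here is an added model of the RFC 2289 otp-md5 scheme that S/Key implements. It is example code written for this thread, not the OpenBSD skey code Gentoo ships, and the seed, passphrase and counts are constructed. It keeps the 64-bit one-time password as bytes rather than the six-word form (the RFC's 2048-word dictionary is omitted), so the words in the posts are not reproduced. The point it demonstrates: the server stores OTP #N, a login must present OTP #(N-1), which the server hashes once and compares with what it stored, and on success the stored value steps down one sequence. Offering the OTP for the number you initialised with is therefore rejected, and so is replaying an OTP that already succeeded.

```python
"""Constructed model of the S/Key (RFC 2289 otp-md5) count-down for this
thread; not the skey/skeyinit code from the posts."""
import hashlib
import hmac


def fold_md5(data: bytes) -> bytes:
    """otp-md5 hash step from RFC 2289: MD5 the input, then fold the
    16-byte digest to 8 bytes by XORing its two halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(seed: str, passphrase: str, seq: int) -> bytes:
    """One-time password for sequence number `seq`: hash the lowercased
    seed plus the secret passphrase once, then re-hash the 8-byte result
    `seq` more times. OTP #n is the hash of OTP #(n-1): knowing #3 lets
    anyone derive #4, but #4 gives no way back to #3."""
    value = fold_md5(seed.lower().encode() + passphrase.encode())
    for _ in range(seq):
        value = fold_md5(value)
    return value


class SkeyServer:
    """Constructed model of the per-user record skeyinit writes: the
    sequence number, the seed and the OTP for that sequence number. The
    passphrase itself is never stored on the server."""

    def __init__(self, seed: str, passphrase: str, count: int):
        # skeyinit -n 4 stores OTP #4; the first login must offer OTP #3.
        self.seed = seed
        self.seq = count
        self.stored = otp(seed, passphrase, count)

    def challenge(self) -> str:
        # Same shape as the "otp-md5 3 bett30527" prompt in the thread.
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Hash the offered OTP once and compare with the stored value.
        On success the stored value steps down, so the same OTP cannot be
        replayed and the next challenge asks for one sequence lower."""
        if not hmac.compare_digest(fold_md5(candidate), self.stored):
            return False
        self.stored = candidate
        self.seq -= 1
        return True


def walkthrough() -> list:
    """Replays the situation from the posts with constructed values."""
    seed, secret = "bett30527", "constructed passphrase"
    server = SkeyServer(seed, secret, count=4)
    log = [server.challenge()]                        # otp-md5 3 bett30527
    log.append(server.verify(otp(seed, secret, 4)))   # False: #4 is stored, not asked for
    log.append(server.verify(otp(seed, secret, 3)))   # True
    log.append(server.challenge())                    # otp-md5 2 bett30527
    log.append(server.verify(otp(seed, secret, 3)))   # False: replay rejected
    return log


if __name__ == "__main__":
    for entry in walkthrough():
        print(entry)
```

The constant-time comparison and the step-down on success are the two properties a verifier must keep: the first avoids leaking the stored value byte by byte, the second is what makes each password single-use.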
justanothergentoofanatic
Guru
Posts: 337
Joined: Sun Feb 29, 2004 2:14 am

Post by justanothergentoofanatic » Mon Nov 15, 2004 12:48 am

gmtl3 wrote: Thanks for the reply. I had not found a fix for this yet. While your note makes sense as a work around, I was hoping to find a solution that used PAM.
Basically, PAM support in sshd is and has always been buggy.
gmtl3 wrote: I am baffled as to how the ssh PAM config allows Skey to be used through PAM at all, not to mention why it is a lower choice than password.
A wild (and probably incorrect) guess: when you don't enter a password, PAM returns authinfo_unavail. Sshd interprets this as a request for more login information, so it switches to its next available authentication system (skey) and prompts for a password.

-Mike
© 2001–2026 Gentoo Foundation, Inc.