[plug] security qn: auth from Windows clients to Linux server
Russell Steicke
r.steicke at bom.gov.au
Mon Aug 1 00:47:31 WST 2005
On Sun, Jul 31, 2005 at 09:35:31PM +0800, dsbrown at cyllene.uwa.edu.au wrote:
> OPIE looks promising but if I ssh into a machine as a user with wheel
> membership and sudo, would I need to re-use the password or, more likely,
> use a fresh one at each prompt? I suspect the latter which may mean
> needing a fairly long preprinted password list :-) I'll have to read up
> more on it though. I **NEVER** log in as root and bar root logins for
> ssh in any case.
No, you can edit /etc/pam.d/ssh so that ssh uses the one-time
passwords, and does not accept your unix password. Nothing else will
use your OTPs unless you edit its pam.d file, or edit
/etc/pam.d/common-auth.
So you can use the one time passwords for ssh only, and the unix
password for everything else. This won't stop keystroke loggers from
capturing your unix password, but will stop someone else using that
password to get to your machine via ssh.
PS. I just tried this with the debian libpam-opie, opie-client and
opie-server packages and it works well.
--
Russell Steicke
-- Fortune says:
<_Anarchy_> Argh.. who's handing out the paper bags 8)
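
The following check is an added example, not part of the original post or of any package it mentions. It walks a service's PAM auth stack (following @include) to confirm that ssh accepts only one-time passwords while other services still use the unix password. The file contents are constructed, and the module name pam_opie.so and the helper names are assumptions.

```python
import os

# Constructed pam.d contents (assumptions, not copied from a real system).
BEFORE = {
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "ssh": "@include common-auth\naccount required pam_unix.so\n",
    "login": "@include common-auth\n",
}
# After the edit described above: ssh no longer pulls in common-auth.
AFTER = dict(BEFORE, ssh=(
    "# @include common-auth   (disabled: no unix password over ssh)\n"
    "auth sufficient pam_opie.so\n"
    "auth required   pam_deny.so\n"
    "account required pam_unix.so\n"
))

def auth_modules(name, files, ancestors=frozenset()):
    """List the modules in a service's auth stack, following includes."""
    if name in ancestors:                      # guard against include loops
        return []
    mods = []
    for raw in files.get(name, "").splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == "@include":
            mods += auth_modules(fields[1], files, ancestors | {name})
            continue
        if fields[0].lstrip("-") != "auth":    # only the auth stack matters
            continue
        rest = line.split(None, 1)[1]
        if rest.startswith("["):               # [success=1 default=ignore]
            control, _, rest = rest.partition("]")
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], parts[1] if len(parts) > 1 else ""
        target = rest.split()
        if not target:
            continue
        if control in ("include", "substack"):
            mods += auth_modules(target[0], files, ancestors | {name})
        else:
            mods.append(os.path.basename(target[0]))
    return mods

def audit(service, files):
    """Return (accepts_unix_password, accepts_otp) for a service."""
    mods = auth_modules(service, files)
    return ("pam_unix.so" in mods, "pam_opie.so" in mods)
```

On a real host, load each file under /etc/pam.d into the dictionary and run audit() for every service to see which ones would still accept a captured unix password.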