[plug] security qn: auth from Windows clients to Linux server

Denis Brown dsbrown at cyllene.uwa.edu.au
Mon Aug 1 09:59:29 WST 2005


At 12:47 AM 1/08/2005, Russell Steicke wrote:
>On Sun, Jul 31, 2005 at 09:35:31PM +0800, dsbrown at cyllene.uwa.edu.au wrote:
> > OPIE looks promising but if I ssh into a machine as a user with wheel
> > membership and sudo, would I need to re-use the password or, more likely,
> > use a fresh one at each prompt?   I suspect the latter which may mean
> > needing a fairly long preprinted password list :-)   I'll have to read up
> > more on it though.   I **NEVER** log in as root and bar root logins for
> > ssh in any case.
>
>No, you can edit /etc/pam.d/ssh so that ssh uses the one-time
>passwords, and does not accept your unix password.  Nothing else will
>use your OTPs unless you edit its pam.d file, or edit
>/etc/pam.d/common-auth.
>
>So you can use the one time passwords for ssh only, and the unix
>password for everything else.  This won't stop keystroke loggers from
>capturing your unix password, but will stop someone else using that
>password to get to your machine via ssh.
>
>PS.  I just tried this with the debian libpam-opie, opie-client and
>opie-server packages and it works well.

Many thanks, Russell

Ahhh... the joys of playing in a sensitive-data sandpit :-)   I'll hunt up 
the Gentoo equivalents.

Denis
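
The following is an added example, not part of the thread: a small Python audit of a pam.d service file that checks the arrangement Russell describes, with ssh's auth stack offering OPIE and no longer reaching the unix password. The module name pam_opie.so, the sample file contents and the function names are assumptions made for illustration.

```python
import os
import re

# Constructed sample contents for /etc/pam.d/ssh (not taken from the thread).
OTP_ONLY = """\
# ssh: one-time passwords only
auth     required  pam_opie.so
account  required  pam_unix.so
session  required  pam_unix.so
"""
STILL_UNIX = """\
auth     sufficient  pam_opie.so
@include common-auth
account  required    pam_unix.so
"""

# type, control (plain word or [bracketed] form), module
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(text):
    """Return (control, module) for each auth-stack line, in file order.

    '@include X' and 'auth include X' are returned as ('include', 'X');
    the included file is not opened here.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        inc = re.match(r"@include\s+(\S+)", line)
        if inc:
            entries.append(("include", inc.group(1)))
            continue
        rule = RULE.match(line)
        if rule and rule.group(1) == "auth":
            entries.append((rule.group(2), os.path.basename(rule.group(3))))
    return entries

def audit(text):
    """Say whether OPIE is in the auth stack and what may still take the unix password."""
    stack = auth_modules(text)
    review = [mod for ctl, mod in stack
              if mod == "pam_unix.so" or ctl in ("include", "substack")]
    return {"otp": any(mod == "pam_opie.so" for _, mod in stack),
            "unix_password_possible": bool(review),
            "review": review}

if __name__ == "__main__":
    for name, text in (("OTP_ONLY", OTP_ONLY), ("STILL_UNIX", STILL_UNIX)):
        print(name, audit(text))
```

An entry listed under "review" because of an include still has to be read by hand, since the included file is not resolved.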





