[plug] security qn: auth from Windows clients to Linux server
Denis Brown
dsbrown at cyllene.uwa.edu.au
Mon Aug 1 09:59:29 WST 2005
At 12:47 AM 1/08/2005, Russell Steicke wrote:
>On Sun, Jul 31, 2005 at 09:35:31PM +0800, dsbrown at cyllene.uwa.edu.au wrote:
> > OPIE looks promising but if I ssh into a machine as a user with wheel
> > membership and sudo, would I need to re-use the password or, more likely,
> > use a fresh one at each prompt? I suspect the latter which may mean
> > needing a fairly long preprinted password list :-) I'll have to read up
> > more on it though. I **NEVER** log in as root and bar root logins for
> > ssh in any case.
>
>No, you can edit /etc/pam.d/ssh so that ssh uses the one-time
>passwords, and does not accept your unix password. Nothing else will
>use your OTPs unless you edit its pam.d file, or edit
>/etc/pam.d/common-auth.
>
>So you can use the one time passwords for ssh only, and the unix
>password for everything else. This won't stop keystroke loggers from
>capturing your unix password, but will stop someone else using that
>password to get to your machine via ssh.
>
>PS. I just tried this with the Debian libpam-opie, opie-client and
>opie-server packages and it works well.
Many thanks, Russell
Ahhh... the joys of playing in a sensitive-data sandpit :-) I'll hunt up
the Gentoo equivalents.
Denis
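
Added example, not part of the original thread: a small checker for the per-service split Russell describes, resolving each service's PAM auth stack (following `@include` and `auth include` lines) to confirm that ssh no longer reaches the unix password while other services still do. The file contents are constructed samples, and `pam_opie.so` is assumed to be the module name installed by libpam-opie.

```python
import re

# Constructed sample /etc/pam.d contents (assumption, not from the thread).
SAMPLE = {
    "common-auth": "auth required pam_unix.so nullok_secure\n",
    "ssh": (
        "# @include common-auth\n"          # disabled: no unix password for ssh
        "auth required pam_opie.so\n"       # assumed module name from libpam-opie
        "account required pam_unix.so\n"    # account checks are not authentication
    ),
    "sudo": "@include common-auth\n",
    "login": "auth include common-auth\n",  # include form used on some distros
}

# type, then control (simple word or [bracketed list]), then module path
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(service, files, path=()):
    """List the auth modules a service can run, following includes."""
    if service in path or service not in files:   # include cycle or missing file
        return []
    modules = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) > 1:
                modules += auth_modules(parts[1], files, path + (service,))
            continue
        m = AUTH_LINE.match(line)
        if not m:
            continue
        control, module = m.groups()
        if control in ("include", "substack"):
            modules += auth_modules(module, files, path + (service,))
        else:
            modules.append(module.rsplit("/", 1)[-1])
    return modules

def accepts_unix_password(service, files):
    # Conservative: flags pam_unix anywhere in the auth stack and does not
    # simulate control flags such as "sufficient" or "requisite".
    return "pam_unix.so" in auth_modules(service, files)

if __name__ == "__main__":
    for svc in ("ssh", "sudo", "login"):
        print(svc, auth_modules(svc, SAMPLE), accepts_unix_password(svc, SAMPLE))
```

On a real host the dictionary would be filled by reading the files under /etc/pam.d; sshd must also be set to use PAM challenge-response rather than its own password authentication for the OTP prompt to be the only way in.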