PAM/SSH/OPIE configuration without /etc/passwd
Ian A. Tegebo
yontege at rescomp.berkeley.edu
Thu Apr 20 22:05:25 UTC 2006
On Thu, Apr 20, 2006 at 09:01:52AM -0400, Gabriel O'Brien wrote:
> My goal is to have SSH allow authorized_keys and OPIE authentication but
> deny all other forms of authentication. Obviously I want authentication
> to be denied if the user has neither configured as well.
>
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
I'm looking at the last line there and the pam_opieaccess manpage:
---
The pam_opieaccess module is used in conjunction with the pam_opie(8) PAM
module to ascertain that authentication can proceed by other means (such
as the pam_unix(8) module) even if OPIE authentication failed.
---
It looks like that pam_opieaccess.so line might be allowing logins to
continue.
My thought would be that you should try this:
|# auth
|auth required pam_nologin.so no_warn
|auth sufficient pam_opie.so no_warn no_fake_prompts
|auth required pam_ssh.so try_first_pass
|auth required pam_deny.so no_warn
--
Ian Tegebo
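As an added, worked example (mine; not from either poster, and not a stock FreeBSD file): a complete auth section for /etc/pam.d/sshd in which only pam_opie can grant access, paired with the sshd_config settings needed to get the behaviour asked for in the original question. It relies on two facts about OpenSSH: public-key authentication against authorized_keys is decided by sshd itself and never enters PAM's auth chain (with UsePAM the account and session stacks still run for such logins), and the PAM auth chain is reached only for password and keyboard-interactive (challenge/response) logins. So the PAM side only has to make sure nothing but pam_opie can succeed, and the sshd side has to turn off plain password authentication. The module names and options are the real FreeBSD ones; the layout and the comments are my own, and pam_ssh is left out on the assumption that the keys in question live in authorized_keys rather than in the user's own ~/.ssh identity files.

```conf
# /etc/pam.d/sshd  (auth section only; keep the stock account/session/password lines)
#
# The chain is read top to bottom.  The only path that ends in success runs
# through pam_opie; every other path ends in pam_deny.
#
# auth
auth    required    pam_nologin.so   no_warn                  # refuses everyone but root while /var/run/nologin exists
auth    sufficient  pam_opie.so      no_warn no_fake_prompts  # OPIE one-time password; "sufficient": success ends the chain, granted
auth    required    pam_deny.so      no_warn                  # reached only when pam_opie did not succeed; always fails
#
# Deliberately absent:
#   pam_opieaccess.so - only decides whether a later module (normally pam_unix) may
#                       authenticate the user when OPIE failed; with pam_deny as the only
#                       later module it has nothing to permit.
#   pam_unix.so       - would accept the ordinary /etc/master.passwd password.
#
# no_fake_prompts: a user with no OPIE key is shown no challenge, pam_opie does not
# succeed for that user, and the chain falls through to pam_deny.

# /etc/ssh/sshd_config  (relevant lines only)
UsePAM yes                           # run the PAM chain above for keyboard-interactive logins
PubkeyAuthentication yes             # authorized_keys: decided by sshd, never reaches the PAM auth chain
ChallengeResponseAuthentication yes  # keyboard-interactive: the path on which pam_opie issues its challenge
PasswordAuthentication no            # no plain-password path at all, PAM or otherwise
PermitEmptyPasswords no
```

Check it from a second session before closing the one you edited from: a user with an OPIE key should see the otp-md5 challenge, a user without one should be refused with no prompt, and a plain password should never be asked for on any account.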
More information about the freebsd-questions mailing list