Date:      Tue, 16 Aug 2005 14:32:00 +1000
From:      freebsd-security@auscert.org.au
To:        des@des.no (Dag-Erling Smørgrav)
Cc:        freebsd-security@freebsd.org, freebsd-security@auscert.org.au
Subject:   Re: recompile sshd with OPIE? 
Message-ID:  <200508160432.j7G4W0Lk019832@app.auscert.org.au>
In-Reply-To: Message from des@des.no (Dag-Erling Smørgrav) of "Mon, 15 Aug 2005 14:14:12 +0200." <86wtmnqtwr.fsf@xps.des.no>

> freebsd-security@auscert.org.au writes:
> > Can this be achieved within the regular system build process, or must I
> > roll my own?
> 
> You need to change src/crypto/openssh/config.h so it says
> 
> /* #undef PAM */
> #define SKEY 1
> #define OPIE 1
> 
> instead of
> 
> #define PAM 1
> /* #undef SKEY */
> /* #undef OPIE */
> 
> then rebuild world.

This may sound like a really silly question, but how do I enable it? 

After performing the changes above, I installed with:

cd /usr/src/secure/usr.sbin/sshd
make cleandir; make cleandir
make obj && make depend && make all install

There's no man[5] sshd_config entry, but through trial and error I
identified an option that doesn't cause an error: SkeyAuthentication yes

I couldn't get any permutation of OpieAuthentication/UseOPIE/... to work.

However, attempts to connect to the running server with SkeyAuthentication
enabled still give:

	Permission denied (publickey).

This is after creating an opiekey for the user (works for sudo, so is
functional), and with these options enabled (+ defaults where not noted)
in sshd_config:

Port 22
Protocol 2
ListenAddress 10.0.0.1
LogLevel VERBOSE
PermitRootLogin no
StrictModes yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
ChallengeResponseAuthentication no
SkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding yes
Banner /etc/issue

Can you point me in the right direction please?


thanks,
-- Joel Hatton --
Security Analyst                    | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax:     +61 7 3365 7031
The University of Queensland        | WWW:     www.auscert.org.au
Qld 4072 Australia                  | Email:   auscert@auscert.org.au
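A small checker for the sshd_config fragment quoted above, added here as an example and not code from the thread or from OpenSSH. It assumes the parsing rules of OpenSSH's servconf.c of that era: keywords are matched case-insensitively, the first value given for a keyword wins, and SkeyAuthentication is an alias for ChallengeResponseAuthentication, so a later `SkeyAuthentication yes` cannot override an earlier `ChallengeResponseAuthentication no`.

```python
# Effective-value checker for sshd_config, modelled on OpenSSH servconf.c:
# case-insensitive keywords, first value for a keyword wins, and
# SkeyAuthentication treated as an alias of ChallengeResponseAuthentication.
# (Assumption: mirrors the servconf.c keyword table of the OpenSSH 3.x/4.x era.)
ALIASES = {"skeyauthentication": "challengeresponseauthentication"}

# Constructed sample: the relevant lines of the config quoted in the thread.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
ChallengeResponseAuthentication no
SkeyAuthentication yes
AllowTcpForwarding no
"""

def _entries(text):
    """Yield (line_no, canonical_key, value) for every option line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)  # 'Key value' or 'Key=value'
        if len(parts) == 2:
            key = parts[0].lower()
            yield n, ALIASES.get(key, key), parts[1].strip()

def effective_options(text):
    """Map canonical keyword -> (value, line_no), keeping the FIRST occurrence."""
    opts = {}
    for n, key, value in _entries(text):
        opts.setdefault(key, (value, n))
    return opts

def shadowed_settings(text):
    """List (line_no, keyword, ignored_value, winning_line_no) for repeats."""
    first, shadowed = {}, []
    for n, key, value in _entries(text):
        if key in first:
            shadowed.append((n, key, value, first[key]))
        else:
            first[key] = n
    return shadowed

def challenge_response_enabled(text):
    """True if the effective ChallengeResponseAuthentication is yes (the default)."""
    value, _ = effective_options(text).get(
        "challengeresponseauthentication", ("yes", 0))
    return value.lower() == "yes"

if __name__ == "__main__":
    for n, key, value, winner in shadowed_settings(SAMPLE_CONFIG):
        print(f"line {n}: {key} {value} is ignored; line {winner} wins")
    print("challenge-response enabled:", challenge_response_enabled(SAMPLE_CONFIG))
```

Run against the quoted config it reports that the SkeyAuthentication line is shadowed and challenge-response stays off, which is consistent with the server offering only publickey.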