From owner-freebsd-security@FreeBSD.ORG Tue Aug 16 04:32:10 2005 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8C95316A41F for ; Tue, 16 Aug 2005 04:32:10 +0000 (GMT) (envelope-from freebsd-security@auscert.org.au) Received: from titania.auscert.org.au (gw.auscert.org.au [203.5.112.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id F1CB143D53 for ; Tue, 16 Aug 2005 04:32:09 +0000 (GMT) (envelope-from freebsd-security@auscert.org.au) Received: from app.auscert.org.au (app [10.0.1.192]) by titania.auscert.org.au (8.12.10/8.12.10) with ESMTP id j7G4Vrco031985; Tue, 16 Aug 2005 14:31:53 +1000 (EST) Received: from app.auscert.org.au (localhost.auscert.org.au [127.0.0.1]) by app.auscert.org.au (8.13.1/8.13.1) with ESMTP id j7G4W0Lk019832; Tue, 16 Aug 2005 14:32:01 +1000 (EST) (envelope-from freebsd-security@auscert.org.au) Message-Id: <200508160432.j7G4W0Lk019832@app.auscert.org.au> To: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) from: freebsd-security@auscert.org.au In-Reply-To: Message from des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) of "Mon, 15 Aug 2005 14:14:12 +0200." <86wtmnqtwr.fsf@xps.des.no> Date: Tue, 16 Aug 2005 14:32:00 +1000 Cc: freebsd-security@freebsd.org, freebsd-security@auscert.org.au Subject: Re: recompile sshd with OPIE? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Aug 2005 04:32:10 -0000 > freebsd-security@auscert.org.au writes: > > Can this be achieved within the regular system build process, or must I > > roll my own? > > You need to change src/crypto/openssh/config.h so it says > > /* #undef PAM */ > #define SKEY 1 > #define OPIE 1 > > instead of > > #define PAM 1 > /* #undef SKEY */ > /* #undef OPIE */ > > then rebuild world. This may sound like a really silly question, but how do I enable it? After performing the changes above, I installed with: cd /usr/src/secure/usr.sbin/sshd make cleandir; make cleandir make obj && make depend && make all install There's no man[5] sshd_config entry, but through trial and error I identified an option that doesn't cause an error: SkeyAuthentication yes I couldn't get any permutation of OpieAuthentication/UseOPIE/... to work. However, attempts to connect to the running server with SkeyAuthentication enabled still gives: Permission denied (publickey). This is after creating an opiekey for the user (works for sudo, so is functional), and with these options enabled (+ defaults where not noted) in sshd_config: Port 22 Protocol 2 ListenAddress 10.0.0.1 LogLevel VERBOSE PermitRootLogin no StrictModes yes HostbasedAuthentication no IgnoreUserKnownHosts yes IgnoreRhosts yes ChallengeResponseAuthentication no SkeyAuthentication yes AllowTcpForwarding no X11Forwarding yes Banner /etc/issue Can you point me in the right direction please? thanks, -- Joel Hatton -- Security Analyst | Hotline: +61 7 3365 4417 AusCERT - Australia's national CERT | Fax: +61 7 3365 7031 The University of Queensland | WWW: www.auscert.org.au Qld 4072 Australia | Email: auscert@auscert.org.au