From owner-freebsd-questions@FreeBSD.ORG Sun Oct 24 15:18:54 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3DA816A4CE for ; Sun, 24 Oct 2004 15:18:54 +0000 (GMT) Received: from brightstar.bomgardner.net (brightstar.bomgardner.net [209.240.79.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2322243D1F for ; Sun, 24 Oct 2004 15:18:54 +0000 (GMT) (envelope-from listmail@Bomgardner.net) Received: from [192.168.0.2] (morningstar [192.168.0.2]) i9OFIrGj011009 for ; Sun, 24 Oct 2004 10:18:54 -0500 (CDT) (envelope-from listmail@Bomgardner.net) Message-ID: <417BC7CF.3040206@Bomgardner.net> Date: Sun, 24 Oct 2004 10:18:39 -0500 From: listmail User-Agent: Mozilla Thunderbird 0.6 (Windows/20040502) X-Accept-Language: en-us, en MIME-Version: 1.0 To: "freebsd-questions@FreeBSD. ORG" Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: sshd STILL not using one time passwords. X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Oct 2004 15:18:54 -0000 Thanks to all who have patiently answered my previous questions. I've got another one. I'm using 5.2.1. My logs show attempts to break into my system via ssh, telnet, and ftp (I use strong passwords, thankfully, and no common user accounts like admin, guest, and so on) and so I'm trying to tighten security. I have run into a problem, however - I've set things up so only two accounts can connect via ssh (telnet disabled outside the local net) and I've started using opie. However, ssh will not recognize and use opie. Local telnet does, as does ftpd, but not sshd. The list archives has a thread that deals with the reverse problem (i.e. sshd prompting for challenge response and not using passwords), but that hasn't been any help here. I've included sshd_config and /etc/pam.d/sshd. I've left out all commented out lines for brevity. From /etc/sshd_config: ----------------------------------------- AuthorizedKeysFile .ssh/authorized_keys (Not sure how this got uncommented) AllowGroups grp1 PasswordAuthentication no ChallengeResponseAuthentication yes Subsystem sftp /usr/libexec/sftp-server ...... All other items commented out ========================================= From /etc/pam.d/sshd: -------------------------------------------------- # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local # account account required pam_login_access.so account required pam_unix.so # session session required pam_permit.so # password #password sufficient pam_krb5.so no_warn try_first_pass #password required pam_unix.so no_warn try_first_pass ======================================= If I read the handbook on SSH and the paper on PAM correctly, this should be working. Anyone have any idea why it might not be? What have I managed to screw up this time? thanx Gene