From owner-freebsd-security Fri Nov 30 22: 3:58 2001
Message-ID: <15368.29384.520956.692867@horsey.gshapiro.net>
Date: Fri, 30 Nov 2001 22:03:52 -0800
From: Gregory Neil Shapiro
To: "H. Wade Minter"
Cc: "f.johan.beisser"
Subject: Re: OPIE and ssh
In-Reply-To: <20011130220948.T36907-100000@bunning.skiltech.com>
References: <15367.51556.94034.892901@horsey.gshapiro.net> <20011130220948.T36907-100000@bunning.skiltech.com>

minter> Is there anything else that needs to be done?  I've been interested in
minter> playing around with S/Key or OPIE, but when I tried those steps, I still
minter> get a normal password prompt when I SSH in:

minter> bash-2.04$ slogin kenbridge
minter> minter@kenbridge's password:

No, that's all I recall doing.
Just to clarify my steps:

These are done on the server (where you are ssh'ing to):

>> cd /etc
>> rm skeykeys
>> ln -s opiekeys skeykeys
>> keyinit gshapiro

These are done on the client (where you are ssh'ing from):

>> My ~/.ssh/config contains (among other things):
>>
>> # Defaults
>> Host *
>> StrictHostKeyChecking yes

Also, newer versions of the ssh client let you specify the order of the
mechanisms:

     PreferredAuthentications
             Specifies the order in which the client should try protocol 2
             authentication methods.  This allows a client to prefer one
             method (e.g. keyboard-interactive) over another method (e.g.
             password) The default for this option is:
             ``publickey, password, keyboard-interactive''

keyboard-interactive is the S/Key method.  You may want to change your
order to publickey,keyboard-interactive,password.
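
Added example, not part of the original message: a small Python check that reads ssh_config text and reports, for a given host, whether keyboard-interactive (the S/Key/OPIE prompt) is tried before password, falling back to the default order quoted above. The sample config, the function names, and the restriction to plain `Host` blocks (no `Match` or `Include`) are assumptions of this example.

```python
import fnmatch

# Default order as quoted in the message above (assumed when nothing is set).
DEFAULT_ORDER = ["publickey", "password", "keyboard-interactive"]

# Constructed sample ~/.ssh/config; the host name is the one from the thread.
SAMPLE_CONFIG = """\
# Defaults
Host *
    StrictHostKeyChecking yes

Host kenbridge
    PreferredAuthentications publickey,keyboard-interactive,password
"""

def host_matches(patterns, host):
    """Host line semantics: a positive pattern must match and no negated one may."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def preferred_order(config_text, host):
    """First matching block that sets the option wins (ssh keeps the first value)."""
    active = True  # options before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == "preferredauthentications":
            return [m.strip() for m in value.split(",") if m.strip()]
    return list(DEFAULT_ORDER)

def otp_before_password(order):
    """True if keyboard-interactive is offered and comes before password."""
    if "keyboard-interactive" not in order:
        return False
    return "password" not in order or order.index("keyboard-interactive") < order.index("password")
```

Because the first value obtained wins, a `PreferredAuthentications` line under an early `Host *` block overrides any later per-host setting, so per-host overrides belong above the defaults.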