# Secure Remote Access.

## taviso

Okay, how often do you ssh into your machines from work or school?

What about using ssh from public internet access points at libraries or cafés?

Most people realise that using telnet isn't a great idea when trying to connect two untrusted machines over an insecure network, so they use ssh to protect the communication channel between the two hosts, but what about the communication channel between user and host?

Did you audit and compile that ssh client at work yourself? Are you sure the guys from IT haven't installed some key logging software, or tampered with your keyboard? You can't be certain someone isn't harvesting passwords before ssh even has a chance to do its stuff.

There is a solution to this: OTP (one time password) authentication. The idea with OTP authentication is this: when you are using a trusted communication channel (sitting at your own machine, or logged in over ssh from a secure system) you generate yourself a list of single use passwords, for use when you are using an untrusted machine. Once you have used an OTP, it is immediately void; it can never be used again, and if someone were to steal it, it would be completely useless.

If you were to login using someone's trojaned ssh client, OTP can help minimise the damage; although someone may still be able to see your session (probably not that much use), they will not be able to compromise your account.

As far as I am aware, Gentoo is the only Linux distribution that officially supports S/Key authentication, which is utilised by some of the BSDs. Here is a brief introduction to using S/Key OTP authentication on Gentoo:

First, you must install openssh with S/Key support by setting the skey USE flag (please use the version from ~x86 if possible; I'd like to get some updates marked stable and would appreciate any testing!)

```
# emerge -pv openssh

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-misc/openssh-3.7.1_p2-r1  -ipv6 -static -pam -tcpd -kerberos +skey -selinux -X509
```

Now add your user to the S/Key system:

```
$ skeyinit
Password:
[Adding taviso]
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID taviso skey is otp-md4 99 inso77154
Next login password: RAP MEMO DOOR MAYO NILE TO
```

skeyinit displays your first S/Key password, but if you're going away for a few days, you might need a few more passwords to print out and take with you (remember, you need one per login).

This is how to generate 5 passwords; you can get the challenge to generate your S/Keys using the skeyinfo program.

```
$ skeyinfo
Your next otp-md4 98 inso77154
$ skey -n5 98 inso77154
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
 94: SEAR BARE IFFY OUTS LACE OHIO
 95: GATE SOY TOW YES BULB JIVE
 96: ANY JURY ERIC HARK LINE CAME
 97: REAR HEWN SHIN YARN DINT GREW
 98: BRAD PEA AMRA EDNA NAIL LION
```

Logging in using S/Key is simple; here's an example session:

```
$ ssh insomniac
otp-md4 98 inso77154
S/Key Password:
Last login: Wed Nov  5 21:07:06 2003 from amnesiac
```

The challenge is asking for password number 98; no other password will work. As soon as I've entered password 98 and it has been accepted, it will never be requested again and will no longer be useful.

S/Key is a cool way of using ssh from insecure or untrusted machines; if that's something you do regularly, give it a try  :Smile:

You can let us know about any problems via https://bugs.gentoo.org/

Most ssh clients, including putty, openssh and ssh.com, support S/Key passwords.

----------

## dma

I take it that I should use the ~x86 version of app-admin/skey (skey-1.1.5-r1) as well?  The changelog makes it look like a good idea...

This will be helpful... I don't trust our lab admins at all (they run VNC servers on our WinXP boxes for instance...).

EDIT: Not working at all here.  sshd is linked to libskey, but I can't get it to do anything skey-related.

I'd probably have to see the entries in /etc/ssh/sshd_config and ~/.ssh/config.

----------

## taviso

*dma wrote:*

> EDIT: Not working at all here.  sshd is linked to libskey, but I can't get it to do anything skey-related.
> 
> I'd probably have to see the entries in /etc/ssh/sshd_config and ~/.ssh/config.

Do you have the pam USE flag set?

Does it work if you add

```
UsePAM yes
```

to your /etc/ssh/sshd_config?

----------

## bryon

This is probably a stupid question, but I looked through /usr/portage/profiles/use.desc and did not see a skey USE flag.

What if I am connecting from a trusted machine? Can I use my regular password, or am I only allowed to use a skey one?

----------

## taviso

*bryon wrote:*

> This is probably a stupid question, but I looked through /usr/portage/profiles/use.desc and did not see a skey USE flag.

It's a local USE flag, take a look in /usr/portage/profiles/use.local.desc

```
$ grep skey /usr/portage/profiles/use.local.desc
net-misc/openssh:skey - Enable S/Key (Single use password)authentication support
```

*bryon wrote:*

> What if I am connecting from a trusted machine? Can I use my regular password, or am I only allowed to use a skey one?

Yep, you can set up as many authentication mechanisms as you like. For example, the default ssh behaviour is to cycle through `hostbased,publickey,keyboard-interactive,password` until one works; you can configure this to use a different order, not to use some, or to use them all. Take a look at the PreferredAuthentications option in the ssh_config man page.

btw, S/Key passwords count as a keyboard-interactive (challenge response) authentication system.

----------

## Senso

*taviso wrote:*

> *dma wrote:*   EDIT: Not working at all here.  sshd is linked to libskey, but I can't get it to do anything skey-related.
> 
> I'd probably have to see the entries in /etc/ssh/sshd_config and ~/.ssh/config.
> 
> Do you have the pam USE flag set?
> ...

I've got UsePAM yes; everything works nicely, but I can't seem to figure out how to make skey work with sshd.

----------

## bryon

I have added skey to the /etc/make.conf USE settings, and then I recompiled openssh and then installed skey.

But for some reason it does not ask me for the skey; how do I tell it to ask for my skey?

----------

## sschlueter

*taviso wrote:*

> If you were to login using someone's trojaned ssh client, OTP can help minimise the damage; although someone may still be able to see your session (probably not that much use), they will not be able to compromise your account.

I think you are spreading a false sense of security here. When the ssh client is trojaned, it can not only watch the session but also insert custom commands. The user's account can easily be compromised this way.

----------

## funkmankey

hrm, is it possible to make sshd use one form of auth for WAN (e.g. skey) and one for LAN (e.g. RSA pubkey)?

...or would it be necessary to bind a separate instance of sshd to each particular IF?

----------

## bryon

I do not see how binding openssh to ethX would help at all, since they would be reading from the same password. From looking at the sshd config it does not look like you can bind an instance of sshd to ethX, but you could bind it to only listen to a certain ip. But then you would have to figure out how to make each of them read from a different passwd file.

I am also still looking for an answer to my previous question.  

The question was: I have emerged skey, then I put the skey USE flag into /etc/make.conf. Then I remerged openssh. But I still only get the prompt for the regular password. What do I have to do to make it ask for my skey password?

----------

## taviso

*bryon wrote:*

> I have emerged skey, then I put the skey USE flag into /etc/make.conf. Then I remerged openssh. But I still only get the prompt for the regular password. What do I have to do to make it ask for my skey password?

Do you have the pam USE flag set? If you do, enable pam in your /etc/ssh/sshd_config, as in the post above.

If you haven't, have you set up skey logins for the user you're trying to login as? (i.e., skeyinit)

Try logging in with `ssh -v`; do you get a line like

```
debug1: Authentications that can continue: publickey,password,keyboard-interactive
```

For example, here's the output from mine when I remove my ssh-key from my ssh-agent:

```
$ ssh -v phobiac
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /home/taviso/.ssh/config
debug1: Applying options for *
debug1: Applying options for phobiac
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to phobiac [192.168.0.3] port 22.
debug1: Connection established.
debug1: identity file /home/taviso/.ssh/id_rsa type -1
debug1: identity file /home/taviso/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2
debug1: match: OpenSSH_3.7.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client blowfish-cbc hmac-md5 zlib
debug1: kex: client->server blowfish-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'phobiac' is known and matches the RSA host key.
debug1: Found key in /home/taviso/.ssh/known_hosts:14
debug1: ssh_rsa_verify: signature correct
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/taviso/.ssh/id_rsa
debug1: Offering public key: /home/taviso/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/home/taviso/.ssh/id_dsa':
debug1: Next authentication method: keyboard-interactive
otp-md4 48 phob99910
S/Key Password:
```

----------

## m33sb3w

Hmm...I have a question and I can't seem to find any documentation for skey that answers it...

When you first type skeyinit as a normal user it asks for a password.  What password is that?  I've tried the password for my normal user account, the root password, leaving it blank.  Nothing works.  It just tells me the password is incorrect and that's it.  Anyone know what's going on?

----------

## taviso

*m33sb3w wrote:*

> When you first type skeyinit as a normal user it asks for a password.  What password is that?

The first password skeyinit asks for is your login password; then it will ask you to make a new secret password that you will need to generate new OTPs.

```
$ skeyinit
Password: yourloginpassword
[Updating taviso]
Old key: [md4] inso843904
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password: passwordforgeneratingskeys
```

----------

## Auka

Just in case someone is interested: A former colleague of mine wrote a tool called Mobile OTP which can be used for OTP authentication using java-enabled cellular phones. Quite nifty...  :Wink: 

----------

## m33sb3w

*taviso wrote:*

> The first password skeyinit asks for is your login password; then it will ask you to make a new secret password that you will need to generate new OTPs.

I hate to be a bother, but something's just not working.  I've made certain I'm not making any stupid mistakes like caps lock on or anything.  skeyinit just won't accept my password.  It just kicks me out and says Incorrect password.

Could this be an issue with pam and the 2.6-test kernels?  I recall having the same trouble with xlock.  My normal user or root passwords weren't recognized.  The new version of pam fixed that, though, so I'm not sure if that's what's going on here. 

Relevant information:

2.6-test5-mm1

pam 0.77

openssh 3.7.1_p2

skey 1.1.5

shadow 4.0.3-r6

----------

## taviso

*m33sb3w wrote:*

> I hate to be a bother, but something's just not working.  I've made certain I'm not making any stupid mistakes like caps lock on or anything.  skeyinit just won't accept my password.

I think I know what's going on; please sync and try the latest skey and openssh, which I hope fixes this.

----------

## m33sb3w

*taviso wrote:*

> I think I know what's going on; please sync and try the latest skey and openssh, which I hope fixes this.

I did indeed fix it!  Thank you very much for your help.

----------

## m33sb3w

Well, now that skey is working and generating passwords, I'm trying to get sshd to ask for the OTPs when I log in.  However, it would seem I'm having the same trouble as senso and byron.  Here is what

```
ssh -v my-computer -l eric
```

says (I've changed or deleted names and ips):

```
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /usr/local/etc/ssh_config
debug: ssh_connect: getuid 1079 geteuid 0 anon 0
debug: Connecting to my-computer [xxx.xxx.xxx.xxx] port 22.
debug: Seeded RNG with 34 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 611.
debug: Connection established.
debug: identity file /users/xxxxxxx/.ssh/identity-astro2 type 3
debug: identity file /users/xxxxxxx/.ssh/id_dsa-astro2 type 3
debug: identity file /users/xxxxxxx/.ssh/id_rsa1-astro2 type 3
debug: identity file /users/xxxxxxx/.ssh/id_rsa2-astro2 type 3
debug: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p2
debug: match: OpenSSH_3.7.1p2 pat ^OpenSSH
debug: Local version string SSH-1.5-OpenSSH_2.5.1p2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'my-computer' is known and matches the RSA1 host key.
debug: Found key in /users/xxxxxxx/.ssh/known_hosts:1
debug: Seeded RNG with 34 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
```

Here is my sshd_config:

```
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 60
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

And my ssh_config:

```
# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes25$
#   EscapeChar ~
PreferredAuthentications "keyboard-interactive,hostbased,publickey,password"
```

ssh works now, with these settings.  However, I have the feeling I may be missing something.  I'd really appreciate any help you can give whenever you get the chance.

Eric

----------

## tdb

I had the same problems as a few others; skey made keys just fine but SSH doesn't ask for them.  All I got was the standard password prompt. On a whim, I just hit enter without entering anything for the password. The very next prompt was for the skey password. It looks like SSHd is asking for the regular password first before going to skey.

Also, let me get this straight:

keyboard_interactive = skey (and not regular password)

password = regular password

right?

----------

## m33sb3w

*tdb wrote:*

> I had the same problems as a few others; skey made keys just fine but SSH doesn't ask for them.  All I got was the standard password prompt. On a whim, I just hit enter without entering anything for the password. The very next prompt was for the skey password. It looks like SSHd is asking for the regular password first before going to skey.

Hmm, I can't even get mine to do that.  Of course it wouldn't solve the problem anyway unless you put the message "If you are trying to get into my computer with my login password, I ask that you please ignore that, hit enter, and be frustrated by the new one-time password system"    :Very Happy: 

----------

## tdb

That would be funny, but I have enough legalese on my issue.net.

But let me ask you. Is there a way to get this for local console logins?

----------

## m33sb3w

I've been fooling around with this issue again recently but I still can't get it to ask for my otp and _only_ my otp, so I thought I'd bump this up, see if there are any new ideas.

----------

## melts

This is just a bit of extra help explaining things; hope it helps.

Here's what I did:

```
$ su
# nano -w /etc/make.conf
```

edited use="skey" (well, added skey to my flags; I already had pam in there)

edited accept_keywords="~x86"

saved and exited

```
# emerge skey
# emerge openssh
# /etc/init.d/sshd restart
# exit
$ skeyinit
```

entered my account passwd when asked

then made up a 10+ char secret password for skey to hash, entered that twice (and you have to remember this password, indeed)

it then gave me

```
ID melts skey is otp-md4 99 oni123456
RIME OUT HIT IQ TAN TREE
```

then I

```
$ skey 98 oni123456
```

and I got asked for that secret password again

and then I got

```
KEG CHEF CALF SHE MOLL HANK
```

then I logged in to my box again with PuTTY, and when it asked for my username I gave it melts

then at the password: prompt I hit enter

then got

```
opt-md4 98 oni123456
S/Key Password:
```

I entered the skey one I made (KEG CHEF CALF SHE MOLL HANK) and I was in.

It looks pretty cool; I was just confused as to why it didn't ask me for the 99 one that was created by the skeyinit.

And I had to figure out what skey wanted to build a key: you need to give it the key number and the key, the HOST123456 bit. But once that and the fact I needed to build a key before I could use it was sorted out, it worked fine   :Smile:

----------

## m33sb3w

*melts wrote:*

> then I logged in to my box again with PuTTY, and when it asked for my username I gave it melts
> 
> then at the password: prompt I hit enter
> 
> then got
> ...

Still though, that really doesn't solve anything.  You said at the 'password:' prompt you hit enter to get the skey password prompt.  I don't see how this secures the box any better if there's still the option to enter the normal password to get in.

Does anyone know how to completely disable the normal login password over ssh?

----------

## melts

hrm, the OTP is more for preventing snooped passwords from being used to access your box, is it not?

I think I understand what you want to use it for, but wouldn't having a list of OTPs always at hand and remembering to renew them and so on make normal use impractical?

Also, look at this: the OTP system's word list is 2048 words long and the password is always 6 words long, while a password can have any of the 95 lower and uppercase letters, numbers, punctuation and symbols.

73786976294838206464 = 2048^6

735091890625 = 95^6

5688000922764599609375 = 95^11

Using an 11 letter/symbol password isn't all that hard, and raises the bar by many factors. I don't know how crackable the OTP hashes are, but using just the words, that is a look at security. (Also, I can remember my password in my head, but you'd almost always need a copy of your OTPs written down... I work at a school; writing passwords down just doesn't do it for me.)

If you need to secure your box, make better password rules and longer passwords; that seems more reasonable. I personally use OTPs for logins on machines other than my own, and I could see a use as a way of recovering a forgotten password on a user network (create and print out each user's S/Key and tell them to look after it for passwd recovery, etc.) but I don't use it to make my box harder to hack. On top of a defined word list and word count, S/Key provides a key to be combined with the secret to make the password, and although I'm not a crypto expert at all, the idea that any info is supplied that works with generating a password would just seem even less secure... just a thought.

However, I'm looking at kerberos logins with SSH and I would like to change the order in which authentication systems are presented, so if I figure it out I'll post it in my network login thread and here.

----------

## Yarrick

same problem as tdb. ssh -v localhost gives:

```
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/yarrick/.ssh/identity
debug1: Offering public key: /home/yarrick/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/yarrick/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
otp-md5 97 bout08946
S/Key Password:
debug1: Authentications that can continue: publickey,keyboard-interactive
Password:
otp-md5 97 bout08946
S/Key Password:
```

That first password request is from pam, I believe; this is the same password prompt as when logging in on a real console.

edit: the normal ssh passwd prompt is "user@host's password:"

----------

## taviso

*Yarrick wrote:*

> same problem as tdb.

I'll be honest, I don't remember how I configured sshd to change the order of authentication methods, so I'll post my sshd_config and maybe you can help me work it out!  :Smile: 

```
Port 22
Protocol 2
ListenAddress 0.0.0.0
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PrintMotd yes
PrintLastLog yes
KeepAlive yes
UsePrivilegeSeparation yes
PermitUserEnvironment yes
Compression yes
UseDNS yes
UsePAM no
MaxStartups 5
Subsystem       sftp    /usr/lib/misc/sftp-server
```

and my USE flags:

```
$ etcat -u openssh
[ Colour Code : set unset ]
[ Legend   : (U) Col 1 - Current USE flags        ]
[          : (I) Col 2 - Installed With USE flags ]
 U I [ Found these USE variables in : net-misc/openssh-3.7.1_p2-r2 ]
 - - ipv6     : Adds support for IP version 6
 - - static   : !!do not set this during bootstrap!! Causes things to be statically linked instead of dynamically
 - - pam      : Adds support PAM (Pluggable Authentication Modules)
 - - tcpd     : Adds support for TCP wrappers
 - - kerberos : Adds kerberos support
 + + skey     : Enable S/Key (Single use password) authentication support
 - - selinux  : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
 - - X509     : Adds support for X.509 certificate authentication
 - - chroot   : Enable chrooting support.
```

Hopefully we can figure this out  :Smile: 

----------

## Yarrick

pam was the problem. remerging openssh without pam gave me the skey prompt directly.

----------

## hashier

Hey,

If I put the following in /etc/ssh/ssh_config, then would normal login still be available, also if compiled _without_ pam?

```
PreferredAuthentications "publickey,password,keyboard-interactive"
```

With this line:

```
hashier@blackbird hashier $ ssh localhost
hashier@localhost's password:
```

Without:

```
hashier@blackbird hashier $ ssh localhost
otp-md4 94 blac19836
S/Key Password:
```

----------

## gmtl3

I'm having the same problem as some of the other posters.  It's asking for my password, before/instead of my skey response.  I'm assuming this is a PAM issue, not an ssh issue.  I'm now trying to figure out how to tell PAM to only offer skey, not password, for ssh.  I have an /etc/pam.d/sshd file, so I'm assuming it's just a matter of tweaking the settings for that file.

Any help would be appreciated.

Thanks,

----------

## beastmaster

an excellent thread, definitely need a bump-up   :Very Happy: 

I'm gonna try it soon    :Very Happy: 

----------

## nevynxxx

*taviso wrote:*

> Did you audit and compile that ssh client at work yourself? Are you sure the guys from IT haven't installed some key logging software, or tampered with your keyboard? You can't be certain someone isn't harvesting passwords before ssh even has a chance to do its stuff.

1) I am the IT staff at work  :Smile:

2) Yes, I did "audit" the ssh client; it's called putty and has the correct md5 sum.

3) I keep my copy of putty on a usb key, which I keep about my person. Along with my usb key and a few other useful utils.

4) It uses public key authentication, not password, nope. That's entered into another prog, the auth agent, which yes I did also verify.

@ the person who doesn't trust his admins because they have VNC installed on winxp machines.

1) How large an area do they admin? Remote control is *very* useful if you cover a large area.

2) VNC is the best remote control system there is, and it's freeware. A good combination in anyone's book. If they have a few unix workstations around (their own boxes?) then it's even better as they can do their job without having to be in windows.

Also, if you double click the VNC icon, you should be able to look at (please don't change :) ) the settings, like disable keyboard and stuff. The dodgy one is if they disable their keyboard and leave yours active; that means they are looking. If they disable yours, that means they are helping.

----------

## gmtl3

Still digging on this.  I noticed that FreeBSD has an /etc/skey.access file that enables you to control whether or not password is a valid option.  Of course, the code that gentoo uses is an OpenBSD port and I don't see that feature.

It's driving me nuts that I can't turn on skey without also turning on password, and it's even more infuriating that it asks me for a password first.  Ughh!

----------

## ulm

This topic is ages old, however I believe it is still useful if I reply to this.

The problem is that PAM is not properly switched off by the "UsePAM no" option in sshd_config. I have reported this as bug 65343.

However, as a workaround, the following works for me:

1. Unset the "pam" use flag for openssh (in /etc/portage/package.use).

2. In sshd_config, set "PasswordAuthentication no" and "ChallengeResponseAuthentication yes". (The "UsePAM" option should be commented out.)

----------

## gmtl3

Thanks for the reply.  I had not found a fix for this yet.  While your note makes sense as a work around, I was hoping to find a solution that used PAM.  I am baffled as to how the ssh PAM config allows Skey to be used through PAM at all, not to mention why it is a lower choice than password.

Oh well, thanks again.

----------

## jago25_98

Got skey prompting on ssh login but,

skey doesn't seem to be accepting my password. It seems to be asking for an earlier numbered password in the list:

```
betty.net[~] $ skeyinit  -n 4
Password:
[Updating work]
Old key: [md5] bett30526
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet
or rlogin, exit with no password and use skeyinit -s.
Enter secret password:
Again secret password:
ID work skey is otp-md5 4 bett30527
Next login password: FRAU WEAR GAIT OLAF GONE DINE
betty.net[~] $ skey 4 bett30527
Reminder - Do not use this program while logged in via telnet or rlogin.
Enter secret password:
FRAU WEAR GAIT OLAF GONE DINE
betty.net[~] $ ssh 127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is e6:c3:6a:04:f0:78:03:a9:51:2b:9c:9c:f8:af:ee:3c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.
otp-md5 3 bett30527
S/Key Password:
otp-md5 3 bett30527
S/Key Password:
otp-md5 3 bett30527
S/Key Password:
Permission denied (publickey,keyboard-interactive).
betty.net[~] $
```

I've tried both typing and pasting the password. I've also tried removing the spaces too.

Any ideas?

----------

## justanothergentoofanatic

*Quote:*

> betty.net[~] $ skey 4 bett30527
> 
> FRAU WEAR GAIT OLAF GONE DINE

Here you are generating OTP #4...

*Quote:*

> S/Key Password:
> 
> otp-md5 3 bett30527
> ...

But it is asking for OTP #3. So, you need to do:

```
skey 3 bett30527
```

to get the correct password.

*Quote:*

> It seems to be asking for an earlier numbered password in the list:

It is asking for a later numbered password in the list (it counts down to 0). I don't understand why, but skey seems to always throw away the first OTP it generates. This might be a bug.

-Mike
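
The behaviour the opening post walks through (skeyinit stores something server-side, `skey <count> <seed>` derives each response from the secret pass phrase, and every login consumes one counter value) and the counter puzzle in the exchange just above (skeyinit reports count 4 but the login prompt asks for 3) both follow from how an S/Key server stores and checks the sequence. The program below is an added example written for this page; it is not code from OpenSSH, the OpenBSD skey utilities or the Gentoo packages. It implements the RFC 2289 otp-md5 computation end to end, using the hex response form that S/Key also accepts (the 2048-word dictionary is omitted), and the user name `taviso`, seed `inso77154` and secret pass phrase are made-up values. The design point it shows: the server keeps otp(N) as its verifier and challenges with N-1, hashing the response once and comparing; so the password skeyinit prints next to count 99 (or 4) is the stored verifier, not a usable login response, and an accepted response becomes the new verifier, which is why a replay fails.

```python
"""
S/Key-style one-time passwords (RFC 2289, otp-md5), client and server side.
Constructed example: user name, seed and secret pass phrase are made up, and
responses use the hex form that S/Key accepts instead of the six-word form.
"""
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing the two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def f(value: bytes) -> bytes:
    """The one-way step: MD5, then fold to 64 bits."""
    return _fold(hashlib.md5(value).digest())


def otp(secret: str, seed: str, count: int) -> bytes:
    """OTP number `count`: f applied count+1 times to seed||secret.
    The seed is case-insensitive, so it is lowercased first.
    This is what `skey <count> <seed>` derives from the secret pass phrase."""
    value = (seed.lower() + secret).encode()
    for _ in range(count + 1):
        value = f(value)
    return value


def to_hex(key: bytes) -> str:
    """Hex form of an OTP (S/Key accepts this in place of the six words)."""
    return key.hex().upper()


def from_hex(text: str) -> bytes:
    """Parse a typed hex response; embedded spaces are ignored."""
    return bytes.fromhex(text.replace(" ", ""))


def otp_list(secret: str, seed: str, last: int, n: int) -> dict:
    """Equivalent of `skey -n<n> <last> <seed>`: the n passwords ending at `last`."""
    return {c: to_hex(otp(secret, seed, c)) for c in range(last - n + 1, last + 1)}


class SkeyServer:
    """Per-user record: seed, count N and the verifier otp(N), like /etc/skey/<user>."""

    def __init__(self):
        self.entries = {}  # user -> [seed, count, verifier]

    def init_user(self, user: str, secret: str, seed: str, count: int = 99) -> str:
        """skeyinit: compute and store otp(count). The secret itself is never stored."""
        self.entries[user] = [seed.lower(), count, otp(secret, seed, count)]
        return f"ID {user} skey is otp-md5 {count} {seed.lower()}"

    def challenge(self, user: str) -> str:
        """The prompt sshd shows: it asks for count-1, one below the stored verifier."""
        seed, count, _ = self.entries[user]
        return f"otp-md5 {count - 1} {seed}"

    def verify(self, user: str, response: bytes) -> bool:
        """Accept iff f(response) == stored verifier; the response then becomes the
        new verifier, so the same OTP can never be accepted twice."""
        entry = self.entries[user]
        seed, count, verifier = entry
        if count <= 0:
            return False  # sequence exhausted: the user must run skeyinit again
        if not hmac.compare_digest(f(response), verifier):
            return False
        entry[1] = count - 1
        entry[2] = response
        return True


def demo() -> dict:
    """Walk through the thread's scenario with constructed values."""
    server = SkeyServer()
    secret, seed = "correct horse battery staple", "inso77154"  # made-up values
    server.init_user("taviso", secret, seed, 99)
    out = {}
    out["first_challenge"] = server.challenge("taviso")           # 98, not 99
    out["count99_rejected"] = server.verify("taviso", otp(secret, seed, 99))
    typed = to_hex(otp(secret, seed, 98))                         # what the user types
    out["count98_accepted"] = server.verify("taviso", from_hex(typed))
    out["replay_rejected"] = server.verify("taviso", from_hex(typed))
    out["next_challenge"] = server.challenge("taviso")            # now 97
    out["count97_accepted"] = server.verify("taviso", otp(secret, seed, 97))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it prints the first challenge as `otp-md5 98 inso77154`, rejects the count-99 value, accepts count 98 once, rejects its replay, and moves the challenge on to 97. Anyone adapting this should check the `otp` function against the test vectors in RFC 2289 Appendix C (pass phrase `This is a test.`, seed `TeSt`) before trusting it, and note that real S/Key also rejects responses while another login for the same user is in progress, which this single-process sketch does not model.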

----------

## justanothergentoofanatic

*gmtl3 wrote:*

> Thanks for the reply.  I had not found a fix for this yet.  While your note makes sense as a work around, I was hoping to find a solution that used PAM.

Basically, PAM support in sshd is and has always been buggy.

*Quote:*

> I am baffled as to how the ssh PAM config allows Skey to be used through PAM at all, not to mention why it is a lower choice than password.

A wild (and probably incorrect) guess: when you don't enter a password, PAM returns authinfo_unavail. Sshd interprets this as a request for more login information, so it switches to its next available authentication system (skey) and prompts for a password.

-Mike

----------

