  1. #1 | Just Joined! | Join Date: Aug 2012 | Posts: 9

    Pam - otpw - ssh

    I don't know if I'm at the right place with my question; it's kind of interdisciplinary.

    To explain my problem - finally I have to provide access to an embedded system running a custom Debian Linux on ARM. I have to grant access over SSH (I installed OpenSSH 6.0p1 with OpenSSL 0.9.8k) using PAM in combination with a one-time password (OTPW library).

    I am facing some problems now during the configuration; in fact I configured the files as follows:

    in /etc/pam.conf
    Code:
    #
    # The PAM configuration file for the `login' service
    #
    login   auth       requisite  pam_securetty.so
    login   auth       required   pam_nologin.so
    login   auth       sufficient pam_unix.so
    login   auth       required   pam_unix.so
    login   auth       optional   pam_group.so
    login   account    requisite  pam_time.so
    login   account    required   pam_unix.so
    login   password   required   pam_cracklib.so retry=3
    login   password   required   pam_unix.so shadow md5 use_authtok
    login   session    required   pam_unix.so
    
    #
    # The PAM configuration file for the `sshd' service
    #
    sshd    auth       required   pam_otpw.so
    sshd    session    optional   pam_otpw.so
    and in /etc/sshd_config

    Code:
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    UsePrivilegeSeparation no
    UsePAM yes
    but nothing happened. I can connect over SSH, but always with the default root password. I suppose my system isn't using PAM at all... What can I do to force the system to use PAM?

    thanks, simon
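
    A quick way to rule out the stack itself before suspecting the module build: the script below is an added example (my own shell, not code from the thread or from the OTPW project) that lints a pam.conf-style file for one service. It flags control flags Linux-PAM does not recognise (the `sufficent` in the login stack above is one; Linux-PAM only logs such a line to syslog, so it is easy to miss) and a service with no auth, account or session lines of its own, since for each type that has none PAM uses the `other` service's stack instead. Function and file names are mine and the sample stacks are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a pam.conf-style stack
# ("service type control module args" per line) for one service.
# It does not check that a module file is loadable; that is what readelf
# and strace are for.

# pam_lint SERVICE FILE  -> prints findings; returns 0 if none, 1 otherwise
pam_lint() {
    service="$1"; file="$2"; status=0; lineno=0
    have_auth=0; have_account=0; have_session=0
    set -f   # no pathname expansion while splitting lines into words
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line
        case "${1:-}" in ''|\#*) continue ;; esac      # blank or comment
        [ "$1" = "$service" ] || continue
        [ $# -ge 4 ] || { echo "$file:$lineno: too few fields"; status=1; continue; }
        case "$2" in
            auth) have_auth=1 ;;
            account) have_account=1 ;;
            session) have_session=1 ;;
            password) ;;                                # not needed to log in
            *) echo "$file:$lineno: unknown module type '$2'"; status=1 ;;
        esac
        shift 2; ctrl="$1"
        case "$ctrl" in
            # bracketed control "[success=ok default=bad]" may span several words
            \[*) while [ $# -gt 0 ]; do w="$1"; shift; case "$w" in *\]) break ;; esac; done ;;
            required|requisite|sufficient|optional|include|substack) shift ;;
            *) echo "$file:$lineno: unknown control flag '$ctrl' for $2"; status=1; shift ;;
        esac
    done < "$file"
    set +f
    for t in auth account session; do
        eval "seen=\$have_$t"
        [ "$seen" = 1 ] || { echo "$service: no '$t' lines, the 'other' stack applies"; status=1; }
    done
    return $status
}

# Constructed sample stacks (temporary files, removed on exit).
SAMPLE_BAD=$(mktemp) && cat > "$SAMPLE_BAD" <<'EOF'
# constructed from the stack in the post above
login   auth       requisite  pam_securetty.so
login   auth       required   pam_nologin.so
login   auth       sufficent  pam_unix.so
login   account    required   pam_unix.so
login   session    required   pam_unix.so
sshd    auth       required   pam_otpw.so
sshd    session    optional   pam_otpw.so
EOF
SAMPLE_GOOD=$(mktemp) && cat > "$SAMPLE_GOOD" <<'EOF'
# constructed: sshd stack with all three phases spelled out
sshd    auth       required   pam_otpw.so
sshd    account    required   pam_unix.so
sshd    session    required   pam_unix.so
EOF
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_GOOD"' EXIT

for svc in login sshd; do
    pam_lint "$svc" "$SAMPLE_BAD" || echo "$svc: problems found"
done
pam_lint sshd "$SAMPLE_GOOD" && echo "sshd: stack complete"
```

    On the real box, run it against /etc/pam.conf (or the relevant /etc/pam.d file with the service column prepended). If the stack is clean and the module is still ignored, compare `readelf -h` output for pam_otpw.so with that of a module known to work, such as pam_unix.so: the "Machine" and "Class" lines must match, or the cross-compiled module will not be loadable by libpam.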

  2. #2 | Just Joined! | Join Date: Oct 2006 | Posts: 32
    Is this already set in sshd_config:

    Code:
    PAMAuthenticationViaKbdInt      yes
    And have you tried forcing the OpenSSH client to use PAM:

    Code:
    ssh -o PreferredAuthentications=keyboard-interactive

  3. #3 | Just Joined! | Join Date: Aug 2012 | Posts: 9
    Hi,

    Thanks for your reply. The first tip: if I add this command I cannot start sshd, and Linux complains that the option is deprecated.
    I also tried the second tip, but I get an access denied message then. But I can say now that the system uses PAM - I used strace to check and it's accessing the libraries. On top of that, we tested on an Ubuntu machine (OpenSSH - PAM - OTPW running), copied the configs, and it's still not working. So it might be more of a cross-compile / distribution problem...

  4. #4 | Just Joined! | Join Date: Oct 2006 | Posts: 32
    Can you verify your steps against this:

    Using One-Time Passwords with SSH on Ubuntu

    Also, can you try configuring /etc/pam.d/su to see if the problem is with ssh or otpw?

  5. #5 | Just Joined! | Join Date: Aug 2012 | Posts: 9
    Alright, I'll check that in the near future. I decided to wait a bit with this issue; there are other, more important ones to resolve first. Thanks already, I will keep you up to date in case of any news...

  6. #6 | Just Joined! | Join Date: Aug 2012 | Posts: 9
    So, I attacked the topic again and found out that it is most probably a compilation problem of pam_otpw.so, which is somehow not known to libpam. My further step is now to include the otpw package in the makefile of the other PAM modules, which is hopefully not a huuuge thing (gk, makefile hacking).

  7. #7 | Just Joined! | Join Date: Aug 2012 | Posts: 9
    Update again to my monologue (maybe it's serving anyone's need any time, so I'll post my updates). I found out with
    Code:
    readelf -a
    and
    Code:
    strace
    and the debug option of pam_otpw that it was a problem at the compilation, and succeeded in recompiling. Now I'm a big step ahead. I get the output on the console where I ask for a connection to enter a specific password. When I enter the password, it's getting accepted, but then I was told that the user account is expired.
    Code:
    Oct  1 13:52:24 arm926 sshd(pam_otpw)[828]: pam_sm_authenticate called, flags=1
    Oct  1 13:52:24 arm926 sshd(pam_otpw)[828]: username is root
    Oct  1 13:52:24 arm926 sshd(pam_otpw)[828]: uid=0, euid=0, gid=0, egid=0
    Oct  1 13:52:25 arm926 sshd(pam_otpw)[828]: challenge: 052
    Oct  1 13:52:25 arm926 sshd(pam_otpw)[828]: calling conversation function
    Oct  1 13:52:45 arm926 sshd(pam_otpw)[828]: conversation function returned 0
    Oct  1 13:52:45 arm926 (pam_otpw)[828]: Password 0 = 'vAHvBSwf'
    Oct  1 13:52:45 arm926 (pam_otpw)[828]: Prefix = ''
    Oct  1 13:52:45 arm926 (pam_otpw)[828]: hash(password): 'poUCZYHzcbL:', hash from file: 'poUCZYHzcbL:'
    Oct  1 13:52:45 arm926 (pam_otpw)[828]: Entered password(s) are ok.
    Oct  1 13:52:46 arm926 (pam_otpw)[828]: Removing lock file
    Oct  1 13:52:46 arm926 sshd(pam_otpw)[828]: password matches
    Oct  1 13:52:46 arm926 sshd[825]: error: PAM: User account has expired for root from 160.98.71.64
    Oct  1 13:52:46 arm926 sshd[825]: Connection closed by 160.98.71.64
    This was the resulting output:

    Code:
    simon@simon:~$ ssh root@160.98.71.76 
    Password 052: 
    Permission denied (publickey,keyboard-interactive).
    I was browsing around and found out that I could change the fallback option in "common-account" from pam_deny.so to pam_permit.so, and the result was like that:

    Code:
    Oct  1 16:11:26 arm926 sshd(pam_otpw)[633]: pam_sm_authenticate called, flags=1
    Oct  1 16:11:26 arm926 sshd(pam_otpw)[633]: username is root
    Oct  1 16:11:26 arm926 sshd(pam_otpw)[633]: uid=0, euid=0, gid=0, egid=0
    Oct  1 16:11:26 arm926 sshd(pam_otpw)[633]: challenge: 145
    Oct  1 16:11:26 arm926 sshd(pam_otpw)[633]: calling conversation function
    Oct  1 16:11:41 arm926 sshd(pam_otpw)[633]: conversation function returned 0
    Oct  1 16:11:41 arm926 (pam_otpw)[633]: Password 0 = 'wTM3geNV'
    Oct  1 16:11:41 arm926 (pam_otpw)[633]: Prefix = ''
    Oct  1 16:11:41 arm926 (pam_otpw)[633]: hash(password): 'c6QjXuNSX3ci', hash from file: 'c6QjXuNSX3ci'
    Oct  1 16:11:41 arm926 (pam_otpw)[633]: Entered password(s) are ok.
    Oct  1 16:11:41 arm926 (pam_otpw)[633]: Removing lock file
    Oct  1 16:11:41 arm926 sshd(pam_otpw)[633]: password matches
    Oct  1 16:11:41 arm926 sshd[630]: Accepted keyboard-interactive/pam for root from 160.98.71.64 port 49393 ssh2
    Oct  1 16:11:42 arm926 sshd(pam_otpw)[630]: pam_sm_open_session called, flags=0
    Oct  1 16:11:42 arm926 sshd(pam_otpw)[630]: pam_get_data() failed
    Oct  1 16:11:42 arm926 sshd[630]: error: PAM: pam_open_session(): Permission denied
    Oct  1 16:11:44 arm926 sshd[630]: Received disconnect from 160.98.71.64: 11: disconnected by user
    Code:
    simon@simon:~$ ssh root@160.98.71.76 
    Password 253: 
    Last login: Mon Oct  1 15:58:39 2012 from 160.98.71.64
    Welcome!
    Connection to 160.98.71.76 closed.
    As you can see, I get a welcome message, which is the content of the file /etc/motd. But I get disconnected immediately... Does anyone know more?

    And finally, when I replace pam_otpw.so with pam_unix.so, I can log in to the system without problem...

    cheers, simon
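
    The `User account has expired` line in the first log is sshd reporting PAM_ACCT_EXPIRED from the account stack. Two modules return that code: pam_unix.so, from the expiry fields of the user's /etc/shadow entry, and pam_deny.so, whose account hook returns it whenever the stack reaches it. The latter is why swapping pam_deny.so for pam_permit.so in common-account makes the message go away, at the price of switching off the account check for every service that includes that file. The script below is an added example, my own shell rather than code from the thread, that evaluates the pam_unix side against constructed shadow entries so the responsible field can be named and fixed with chage instead. The order of checks follows Linux-PAM's pam_unix as I understand it, which is an assumption to verify against your version.

```shell
#!/bin/sh
# Added example, not code from the thread: classify an /etc/shadow entry the
# way pam_unix's account check does.
# Shadow fields, dates in days since 1970-01-01:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# Check order is an assumption based on Linux-PAM's pam_unix check_shadow_expiry.

field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# shadow_status ENTRY TODAY  -> prints one status word; returns 1 when
# pam_unix would answer PAM_ACCT_EXPIRED (sshd: "User account has expired"),
# 0 otherwise (including the cases that only force a password change).
shadow_status() {
    entry="$1"; today="$2"
    lastchg=$(field "$entry" 3); max=$(field "$entry" 5)
    inact=$(field "$entry" 7);   expire=$(field "$entry" 8)
    # getspnam(3) reports empty numeric fields as -1
    : "${lastchg:=-1}" "${max:=-1}" "${inact:=-1}" "${expire:=-1}"

    # hard expiry date reached (field 8)
    if [ "$expire" != -1 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 1
    fi
    # password unchanged for more than max+inact days: also PAM_ACCT_EXPIRED
    if [ "$max" != -1 ] && [ "$inact" != -1 ] && [ "$lastchg" != -1 ] \
        && [ $((today - lastchg)) -gt $((max + inact)) ]; then
        echo password-inactive; return 1
    fi
    # lastchg == 0 means "must change password at next login"
    if [ "$lastchg" = 0 ]; then
        echo password-change-required; return 0
    fi
    # last change in the future: typical of a board whose clock was not set;
    # pam_unix logs a warning and lets the login proceed
    if [ "$lastchg" != -1 ] && [ "$today" -lt "$lastchg" ]; then
        echo clock-skew; return 0
    fi
    # older than max days: password change required, login still allowed
    if [ "$max" != -1 ] && [ "$lastchg" != -1 ] \
        && [ $((today - lastchg)) -gt "$max" ]; then
        echo password-expired; return 0
    fi
    echo ok; return 0
}

# Constructed entries (the hash is a placeholder) and a fixed "today" of
# 2012-10-01 (day 15614), the date of the logs in the post above.
TODAY=15614
SHADOW_OK='root:$6$placeholder:15500:0:99999:7:::'
SHADOW_EXPIRED='root:$6$placeholder:15500:0:99999:7::15000:'
SHADOW_INACTIVE='root:$6$placeholder:15500:0:30:7:5::'
SHADOW_MUSTCHANGE='root:$6$placeholder:0:0:99999:7:::'
SHADOW_FUTURE='root:$6$placeholder:16000:0:99999:7:::'

for e in "$SHADOW_OK" "$SHADOW_EXPIRED" "$SHADOW_INACTIVE" "$SHADOW_MUSTCHANGE" "$SHADOW_FUTURE"; do
    printf '%-52s -> %s\n' "$e" "$(shadow_status "$e" "$TODAY")"
done
```

    On the target, as root, `shadow_status "$(grep '^root:' /etc/shadow)" $(( $(date +%s) / 86400 ))` evaluates the live entry. If it prints `ok` while sshd still reports an expired account, the code is coming from pam_deny.so at the end of the account stack, which means pam_unix.so's account hook was skipped or failed, and that is what needs fixing rather than the fallback.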

  8. #8 | Just Joined! | Join Date: Aug 2012 | Posts: 9
    To finish my monologue - I finally got it running by replacing the session library with pam_unix.so, so my pam.d/sshd looks like that:

    Code:
    #
    # The PAM configuration file for the `sshd' service
    #
    sshd    auth       required   pam_otpw.so
    sshd    session    optional   pam_unix.so
    and everything seems to work as it should. I suppose it's still a problem due to the cross-compilation, but as mentioned above - everything seems to work as it should. Cheers & thanks for the place to write down my worries.
    Finally solved...
