- 08-16-2012 #1 (Just Joined!, Join Date: Aug 2012, Posts: 9)
Pam - otpw -ssh
I don't know if I'm at the right place with my question, it's kind of interdisciplinary.
To explain my problem - finally I have to provide access to an embedded system running a custom debian linux on ARM. I have to grant access over SSH (Installed Openssh 6.0p1 with OpenSSL 0.9.8k) using PAM in combination with a one-time-password (OTPW library).
I am facing some problems now during the configuration, in fact i configured the files as follows:
in /etc/pam.conf
Code:
    #
    # The PAM configuration file for the `login' service
    #
    login auth requisite pam_securetty.so
    login auth required pam_nologin.so
    login auth sufficent pam_unix.so
    login auth required pam_unix.so
    login auth optional pam_group.so
    login account requisite pam_time.so
    login account required pam_unix.so
    login password required pam_cracklib.so retry=3
    login password required pam_unix.so shadow md5 use_authtok
    login session required pam_unix.so
    #
    # The PAM configuration file for the `sshd' service
    #
    sshd auth required pam_otpw.so
    sshd session optional pam_otpw.so
and in /etc/sshd_config
Code:
    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    UsePrivilegeSeparation no
    UsePAM yes
but nothing happened. I can connect over SSH, but always with the default root password. i suppose my system isn't using PAM at all... what can i do to force the system to use PAM?
thanks, simon
- 08-24-2012 #2 (Just Joined!, Join Date: Oct 2006, Posts: 32)
Is this already set in sshd_config:
Code:
    PAMAuthenticationViaKbdInt yes
And have you tried forcing openssh client to use pam:
Code:
    ssh -o PreferredAuthentications=keyboard-interactive
- 08-27-2012 #3 (Just Joined!, Join Date: Aug 2012, Posts: 9)
hej,
thanks for your reply. the first tip: if i add this command i cannot start sshd and linux complains that the option is deprecated.
i also tried the second tip but i get an access denied message then. but i can say now that the system uses pam - i used strace to check and it's accessing the libraries. over that, we tested on a ubuntu machine (openssh - pam - otpw running), copied the configs and it's still not working. so it might be more sort of a cross-compile / distribution problem...
- 08-27-2012 #4 (Just Joined!, Join Date: Oct 2006, Posts: 32)
can you verify your steps against this:
Using One-Time Passwords with SSH on Ubuntu
also, can you try configuring /etc/pam.d/su to see if the problem is with ssh or otpw?
- 08-30-2012 #5 (Just Joined!, Join Date: Aug 2012, Posts: 9)
alright, i'll check that in the nearer future, I decided to wait a bit with this issue, there are other, more important ones to resolve first
thanks already, i will keep you up to date in case of any news...
- 09-20-2012 #6 (Just Joined!, Join Date: Aug 2012, Posts: 9)
so, i attacked the topic again & found out that it is most probably a compilation problem of pam_otpw.so which is somehow not known to libpam. my next step is now to include the otpw package in the makefile of the other pam modules, which is hopefully not a huuuge thing (gk, makefile hacking)
- 10-01-2012 #7 (Just Joined!, Join Date: Aug 2012, Posts: 9)
update again to my monologue (maybe it's serving anyone's need anytime, so i'll post my updates). I found out with
Code:
    readelf -a
and
Code:
    strace
and the debug option of pam_otpw that it was a problem at the compilation & succeeded in recompiling. now I'm a big step ahead. I get the output on the console where i demand for connection to enter a specific password. when i enter the password, it's getting accepted but then i was told that the user account is expired.
Code:
    Oct 1 13:52:24 arm926 sshd(pam_otpw)[828]: pam_sm_authenticate called, flags=1
    Oct 1 13:52:24 arm926 sshd(pam_otpw)[828]: username is root
    Oct 1 13:52:24 arm926 sshd(pam_otpw)[828]: uid=0, euid=0, gid=0, egid=0
    Oct 1 13:52:25 arm926 sshd(pam_otpw)[828]: challenge: 052
    Oct 1 13:52:25 arm926 sshd(pam_otpw)[828]: calling conversation function
    Oct 1 13:52:45 arm926 sshd(pam_otpw)[828]: conversation function returned 0
    Oct 1 13:52:45 arm926 (pam_otpw)[828]: Password 0 = 'vAHvBSwf'
    Oct 1 13:52:45 arm926 (pam_otpw)[828]: Prefix = ''
    Oct 1 13:52:45 arm926 (pam_otpw)[828]: hash(password): 'poUCZYHzcbL:', hash from file: 'poUCZYHzcbL:'
    Oct 1 13:52:45 arm926 (pam_otpw)[828]: Entered password(s) are ok.
    Oct 1 13:52:46 arm926 (pam_otpw)[828]: Removing lock file
    Oct 1 13:52:46 arm926 sshd(pam_otpw)[828]: password matches
    Oct 1 13:52:46 arm926 sshd[825]: error: PAM: User account has expired for root from 160.98.71.64
    Oct 1 13:52:46 arm926 sshd[825]: Connection closed by 160.98.71.64
This was the resulting output:
Code:
    simon@simon:~$ ssh root@160.98.71.76
    Password 052:
    Permission denied (publickey,keyboard-interactive).
I was browsing around and found out, that I could change the fallback option in "common-account" from pam_deny.so to pam_permit.so and the result was like that:
Code:
    Oct 1 16:11:26 arm926 sshd(pam_otpw)[633]: pam_sm_authenticate called, flags=1
    Oct 1 16:11:26 arm926 sshd(pam_otpw)[633]: username is root
    Oct 1 16:11:26 arm926 sshd(pam_otpw)[633]: uid=0, euid=0, gid=0, egid=0
    Oct 1 16:11:26 arm926 sshd(pam_otpw)[633]: challenge: 145
    Oct 1 16:11:26 arm926 sshd(pam_otpw)[633]: calling conversation function
    Oct 1 16:11:41 arm926 sshd(pam_otpw)[633]: conversation function returned 0
    Oct 1 16:11:41 arm926 (pam_otpw)[633]: Password 0 = 'wTM3geNV'
    Oct 1 16:11:41 arm926 (pam_otpw)[633]: Prefix = ''
    Oct 1 16:11:41 arm926 (pam_otpw)[633]: hash(password): 'c6QjXuNSX3ci', hash from file: 'c6QjXuNSX3ci'
    Oct 1 16:11:41 arm926 (pam_otpw)[633]: Entered password(s) are ok.
    Oct 1 16:11:41 arm926 (pam_otpw)[633]: Removing lock file
    Oct 1 16:11:41 arm926 sshd(pam_otpw)[633]: password matches
    Oct 1 16:11:41 arm926 sshd[630]: Accepted keyboard-interactive/pam for root from 160.98.71.64 port 49393 ssh2
    Oct 1 16:11:42 arm926 sshd(pam_otpw)[630]: pam_sm_open_session called, flags=0
    Oct 1 16:11:42 arm926 sshd(pam_otpw)[630]: pam_get_data() failed
    Oct 1 16:11:42 arm926 sshd[630]: error: PAM: pam_open_session(): Permission denied
    Oct 1 16:11:44 arm926 sshd[630]: Received disconnect from 160.98.71.64: 11: disconnected by user
Code:
    simon@simon:~$ ssh root@160.98.71.76
    Password 253:
    Last login: Mon Oct 1 15:58:39 2012 from 160.98.71.64
    Welcome!
    Connection to 160.98.71.76 closed.
as you can see, i get a welcome message, which is the content of the file /etc/motd. But i get disconnected immediately... Does anyone know more?
And finally, when i replace pam_otpw.so with pam_unix.so, i can log in into the system without problem...
cheers, simon
- 10-10-2012 #8 (Just Joined!, Join Date: Aug 2012, Posts: 9)
to finish my monologue - i finally got it running - by replacing the session login-library to pam_unix.so so my pam.d/sshd looks like that:
Code:
    #
    # The PAM configuration file for the `sshd' service
    #
    sshd auth required pam_otpw.so
    sshd session optional pam_unix.so
and everything seems to work as it should. i suppose it's still a problem due to the cross-compilation, but as mentioned above - everything seems to work as it should. cheers & thanks for the place to write down my worries
finally solved...
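Added example, not part of the thread and not code from OTPW or OpenSSH: a small linter for pam.conf-style entries, run over the sshd stacks posted in #1 and #8, that flags the three conditions visible in this thread (a misspelled control flag, a service with no stack of its own for a type, and a stack whose only module is `optional`). It assumes Linux-PAM semantics: a type with no entries for the service is answered by the `other` service, and a sole `optional` module decides the result of its stack; the finding codes and sample strings are constructed for illustration.

```python
import re
from collections import defaultdict

TYPES = ("auth", "account", "password", "session")
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
# service  type  control-or-[bracket list]  module
ENTRY = re.compile(r"^(\S+)\s+(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Constructed sample: one login line and the two sshd lines from post #1.
POST1 = """\
# /etc/pam.conf (excerpt)
login auth sufficent pam_unix.so
sshd auth required pam_otpw.so
sshd session optional pam_otpw.so
"""
# The sshd stack from post #8.
POST8 = """\
sshd auth required pam_otpw.so
sshd session optional pam_unix.so
"""

def parse(text):
    """Return {service: {type: [(lineno, control, module), ...]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for n, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.split("#", 1)[0].strip())  # drop comments
        if m:
            service, typ, control, module = m.groups()
            stacks[service][typ.lstrip("-")].append((n, control, module))
    return stacks

def lint(text, service):
    """Control-flag typos anywhere in the file, plus stack checks for `service`."""
    stacks, out = parse(text), []
    for svc, types in stacks.items():
        for typ, entries in types.items():
            for n, control, _module in entries:
                if not control.startswith("[") and control not in CONTROLS:
                    out.append(("BAD_CONTROL", f"line {n}: {svc} {typ} '{control}'"))
    for typ in TYPES:
        entries = stacks[service].get(typ, [])
        if not entries:  # assumption: Linux-PAM then uses the `other` service
            out.append(("FALLS_BACK_TO_OTHER", f"{service} has no {typ} stack"))
        elif len(entries) == 1 and entries[0][1] == "optional":
            out.append(("SOLE_OPTIONAL_DECIDES", f"{service} {typ}: {entries[0][2]}"))
    return sorted(out)

if __name__ == "__main__":
    for name, conf in (("post #1", POST1), ("post #8", POST8)):
        print(name, *lint(conf, "sshd"), sep="\n  ")
```

A `FALLS_BACK_TO_OTHER` finding for `account` is the case where an explicit `sshd account` line keeps the decision in the service's own stack instead of in whatever the shared fallback is set to.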



