Subject: Re: How to enable s/key with sshd on NetBSD-3.0BETA?
To: Cheese Lottery <firstname.lastname@example.org>
From: Geert Hendrickx <email@example.com>
Date: 10/04/2005 08:50:54
On Mon, Oct 03, 2005 at 03:14:25PM -0700, Cheese Lottery wrote:
> I'm using NetBSD-3.0BETA.
> What is required to enable s/key authentication for sshd? The top
> portion of my /etc/pam.d/sshd looks like this:
> # auth
> auth required pam_nologin.so no_warn
> auth sufficient pam_skey.so
> auth sufficient pam_krb5.so no_warn try_first_pass
> # pam_ssh has potential security risks. See pam_ssh(8).
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth required pam_unix.so no_warn try_first_pass
> In /etc/ssh/sshd_config, ChallengeResponseAuthentication is explictly
> set to yes (the man page states the default is yes).
> PasswordAuthentication is set to no.
> S/key should work:
> $ skeyinfo
> Your next otp-md4 98 anti74858
> $ ssh localhost
> socket: Protocol not supported
> Permission denied (publickey,keyboard-interactive).
If you also want to allow regular passwords, all you have to do is enable
s/key (with skeyinit), without modifying any other files. sshd will first
prompt for your password, and if you just hit enter at that prompt, ask for
a one-time password.