Subject: Re: How to enable s/key with sshd on NetBSD-3.0BETA?
To: Cheese Lottery <>
From: Geert Hendrickx <>
List: netbsd-users
Date: 10/04/2005 08:50:54
On Mon, Oct 03, 2005 at 03:14:25PM -0700, Cheese Lottery wrote:
> I'm using NetBSD-3.0BETA.
> What is required to enable s/key authentication for sshd? The top
> portion of my /etc/pam.d/sshd looks like this:
> # auth
> auth            required  no_warn
> auth            sufficient
> auth            sufficient     no_warn try_first_pass
> # pam_ssh has potential security risks.  See pam_ssh(8).
> #auth           sufficient      no_warn try_first_pass
> auth            required     no_warn try_first_pass
> In /etc/ssh/sshd_config, ChallengeResponseAuthentication is explictly
> set to yes (the man page states the default is yes). 
> PasswordAuthentication is set to no.
> S/key should work:
> $ skeyinfo
> Your next otp-md4 98 anti74858
> However:
> $ ssh localhost
> socket: Protocol not supported
> Permission denied (publickey,keyboard-interactive).

If you also want to allow regular passwords, all you have to do is enable
s/key (with skeyinit), without modifying any other files.  sshd will first
prompt for your password, and if you just hit enter at that prompt, ask for
a one-time password.