Subject: Re: A couple of security-related issues.
To: Richard Rauch <firstname.lastname@example.org>
From: Manuel Bouyer <email@example.com>
Date: 12/26/2000 20:32:31
On Sun, Dec 24, 2000 at 05:25:34PM -0600, Richard Rauch wrote:
> > > I seem to remember reading about One Time Passwords as a feature
> > > of kerberos. I decided that it sounded a bit over the top to
> > No, it's skey. It's also here for telnet and rlogin.
> Ah. And is it OpenSSH or the remote sshd that is giving the
> less-than-helpful ``OTP'' prompt?
Don't know. what does it say when you connect using the -v flag ?
> > > a reason that I should want OpenSSH to do this? (Or am I missing
> > > the point of one-time passwords?)
> > >
> > > (OpenSSH only does this with some hosts. My other computer is still
> > > on 1.5_ALPHA with ssh[d], and doesn't do the ``otp'' stuff to me.)
> > >
> > > I couldn't see any options in ssh's man-page that seemed to govern
> > > this...
> > I've run into this as well, and discovered it falled back to otp when
> > the login is invalid. I've found several reasons for a login to be invalid:
> > unknown login, the shell doesn't exists (it took some time to find this
> > one :), ...
> > Check that you can properly log on the console.
> The console of the remote machine? I don't have access to that
> (physically). I suppose that I wasn't very clear about the situation
> w.r.t. the machines. I have two NetBSD machines, here (one on 1.5, on e
> on 1.5_ALPHA). They interoperate nicely. I have access to several remote
> machines at KU. We'll call one of them ``tesla'' (because that happens to
> be its name). I don't know where tesla is, and don't have physical access
> to tesla.
> If I use my 1.5_ALPHA machine to connec to tesla, all is well. I get a
> password prompt; I answer it; I login.
> If I use 1.5, proper, with OpenSSH, I first get an OTP challenge. Only
> after failing it 3 times does it fall back to a standard password. This
> happens on every login.
And with standart passwd it works ? Then it can be an option of the local
ssh. What does the ssh.conf man page tell about this ?
> > > * I figured that audit-packages would be in /etc/security by now.
> > audit-packages is a package, it's not part of the base system.
> Yes, but I seem to recall that we had things (like ssh-related, or
> skey-related?) in daily/secure/something before. You just check to see if
> the pkg is where it ``should'' be, and if it is, then run it.
skey related. But skey is part of the base system.
> I assumed that there was a good reason to have them all directed to
> root, since that's how it comes out of the box. (sigh)
Hey, it's the only account with a passwd out of the box :)
This assumes someone reads root message on a regular basis. The best way to
do this is to redirect the messages to one or more regular account :)
Manuel Bouyer, LIP6, Universite Paris VI. Manuel.Bouyer@lip6.fr