Subject: Re: How to enable s/key with sshd on NetBSD-3.0BETA?
To: Cheese Lottery <cheeselottery@gmail.com>
From: Geert Hendrickx <geert.hendrickx@ua.ac.be>
List: netbsd-users
Date: 10/04/2005 08:50:54
On Mon, Oct 03, 2005 at 03:14:25PM -0700, Cheese Lottery wrote:
> I'm using NetBSD-3.0BETA.
> 
> What is required to enable s/key authentication for sshd? The top
> portion of my /etc/pam.d/sshd looks like this:
> 
> # auth
> auth            required        pam_nologin.so  no_warn
> auth            sufficient      pam_skey.so
> auth            sufficient      pam_krb5.so     no_warn try_first_pass
> # pam_ssh has potential security risks.  See pam_ssh(8).
> #auth           sufficient      pam_ssh.so      no_warn try_first_pass
> auth            required        pam_unix.so     no_warn try_first_pass
> 
> In /etc/ssh/sshd_config, ChallengeResponseAuthentication is explicitly
> set to yes (the man page states the default is yes).
> PasswordAuthentication is set to no.
> 
> S/key should work:
> $ skeyinfo
> Your next otp-md4 98 anti74858
> 
> However:
> $ ssh localhost
> socket: Protocol not supported
> Permission denied (publickey,keyboard-interactive).

If you also want to allow regular passwords, all you have to do is enable
s/key (with skeyinit), without modifying any other files.  sshd will first
prompt for your password, and if you just hit enter at that prompt, ask for
a one-time password.  

	Geert
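
Added example, not part of either message above: a small sh check of the two things the thread discusses, the effective sshd_config values and whether pam_skey.so is active in the PAM auth stack. The function names and the sample files are constructed for illustration. It only reads configuration and does not test whether a user has run skeyinit.

```sh
#!/bin/sh
# sshd_value FILE KEYWORD DEFAULT
# sshd_config keywords are case-insensitive and the first value found wins,
# so a later duplicate line does not override an earlier one.
# Parsing stops at a Match line, where the global section ends.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# pam_auth_modules FILE
# Prints "control module" for each active auth line, in stack order.
# Commented-out lines ("#auth ..." or "# auth") never match.
pam_auth_modules() {
    awk '$1 == "auth" { print $2, $3 }' "$1"
}

# skey_check SSHD_CONFIG PAM_FILE
# Returns 0 when keyboard-interactive is enabled and pam_skey.so is active.
skey_check() {
    cra=$(sshd_value "$1" ChallengeResponseAuthentication yes)
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    echo "ChallengeResponseAuthentication=$cra PasswordAuthentication=$pw"
    [ "$cra" = yes ] || { echo "keyboard-interactive is off"; return 1; }
    pam_auth_modules "$2" | grep -q 'pam_skey\.so$' ||
        { echo "pam_skey.so is not in the auth stack"; return 1; }
    echo "pam_skey.so is active in the auth stack"
}

# Constructed sample files modelled on the configuration quoted in the thread.
# The duplicate PasswordAuthentication line shows the first-value-wins rule.
d=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    'challengeresponseauthentication yes' \
    'PasswordAuthentication no' \
    'PasswordAuthentication yes' > "$d/sshd_config"
printf '%s\n' 'auth required pam_nologin.so no_warn' \
    'auth sufficient pam_skey.so' \
    '#auth sufficient pam_ssh.so no_warn try_first_pass' \
    'auth required pam_unix.so no_warn try_first_pass' > "$d/pam_sshd"
skey_check "$d/sshd_config" "$d/pam_sshd"
```

On a real system the arguments would be /etc/ssh/sshd_config and /etc/pam.d/sshd.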