Pantek Library

configuring pam for openssh

From: Greg Norris <haphazard(at)kc.rr.com>
Date: Fri Feb 21 2003 - 23:12:15 EST


I occasionally have a need to connect to my home machine (Debian Linux, openssh 3.5p1-4) from untrusted systems, so I'm trying to configure openssh to use one-time passwords via libpam-opie. I started by commenting out the auth entry for pam_unix.so in /etc/pam.d/ssh, and adding one for pam_opie.so in its place. So far so good... the keyboard-interactive method seems to work with opie, and it doesn't fall back to normal password authentication.

During the course of testing, I noticed that the change had broken the built-in password authentication ("PasswordAuthentication yes" in sshd_config). Can anyone explain why this occurs? My (obviously flawed ;-) understanding was that openssh only uses the pam auth modules for keyboard-interactive. I've gone through the pam documentation and done some googling, but the answer remains elusive...

This isn't a huge problem, as I'm most likely going to disable password authentication anyway. But I'd really like to understand what's occurring.

Thanx!

</etc/pam.d/ssh> -----
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
auth       required     pam_opie.so
#auth       required     pam_unix.so
auth       required     pam_deny.so

account    required     pam_unix.so

session    required     pam_unix.so
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so

password   required     pam_unix.so obscure min=8 md5
----- <end /etc/pam.d/ssh> -----

Received on Mon Feb 24 15:14:21 2003
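
Added example (not part of the original message, and not code from OpenSSH or PAM): a small Python parser that lists the active and the commented-out auth entries of a PAM service file such as the one quoted above, so the effective auth stack for the ssh service can be read off directly. The sample text is constructed from the quoted file, and the function names are hypothetical.

```python
import re

# Constructed sample, taken from the /etc/pam.d/ssh quoted in the message.
SAMPLE = """\
auth       required     pam_nologin.so
auth       required     pam_env.so # [1]
auth       required     pam_opie.so
#auth       required     pam_unix.so
auth       required     pam_deny.so
account    required     pam_unix.so
session    optional     pam_mail.so standard noenv # [1]
password   required     pam_unix.so obscure min=8 md5
"""

# type, control (a keyword or a bracketed [value=action ...] list), module, args
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return {type: [(control, module, [args])]} for active entries only."""
    stacks = {}
    joined = text.replace("\\\n", " ")       # backslash-newline continues a line
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        m = LINE.match(line)
        if not m:                            # blank, comment-only or unparsable
            continue
        mtype, control, module, args = m.groups()
        stacks.setdefault(mtype.lstrip("-"), []).append(
            (control, module, args.split()))
    return stacks

def auth_modules(text):
    """Modules in the active auth stack, in evaluation order."""
    return [module for _, module, _ in parse_pam(text).get("auth", [])]

def commented_out(text, mtype="auth"):
    """Modules of the given type that appear only on commented-out lines."""
    found = []
    for raw in text.splitlines():
        s = raw.strip()
        if not s.startswith("#"):
            continue
        m = LINE.match(s.lstrip("#").strip())
        if m and m.group(1) == mtype and m.group(3).endswith(".so"):
            found.append(m.group(3))
    return found

if __name__ == "__main__":
    print("active auth stack:", auth_modules(SAMPLE))
    print("disabled auth modules:", commented_out(SAMPLE))
```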

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:55 EDT

