I've set up a nice secondary authentication mechanism on a Linux server.
I use this when I must shell in from, e.g., a computer lab, and I don't
have an authorized SSH private key on my workstation. To log in without
a private key, I must:
1) Enter my account's current S/Key one-time password
and
2) Enter my Unix password
in sequence. Importantly, if I enter the correct S/Key password but
then an incorrect Unix password, I must proceed to supply the *next*
S/Key password before I can try entering the Unix password again. This
means that even if someone knows my current one-time password, he can
use it to take only a single shot at guessing my Unix password; the
overall strength of the authentication scheme is essentially the product
of my Unix password's and S/Key's strength.
With PAM, I achieve this by putting the following in /etc/pam.d/ssh:
auth requisite pam_opie.so
auth required pam_unix.so
(OPIE is an S/Key implementation on Linux.)
Now I'd like to set up the same scheme on my OpenBSD machines. But how?
I don't mind implementing my own BSD Auth mechanism, if I must, in order
to obtain the desired logic, but even then I don't know how I would
configure sshd to use it exclusively without changing the behavior of
console logins as well: As far as I can tell, login.conf doesn't let
one specify SSH-specific rules like it does for FTP (there's no
auth-ssh-defaults hiding somewhere, is there?), and I can't find
anything pertinent in the OpenSSH documentation either.
Simply logging in with "username:skey_and_passwd" (where
login_skey_and_passwd is my hypothetical BSD Auth mechanism) wouldn't
suffice, because my goal is to require authenticating with both factors,
not to make it optional; but disabling password logins across the board
by setting auth-defaults won't do it either, because I still want to
authenticate with just my password when I log in from the console.
So, any thoughts? Thanks in advance!
--
Mark Shroyer
http://markshroyer.com/contact/
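As an added illustration of the two-factor logic the post describes (this is example code written here, not Mark's configuration or OPIE's code), the following Python models the PAM stack `auth requisite pam_opie.so` / `auth required pam_unix.so`: a constructed S/Key-style hash chain (SHA-256 instead of the MD4/MD5 and 64-bit truncation real S/Key and OPIE use) that burns an OTP the moment it verifies, and a small evaluator for the `requisite` and `required` control flags. It shows that a wrong OTP stops the stack before the Unix password is even examined, that a correct OTP followed by a wrong Unix password consumes that OTP, and that the burnt OTP cannot be replayed for a second guess. The module names, the seed, the iteration count and the Unix password are all constructed values.

```python
import hashlib
import hmac

# --- Constructed S/Key-style one-time-password chain -----------------------
# The server stores h^count(seed).  The client's current OTP is
# h^(count-1)(seed); the server checks h(otp) == stored, then replaces
# stored with otp, so each OTP is accepted exactly once.  SHA-256 is used
# here purely for the demonstration; real S/Key/OPIE differ in hash and size.
class OtpChain:
    def __init__(self, seed: bytes, count: int):
        self._seed = seed          # kept only so the demo can play the client
        self.remaining = count
        self.stored = self._iterate(seed, count)

    @staticmethod
    def _iterate(value: bytes, times: int) -> bytes:
        for _ in range(times):
            value = hashlib.sha256(value).digest()
        return value

    def next_client_otp(self) -> bytes:
        """What a legitimate client would type for the current counter."""
        return self._iterate(self._seed, self.remaining - 1)

    def verify(self, otp: bytes) -> bool:
        if self.remaining <= 0:
            return False
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.stored):
            return False           # wrong OTP: counter does not move
        self.stored = otp          # counter advances: this OTP is now burnt
        self.remaining -= 1
        return True


# --- Minimal model of the PAM "auth" control flags used above --------------
def run_auth_stack(stack, conv):
    """
    stack: list of (control, name, module) with module(conv) -> bool.
    'requisite' aborts the stack on failure (later modules never run);
    'required' records the failure but keeps evaluating.
    Returns (authenticated, names_of_modules_that_ran).
    """
    failed = False
    ran = []
    for control, name, module in stack:
        ran.append(name)
        if not module(conv):
            if control == "requisite":
                return False, ran
            failed = True
    return (not failed), ran


# Constructed Unix password hash (a real pam_unix consults the shadow file).
UNIX_PASSWORD_HASH = hashlib.sha256(b"correct horse").digest()


def pam_opie_like(chain):
    return lambda conv: chain.verify(conv["otp"])


def pam_unix_like(conv):
    digest = hashlib.sha256(conv["password"]).digest()
    return hmac.compare_digest(digest, UNIX_PASSWORD_HASH)


def build_stack(chain):
    # Equivalent of:  auth requisite pam_opie.so
    #                 auth required  pam_unix.so
    return [("requisite", "pam_opie", pam_opie_like(chain)),
            ("required", "pam_unix", pam_unix_like)]


def login_attempt(chain, otp: bytes, password: bytes):
    return run_auth_stack(build_stack(chain), {"otp": otp, "password": password})


def demo():
    chain = OtpChain(b"demo-seed", 5)
    otp1 = chain.next_client_otp()
    # 1. Wrong OTP: stack aborts before pam_unix is consulted, counter unchanged.
    r1 = login_attempt(chain, b"garbage", b"correct horse")
    # 2. Right OTP, wrong Unix password: login fails, but the OTP is consumed.
    r2 = login_attempt(chain, otp1, b"wrong")
    # 3. Replaying the burnt OTP with the right password: fails at pam_opie.
    r3 = login_attempt(chain, otp1, b"correct horse")
    # 4. The next OTP with the right password: success.
    r4 = login_attempt(chain, chain.next_client_otp(), b"correct horse")
    return r1, r2, r3, r4, chain.remaining


if __name__ == "__main__":
    for step, result in enumerate(demo()[:4], 1):
        print(step, result)
```

The `requisite` flag is what makes attempt 2 costly for a guesser: the OTP module runs first and burns the OTP regardless of what pam_unix then decides, so each Unix password guess needs a fresh OTP, which is the "product of strengths" argument in the post. Swapping `requisite` for `required` on the first line would still consume the OTP but would always run pam_unix too, and `sufficient` would let either factor alone succeed, which is exactly the optional behaviour the post wants to avoid.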