
PAM, Linux and SSH

2003-07-10

I’ll be on vacation later this summer and will want to get to my home
systems to check email, upload pictures and the like, but I don’t want to
drag my laptop around with me (which also means carrying around an
international power converter suitable for extended use, and they’re bulky).
My idea was to use whatever unsecured or public access terminal I can find
and SSH. Fine, except that I already don’t trust the host, so I don’t want to
put my public key on it, meaning I have to use password authentication. But
using SSH this way means typing my reusable password on a host I already
don’t trust. Solution? Use a One-Time Password (OTP) authentication system.
I read the man pages and had it set up in about sixty seconds on my *BSD
systems. Works great! I can print out a list of single-use passwords and keep
it in my wallet, or load an OTP client on my Palm Pilot and generate them on
the fly. Cool.

My Linux host, however, is a different story. It seems that PAM, the
pluggable authentication module system, SSH and challenge/response
authentication don’t work together and haven’t since at least mid-2002.
First, Privilege Separation doesn’t work if PAM is used. Annoying, since
dropping root privs in the SSH daemon is a good idea. There is no generally
working exploit (yet) against a patched non-PrivSep sshd, but I’d rather not
find out the hard way when it emerges. Second, you can only use one of
challenge/response or password, not both, unless you intend to use both
together, i.e. you first authenticate with an OTP and then with the reusable
password. That sucks.

I might use OTP with SSH to get to one of the OpenBSD hosts and put a public
key to an account on the firewalled Linux box (and install keys to jump to
the others, so I don’t expose passwords), but that stinks of creating a new
security hole. I might just disable password authentication to the Linux box
and only use OTP for the duration of my trip.
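To show why the printed wallet list is safe to type on an untrusted terminal while a reusable password is not, here is a small Python model of an S/Key-style one-time password chain. This is added example code, not anything from the original post or from the *BSD OTP tools it mentions; the MD5 folding rule is modelled on RFC 2289 but interoperability with real `skey`/`opie` implementations is not claimed, and the passphrase, seed and counter values are constructed for the demonstration.

```python
"""
Toy S/Key-style one-time password chain (hypothetical example code).

Chain:  p0 = fold(MD5(seed || passphrase)),  p(n) = fold(MD5(p(n-1)))
The server stores only p(N) and N.  The client presents p(N-1); the server
hashes it once, compares with p(N), and on success stores p(N-1) as the new
reference.  A keylogger on the untrusted terminal learns p(N-1), but using it
again fails (replay), and deriving p(N-2) from it would require inverting MD5.
"""
import hashlib
import hmac


def _fold(digest16: bytes) -> bytes:
    # Fold a 16-byte MD5 digest to 8 bytes: first half XOR second half
    # (the MD5 folding rule as described in RFC 2289; treated as an assumption here).
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """Return one-time password number n: the chain start hashed n more times."""
    value = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        value = _fold(hashlib.md5(value).digest())
    return value


def wallet_list(passphrase: str, seed: str, count: int, how_many: int):
    """The printed list the post describes: the next how_many passwords in the
    order they will be used (highest sequence number first), as hex strings."""
    return [(n, otp_at(passphrase, seed, n).hex().upper())
            for n in range(count - 1, count - 1 - how_many, -1)]


class OtpServer:
    """Server-side state.  Only the last accepted value and its sequence number are
    kept; the passphrase is discarded, so a copied database yields no future passwords."""

    def __init__(self, passphrase: str, seed: str, count: int):
        self.seed = seed
        self.seq = count                      # next expected password is number count-1
        self.last = otp_at(passphrase, seed, count)
        # `passphrase` is deliberately not stored anywhere on this object.

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate if hashing it once reproduces the stored reference.
        Succeeding moves the chain forward, so the same value cannot be reused."""
        if self.seq <= 0:                     # chain exhausted: re-initialise needed
            return False
        if not hmac.compare_digest(_fold(hashlib.md5(candidate).digest()), self.last):
            return False
        self.last = candidate
        self.seq -= 1
        return True


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    server = OtpServer("correct horse battery", "ab12", 100)
    for n, hexpw in wallet_list("correct horse battery", "ab12", 100, 3):
        print(n, hexpw, "accepted" if server.verify(bytes.fromhex(hexpw)) else "rejected")
    replay = otp_at("correct horse battery", "ab12", 99)
    print("replay of #99:", "accepted" if server.verify(replay) else "rejected")
```

The chain moves strictly downward: an observer who captured password #99 on the public terminal cannot replay it, and the server never needs the passphrase after enrolment, which is the property that makes it tolerable to type the password on a host you do not trust. Note that the reusable passphrase itself must still only ever be entered on a trusted machine when the chain is (re)initialised.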
