PAM, Linux and SSH
Jul 10, 2003
I’ll be on vacation later this summer and will want to get to my home systems to check email, upload pictures and the like, but I don’t want to drag my laptop around with me (which also means carrying around an international power converter suitable for extended use, and they’re bulky). My idea was to use whatever unsecured or public access terminal I can find and SSH. Fine, except that I already don’t trust the host, so I don’t want to put my private key on it, meaning I have to use password authentication. But using SSH this way means typing my reusable password on a host I already don’t trust. Solution? Use a One-Time Password (OTP) authentication system. I read the man pages and had it set up in about sixty seconds on my *BSD systems. Works great! I can print out a list of single-use passwords and keep it in my wallet, or load an OTP client on my Palm Pilot and generate them on the fly. Cool. My Linux host, however, is a different story. It seems that PAM, the pluggable authentication module system, SSH and challenge/response authentication don’t work together, and haven’t since at least mid-2002. First, Privilege Separation doesn’t work if PAM is used. Annoying, since dropping root privs in the SSH daemon is a good idea. There is no generally working exploit (yet) against a patched non-PrivSep sshd, but I’d rather not find out the hard way when one emerges. Second, you can only use one of challenge/response or password, not both, unless you intend to use both together, i.e. you first authenticate with an OTP and then with the reusable password. That sucks. I might use OTP with SSH to get to one of the OpenBSD hosts and put a public key on an account on the firewalled Linux box (and install keys to jump to the others, so I don’t expose passwords), but that stinks of creating a new security hole. I might just disable password authentication on the Linux box and only use OTP for the duration of my trip.
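To show why a printed list of single-use passwords is safe to type on an untrusted terminal, here is an added example (not code from this post) of the RFC 2289 S/Key/OPIE scheme in its MD5 variant: the client derives password number N by hashing and folding N times, the server only ever stores the value for N+1 and verifies a submission by hashing it once more, so a captured password cannot be replayed and yields nothing about the next one. The passphrase and seed are the RFC 2289 test values; the list length is an arbitrary choice.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """Fold a 128-bit MD5 digest to 64 bits by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_value(passphrase: str, seed: str, count: int) -> bytes:
    """Raw 64-bit one-time password number `count` for this passphrase/seed.

    The seed is case-insensitive (lowercased before hashing); the passphrase is not.
    Each extra iteration of hash+fold produces the *previous* password in the list,
    which is why the server can check N without being able to compute N-1.
    """
    state = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(count):
        state = _fold(hashlib.md5(state).digest())
    return state


def otp_hex(value: bytes) -> str:
    """Printable hex form, grouped in fours as OTP tools display it."""
    h = value.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def password_list(passphrase: str, seed: str, start: int, how_many: int) -> list:
    """The wallet printout: passwords are consumed from `start` downwards."""
    return [(n, otp_hex(otp_value(passphrase, seed, n)))
            for n in range(start, start - how_many, -1)]


def server_check(stored_value: bytes, presented_hex: str) -> bool:
    """Server side: it holds the value for count N+1 and accepts a submission
    for count N only if one more hash+fold of it reproduces the stored value.
    On success the server would overwrite stored_value with the presented one."""
    presented = bytes.fromhex(presented_hex.replace(" ", ""))
    return _fold(hashlib.md5(presented).digest()) == stored_value


if __name__ == "__main__":
    # RFC 2289 test passphrase and seed; five-entry list is a constructed choice.
    for n, pw in password_list("This is a test.", "TeSt", 99, 5):
        print(f"{n:3d}: {pw}")
```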