Re: recompile sshd with OPIE?
> freebsd-security@auscert.org.au writes:
> > Can this be achieved within the regular system build process, or must I
> > roll my own?
>
> You need to change src/crypto/openssh/config.h so it says
>
> /* #undef PAM */
> #define SKEY 1
> #define OPIE 1
>
> instead of
>
> #define PAM 1
> /* #undef SKEY */
> /* #undef OPIE */
>
> then rebuild world.
This may sound like a really silly question, but how do I enable it?
After performing the changes above, I installed with:
cd /usr/src/secure/usr.sbin/sshd
make cleandir; make cleandir
make obj && make depend && make all install
There's no man[5] sshd_config entry, but through trial and error I
identified an option that doesn't cause an error: SkeyAuthentication yes
I couldn't get any permutation of OpieAuthentication/UseOPIE/... to work.
However, attempts to connect to the running server with SkeyAuthentication
enabled still gives:
Permission denied (publickey).
This is after creating an opiekey for the user (works for sudo, so is
functional), and with these options enabled (+ defaults where not noted)
in sshd_config:
Port 22
Protocol 2
ListenAddress 10.0.0.1
LogLevel VERBOSE
PermitRootLogin no
StrictModes yes
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
ChallengeResponseAuthentication no
SkeyAuthentication yes
AllowTcpForwarding no
X11Forwarding yes
Banner /etc/issue
Can you point me in the right direction please?
thanks,
-- Joel Hatton --
Security Analyst | Hotline: +61 7 3365 4417
AusCERT - Australia's national CERT | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert@auscert.org.au
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 4 之 7 篇):