Been looking for a simple way to enable S/Key support in Linux. Once I found out that the magic keywords were OPIE and PAM, it became almost trivial to allow ssh logins using One Time Passwords (OTP).
The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.
First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.
Now edit /etc/pam.d/ssh, comment out the inclusion of common-auth, and add these lines:
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
If you only want to allow OTP logins, this single line will do:
auth required pam_opie.so
Next it’s time to edit /etc/ssh/sshd_config.
That’s it. Restart your sshd and it will be ready to accept OTP logins. To initialize a user, run opiepasswd (the equivalent of keyinit). Responses are generated using opiekey.
Client-side it’s usually enough to install the package opie-client.
About this time next month I’ll be at USENIX ’08. It will be my first real conference. I got the news today. I’m really excited about it.
Manually removing entries from your known_hosts doesn’t take much of an effort. Still, it’s something you can grow tired of, especially after recent events (DSA-1571). That is why I’ve now written my very own line_removal.pl script.
Basically you feed the script one or more line numbers. Corresponding lines in your ~/.ssh/known_hosts will then be deleted.
andreas@leto:~$ ./line_removal.pl 22
Removing line #22 from /home/andreas/.ssh/known_hosts
andreas@leto:~$ ./line_removal.pl 3 37 29
Removing line #37 from /home/andreas/.ssh/known_hosts
Removing line #29 from /home/andreas/.ssh/known_hosts
Removing line #3 from /home/andreas/.ssh/known_hosts
To be honest I really don’t know if I’ll ever use this script against more than one line at a time. Somehow it still seemed wrong not to support the option of feeding it multiple arguments.
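One way to implement the behaviour described above, written in Python as an added example; it is not the author's line_removal.pl, whose source is not shown on this page. The function name remove_lines, the range check and the atomic rewrite are assumptions of this example; lines are deleted highest number first, which matches the order in the sample output.

```python
# Added example: delete numbered lines from ~/.ssh/known_hosts.
import os
import sys
import tempfile


def remove_lines(path, line_numbers):
    """Delete the 1-based line_numbers from path; return them highest first."""
    with open(path, "rb") as fh:
        lines = fh.readlines()
    targets = sorted(set(line_numbers), reverse=True)
    # Validate everything before touching the file.
    for n in targets:
        if not 1 <= n <= len(lines):
            raise ValueError(f"line {n} out of range (file has {len(lines)} lines)")
    # Highest first, so a deletion never shifts a target still to come.
    for n in targets:
        del lines[n - 1]
    # Write a sibling temp file and rename it over the original, so an
    # interrupted run cannot leave a truncated known_hosts behind.
    mode = os.stat(path).st_mode & 0o777
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "wb") as out:
            out.writelines(lines)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return targets


def main(argv):
    if len(argv) < 2 or not all(a.isdecimal() for a in argv[1:]):
        print(f"usage: {argv[0]} LINE [LINE ...]", file=sys.stderr)
        return 2
    path = os.path.expanduser("~/.ssh/known_hosts")
    try:
        removed = remove_lines(path, [int(a) for a in argv[1:]])
    except (OSError, ValueError) as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    for n in removed:
        print(f"Removing line #{n} from {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```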
Today I got my order from the xkcd store. Among other things it included a t-shirt based on xkcd #208. It says:
/ Everybody stand back /
I know regular expressions
Of course, there is always the question of when I’ll actually be able to wear it. Considering some of the colleagues I have, it’s probably a good idea if I spend some quality time with my copy of Mastering Regular Expressions (O’Reilly) before I bring the t-shirt to work.