Debian – Ubuntu, S/Key and OPIE
May 31, 2008
Posted by on
Been looking for a simple way to enabling S/Key support in Linux. Once I found out the magical keyboards being OPIE and PAM it became almost trivial to allow ssh-logins using One Time Passwords (OTP).
The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.
First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.
Now edit /etc/pam.d/ssh, remove (comment) the inclusion of common-auth, and add these lines.
auth sufficient pam_unix.so
auth sufficient pam_opie.so
auth required pam_deny.so
If you only want allow OTP-logins; this line will do.
auth required pam_opie.so
Next it’s time to edit /etc/ssh/sshd_config.
That’s it. Restart your sshd and it will be ready to accept OTP-logins. To initialize a user; run opiepasswd (equivivalent of keyinit). Responses are generated using opiekey.
Client-side it’s usually enough to install the package opie-client.