PAM stack (the password-auth / system-auth layout) with pam_opie.so inserted as a "sufficient" auth module directly after pam_env.so and ahead of pam_unix.so, so a valid one-time password satisfies the auth phase before the ordinary UNIX password is tried:

auth        required      pam_env.so
auth        sufficient    pam_opie.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
sshd_config: challenge-response (keyboard-interactive) authentication has to be enabled, otherwise sshd never passes the OTP prompt produced by PAM to the client:

ChallengeResponseAuthentication yes
PAM service file for sshd (layout with the password-auth and postlogin includes). The "auth substack password-auth" line is commented out and replaced by pam_opie.so followed by pam_deny.so, so over ssh only a one-time password is accepted:

auth       required     pam_sepermit.so
#auth      substack     password-auth
auth       sufficient   pam_opie.so
auth       required     pam_deny.so
# auth     substack     pam_opie.so   (substack expects a PAM service name, not a module; left commented out)
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
Alternative PAM service file for sshd (layout with the system-auth includes), with pam_opie.so given the no_warn and no_fake_prompts options:

auth       sufficient   pam_opie.so no_warn no_fake_prompts
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
If the OTP challenge never appears (sshd falls back to a plain password prompt and the login is refused) and SELinux has logged an AVC denial for sshd, build and load a local policy module from the first such denial:

~$ ssh localhost
user@localhost's password:
Permission denied, please try again.
~$ su -
~# grep type=AVC /var/log/audit/audit.log | grep sshd | awk 'NR == 1 {print;}' | audit2allow -M opiek
~# semodule -i opiek.pp
Client side: sshd sends the challenge (hash type, sequence number, seed) and waits for the response:

~> ssh tux.seveur.org
otp-md5 490 oc1012 ext
Response:

In a second terminal, opiekey computes the response for that sequence number and seed from the secret pass phrase; the six words are typed at the "Response:" prompt:

~> opiekey 490 oc1012
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase:
ROSE GAM BONA SITS NO BAIT
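The exchange above, worked through in code as an added example (this is not OPIE's own code): the RFC 2289 "otp-md5" computation that opiekey performs for a challenge such as "otp-md5 490 oc1012 ext", and the server-side check that lets pam_opie accept a response while storing only the last accepted one-time password, never the pass phrase. The six-word form printed by opiekey requires the RFC 2289 word list, so this example uses the 16-hex-digit form instead; the function and class names, and the pass phrase, are constructed for the example.

```python
"""
Added example: RFC 2289 otp-md5 one-time passwords (the scheme behind OPIE).
Not OPIE's code. Seed and sequence number come from the challenge on this page;
the pass phrase used below is made up for the example.
"""
import hashlib
import hmac


def _fold(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest to 8 bytes by XORing its two halves (RFC 2289)."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(otp: bytes) -> bytes:
    """The one-way step f(x) = fold(MD5(x)) that links password N-1 to password N."""
    return _fold(hashlib.md5(otp).digest())


def otp_md5(seed: str, passphrase: str, sequence: int) -> bytes:
    """One-time password number `sequence` for this seed and pass phrase.

    Initial step: fold(MD5(seed || pass phrase)) with the seed lower-cased (seeds
    are case-insensitive in RFC 2289). Password N is `step` applied N more times,
    so the chain is walked towards 0 and password N-1 cannot be derived from
    password N without inverting MD5.
    """
    if sequence < 0:
        raise ValueError("sequence number must be >= 0")
    if not 10 <= len(passphrase) <= 63:
        raise ValueError("RFC 2289 pass phrases are 10 to 63 characters long")
    otp = _fold(hashlib.md5((seed.lower() + passphrase).encode("ascii")).digest())
    for _ in range(sequence):
        otp = step(otp)
    return otp


def otp_hex(seed: str, passphrase: str, sequence: int) -> str:
    """Hexadecimal form of the one-time password, four groups of four digits."""
    digits = otp_md5(seed, passphrase, sequence).hex().upper()
    return " ".join(digits[i:i + 4] for i in range(0, 16, 4))


def parse_challenge(line: str):
    """Parse a server challenge, e.g. 'otp-md5 490 oc1012 ext' -> (490, 'oc1012').
    Only the MD5 variant shown on the page is accepted."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "otp-md5":
        raise ValueError(f"not an otp-md5 challenge: {line!r}")
    sequence, seed = int(parts[1]), parts[2]
    if sequence < 0 or not (1 <= len(seed) <= 16 and seed.isalnum()):
        raise ValueError(f"malformed challenge: {line!r}")
    return sequence, seed


class OtpServer:
    """Per-user state as a server keeps it: seed, sequence number of the last
    accepted password, and that password itself (hypothetical class name)."""

    def __init__(self, seed: str, sequence: int, last_otp: bytes):
        self.seed, self.sequence, self.last_otp = seed, sequence, last_otp

    @classmethod
    def enroll(cls, seed: str, passphrase: str, sequence: int = 499):
        """Enrolment as opiepasswd does it: the client computes password
        `sequence`; the server stores only that value, never the pass phrase."""
        return cls(seed, sequence, otp_md5(seed, passphrase, sequence))

    def challenge(self) -> str:
        """Ask for the password one step below the stored one."""
        if self.sequence < 1:
            raise RuntimeError("sequence exhausted: re-initialise with opiepasswd")
        return f"otp-md5 {self.sequence - 1} {self.seed} ext"

    def verify(self, response_hex: str) -> bool:
        """Accept iff one more step reproduces the stored password. A replayed
        or older response fails because the stored value has moved on."""
        try:
            response = bytes.fromhex(response_hex.replace(" ", ""))
        except ValueError:
            return False
        if len(response) != 8 or self.sequence < 1:
            return False
        if not hmac.compare_digest(step(response), self.last_otp):
            return False
        self.sequence -= 1
        self.last_otp = response
        return True


if __name__ == "__main__":
    passphrase = "constructed example phrase"   # made up for this example
    server = OtpServer.enroll("oc1012", passphrase, 491)
    line = server.challenge()                   # "otp-md5 490 oc1012 ext"
    seq, seed = parse_challenge(line)
    response = otp_hex(seed, passphrase, seq)   # what opiekey -x would print
    print(line, "->", response)
    print("accepted:", server.verify(response), "replay accepted:", server.verify(response))
```

The server-side check is the point to take away: the file that pam_opie consults holds only the last accepted password and its sequence number, so a copy of it does not yield the next password, and a response captured on the wire is useless once it has been accepted, because the stored value has already advanced.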