With the changes made for Linux I have verified that Leopard works as well.

This is awesome. I love it. Works great for SSH.

It should perhaps be noted that the following options have to set in /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes

Those who don't want to increment the passcode on failed attempts can use this patch. (I just did a diff -u. I think that qualifies.)

--- ppp.c       2007-11-01 10:32:59.000000000 -0600
+++ ppp.c       2007-11-01 10:32:12.000000000 -0600
@@ -339,9 +339,11 @@
 int pppAuthenticate(char *attempt) {
        int rv = 0;
        if (strcmp(getPasscode(currPasscodeNum()), attempt) == 0)
+   {
                rv = 1;
+               incrCurrPasscodeNum();
+   }
 
-       incrCurrPasscodeNum();
        writeState();
        _zero_bytes((unsigned char *)d_passcode, 5);

well, since orsonj put a patch here in comments for tweaking, I guess I'll post my tweak (maybe we need a mods page?):

If you want the passcode to be visible when you're entering it (there's no point hiding it), you can use this patch:

Index: ppp/pam_ppp.c
===================================================================
--- ppp/pam_ppp.c       (revision 53)
+++ ppp/pam_ppp.c       (working copy)
@@ -87,7 +87,7 @@
     struct pam_message message;
     struct pam_message *pmessage = &message;
     struct pam_response *resp = NULL;
-    message.msg_style = PAM_PROMPT_ECHO_OFF;
+    message.msg_style = PAM_PROMPT_ECHO_ON;
        message.msg = currPrompt();

        /* Use conversation function to prompt user for passcode */

I am new to PAM. Got any ideas for UBuntu? I know this is a newbie question. I followed all the instructions.

These are great suggestions for enhancements. I've already implemented the --dontSkip option to pppauth in -r53. If you use it with --key, it will generate a new sequence key and flag it not to skip ahead on failed authentication attempts.

I'll add an option to hide or show the passcode during authentication as well. I probably should consider adding these as options to set when you run ../configure so they get built in at compile time rather than pppauth options.

Any feelings on this?

youmansk235,

Are you seeing a specific error message?

I never get prompted for my ppp key. SSH just prompts me for a password. I feel like I have gone through my sshd_config completely. The .so must not be loading. I do not have a deep enough knowledge of Linux to troubleshoot.

youmansk235, is the ssh password prompt of the form "user@hostname's password:" or "Password:"? If the first, your sshd_config is incorrect (see Michael.Strecke's comment above). If the second, your pam config file is incorrect (see install instructions, it's either /etc/pam.d/ssh or /etc/pam.d/sshd, also check in /etc/pam.conf for any lines starting with "ssh" or "sshd")

I am having problems as well. Most likely in my ssh config or something. As a note, ssh had been working previously, without PAM. When I

ssh localhost

I get

The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (RSA) to the list of known hosts.

I am then prompted for my user password. When I enter the correct password (same as my logon, previous ssh sessions), I get

Permission denied, please try again.

I'm not sure where to look from here. Thanks for any suggestions.

justarandomgeek, I just checked out what you pointed out in your last post. I had the auth required pam_ppp.so in the wrong place. Now, I do not get the warning about authenticity. I do get the password prompt as "user@hostname's password" I re-checked my /etc/pam.d/ssh does seem correct now. there is no mention of ssh or sshd in my /etc/pam.conf

I guess my post wasn't quite clear. If your prompt is "user@hostname's password:" then your pam config is probably correct, but your /etc/ssh/sshd_config is wrong. You should be able to run grep -E "(ChallengeResponseAuthentication|UsePAM)" /etc/ssh/sshd_config and get two lines of output, both ending in yes if the config is correct.

the warning about authenticity is standard ssh behavior, and only occurs once for each host you ssh to (unless you use different names like "localhost" vs. "127.0.0.1").

I'm trying to get this up and running my Fedora 7 box. I compiled, tested, and installed fine, but I'm having issues getting the PAM configuration correct.

This is the /etc/pam.d/sshd file: http://paste.hopto.org/index.php?54

And this is the /etc/pam.d/system-auth file: http://paste.hopto.org/index.php?53

When trying to log in via SSH it never prompts me for my PPP passcode. I did a bit of research (I'm not all the familiar with PAM) and it looked like the "sufficient" tag on pam_unix.so in the system-auth file was the culprit, so I changed it to "required" and tried again. After doing that it just continuously asks me for my password, even if I've entered it correctly.

Any ideas? Thanks!

MagicBobert?: Did you follow step 5 under the linux instructions above? That would be my guess as to whats wrong.

I've switched on PPP version 2 support in -r66. I'll hold off on labeling it ver 0.3 until I get feedback from some beta testers.

Read more here: http://groups.google.com/group/ppp-pam/browse_thread/thread/2b59a735c1324992

codeblur: Yep, my sshd configuration is correct.

justarandomgeek, thanks for the code to check my sshd_config, I get {{hifiguy36@wilt:~$ grep -E "(ChallengeResponseAuthentication?|UsePAM)" /etc/ssh/sshd_config ChallengeResponseAuthentication? yes UsePAM yes UsePAM yes }} I was wondering why it says UsePAM twice. I checked the config again and there was an extra "UsePAM" at the end of the file. I deleted that line and tried ssh localhost again and still got access denied.

Found it. I had to {{{ sudo /etc/init.d/ssh restart

I just get; "login as: root Using keyboard-interactive authentication. Password:" It does not seem to be using the PAM authentication.

youmansk, the key must be generated for the use who wants to log in with it, so you would have to use pppauth --key from root, also, since the password prompt is "Password:" that means that your ssh config is probably right (double check with the grep posted above), and your pam config is not set to require ppp. Make sure that /etc/pam.d/ssh (might be /etc/pam.d/sshd on some systems) has the following line in it somewhere:

auth       required     pam_ppp.so

i have the correct etc/pam.d/ssh # PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and # /etc/security/pam_env.conf. #ky auth required pam_env.so # 1? # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. # ky auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication. @include common-auth

auth required pam_ppp.so

# Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so

# Standard Un*x authorization. @include common-account

# Standard Un*x session setup and teardown. @include common-session

# Print the message of the day upon successful login. session optional pam_motd.so # 1?

# Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # 1?

# Set up user limits from /etc/security/limits.conf. session required pam_limits.so

# Set up SELinux capabilities (need modified pam) # session required pam_selinux.so multiple

# Standard Un*x password updating. @include common-password

I works now only with ids other than root.

In general, you shouldn't be logging in as root unless it's a device that only has root on it (like a modded Linksys WRT).

Also, when pasting something that is multiple lines (like a config snippet), put it in {{{ and }}} so that it is treated as code instead of wikitext.

Ok, so in attempting to get this working I've completely locked myself out of my Fedora box! :(

The sshd_config is correct, and I was working on the /etc/pam.d/sshd file. I added the pam_ppp.so line in the right place, then went into the included file (common-auth in the instructions, but it's called system-auth on my machine) and noticed that the pam_unix.so line was marked "sufficient", meaning that it would never bother running the ppp PAM module. I changed the pam_unix.so line to "required" and now it just prompts me for my password, telling me it's wrong every time. This happens with every account I try to log in with.

Any ideas?

Let me guess, the next line after that was pam_deny.so?

If you have any accounts with ssh keys, that bypasses pam authentication, other than that, your only way to get back in is to boot a livecd and correct the pam from there.

I would suggest setting system-auth back the way it was and copying the auth lines to ssh, leaving out the pam_deny.so line, then changing the "sufficient" to "required" for pam_unix.so in ssh. Alternately, if you don't mind entering the passcode first, you can simply put the pam_ppp.so line before the include and it will prompt for your passcode before your password.

Geez justarandomgeek, how'd you know? ;)

Yep, that fixed the problem. PPP authentication through SSH is working brilliantly now, thanks!

(Add Fedora 7 to the "it works" list!)

Just setup on Ubuntu 7.10 with no problems at all, thanks.

On Debian Sarge it build and installed no problem. However, when logging in as root via ssh (bad practice, I know. I just turned it off, but still...) it never prompts for a passcode. Also, if I ask for --text, it works fine, but asking for --html just sits there for an indefinitely long time (i just broke out of it and used --text)

ayemossum,

I fixed --html printing under linux in the repository code. I just haven't released it yet as a download. I'm hoping to investigate one more issue with it before I release it.

If you want to get it sooner, go to the Source tab of this site and follow the instructions for getting a copy from the subversion repository.

--Tom

This page is starting to grow quite long from all the comments. I love the interaction and feedback I'm getting here, but I'm afraid it will quickly get out of hand.

I'd like to encourage people to join the discussion group at the URL below to participate and ask questions.

http://groups.google.com/group/ppp-pam

That's also the group where I'll be making any announcements related to ppp-pam.

At some point, I'll start deleting comments from this page that apply to older versions of the software and are no longer relevant.

Thanks --Tom

Tom, when you do start cleaning this up, it might be helpful to move some of the more common problem/solution bits into a troubleshooting page and link to it here.

I have followed the directions to install on Mac OSX Leopard. Compiled and installed with no problems. When I ssh localhost, I can login but it does not offer the ppp prompt. I have double checked everything and I cannot figure out why it's not working. I installed it on my Kubuntu box with no problems.

sjkellam, check /etc/pam.d/common-auth. If it says that pam_unix.so is "sufficient", you'll need to follw the steps I described in the comments here a few days ago.

justarandomgeek, I don't have a /etc/pam.d/common-auth file but I do have the /etc/pam.d/sshd. It did list pam_unix.so as 'sufficient', so I switched it to required and took out the pam-deny.so after it but to no effect. I don't have any accounts set up to use ssh keys. Here is the contents of the sshd file.

# sshd: auth account password session auth required pam_nologin.so auth optional pam_afpmount.so auth sufficient pam_securityserver.so auth required pam_unix.so # auth required pam_deny.so auth required pam_ppp.so account required pam_securityserver.so password required pam_deny.so auth required pam_ppp.so session required pam_launchd.so session optional pam_afpmount.so

Any other ideas? Thanks for your help.

perhaps move auth sufficient pam_securityserver.so to after auth required pam_ppp.so and see if that helps? You should probably change the second auth required pam_ppp.so to session required pam_ppp.so or remove it entirely for testing (it's not required unless you want it to bug you to print new cards and upgrade to pppV2 when tom releases that).

The other thing to check is your sshd_config. a quick check of this can be done by running grep -E "(ChallengeResponseAuthentication|UsePAM)" /etc/ssh/sshd_config, which should output the two lines that the instructions tell you to set (possibly some comments too, depending on how wordy you sshd_config is).

Also, it would help when posting config files to put them in {{{ and }}} so that the wiki formatting doesn't strip newlines :-).

ustarandomgeek, I'm sure this is rather simple but I am just not seeing it. I commented out the auth sufficient pam_securityserver.so. Now it asks a password, then prompts for the passcode, then asks for a password, then asks for a passcode. I am certain that I'm entering the right passcode. I find the pam code a little perplexing. Here is the current sshd with brackets in place. :)

sshd: auth account password session
auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
##auth       sufficient   pam_securityserver.so
auth       required       pam_unix.so
auth       required       pam_ppp.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_launchd.so
session    optional       pam_afpmount.so

You need to remove (or comment) the auth required pam_ppp.so line. It will always deny access no matter what other modules have decided that you are in fact you.

Also, I don't actually know what pam_securityserver.so IS, so I can't say for sure what needs to be done with it, but I would probably either make it required or move it (and leave it sufficient) to the end of the auth section.

Okay, I just talked to a friend who owns a mac (I don't, so i've been guessing a bit here until now), and decided that one "correct" setting is this (only the auth section here):

auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
auth       sufficient     pam_securityserver.so
auth       required       pam_unix.so
auth       sufficient     pam_ppp.so
auth       required       pam_deny.so

This setting will authenticate you by asking for your password first, then your passcode. If either is incorrect, it will then fall through to pam_deny.

another option, if you want the passcode prompt first is this:

auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
auth       required       pam_ppp.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so

Ok, when I use the first example above, it appears to use the pam_securityserver.so module and just authenticate me without asking for a passcode:

stephen$ ssh localhost
Password:
Last login: Sat Nov 10 17:18:34 2007

When I comment out the auth sufficient pam_securityserver.so it asks for 3 passcodes then switches to a different prompt and asks for passwords 3 times and rejects all of those.

stephen$ ssh localhost
Password:
Passcode 1A [1]: 
Password:
Passcode 1B [1]: 
Password:
Passcode 1C [1]: 
stephen@localhost's password: 
Permission denied, please try again.
stephen@localhost's password: 
Permission denied, please try again.
stephen@localhost's password: 
Permission denied (publickey,password,keyboard-interactive).

This does not make much sense. Thanks for helping out on this.

if pam_ppp.so is reqiured instead of sufficient then that configureation will fall through to pam_deny, preventing login. After three failed attempts to login with PAM, sshd will switch over to using it's own password prompt ("user@host's password:") which will ALWALYS fail if ppp is set up.

also, the fact that it reaches asking for you password at all indicates that pam_securityserver.so is not doing anything at all in this particular case (pam_unix.so asks for your password), so it should probably be left alone

perhaps commenting out pam_deny and making pam_ppp required will be more straightforward for the first config described above, which seems to be the one you've chosen.

Tried those changes and still not working. I don't like to give up, but I guess this one is beyond me. Thanks.

Well, unfortunately, as I Don't have a mac to test on, I'm also going to have to give up on this one. Sorry :-(

sjkellam:

I just reread toms mac osx instructions above and it said to put in pam_ppp.so above pam_securityserver.so. Look at step 6 for reference maybe that will do it.

sjkellam:

Fortunately, I do have a Mac. :)

On a 10.4 system (from what I've seen, the 10.5 configuration is identical), assuming nothing else has changed, your /etc/pam.d/sshd file should look like:

# login: auth account password session
auth       required       pam_nologin.so
auth       optional       pam_afpmount.so
auth       required       pam_ppp.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
session    optional       pam_afpmount.so

When you log in via ssh, you will first be asked for your password and then regardless of what you type, the ppp token. If both are correct, your connection will succeed. The instructions are a little vague on this point, but if you look at the example session screenshot on the project home page, you'll see that this is the correct behavior if the instructions are followed.

By default, out of the box, the /etc/sshd_config doesn't need to be changed, since both the UsePAM and ChallengeResponseAuthentication options default to yes.

Also, for those who have been saying that both the /etc/pam.conf and /etc/pam.d/sshd files need to be edited, it should be noted that, in general, if the pam.d directory exists, pam.conf is ignored. FYI.

jtkono, Thanks. that worked. :)

I may make a suggestion for the install instructions. There are two lines wih pam_security server on my installation. one with auth and one with account. I initially put the 'auth required pam_ppp.so' above the 'account required pam_securityserver.so' instead of the 'auth required pam_securityserver.so'. The instructions read 'Enter the following line just above the line with pam_securityserver.so' which was ambiguous in my case and as I know next to nothing (but more now) about pam authentication. thanks for the help.

jtkono, while it is true that pam.conf is probably ignored, it never hurts to check does it? :-)

Also, I'm confused as to why putting pam_ppp.so first still has a password prompt before a passcode prompt. Shouldn't they happen in the order they're specified? Is this a quirk of OSX's PAM? (just tried on my gentoo, and putting pam_ppp.so first there causes the passcode prompt first)

justarandomgeek said:

while it is true that pam.conf is probably ignored, it never hurts to check does it? :-)

No, I suppose it doesn't hurt to check, but it can lead to confusion as people begin making changes to pam.conf and wonder why it doesn't work. :)

The question of the stack order had me puzzled as well. After a bit of experimenting, it looks like the password is being requested by the auth optional pam_afpmount.so module. If the pam_ppp.so rule is moved above it (thus):

# login: auth account password session
auth       required       pam_nologin.so
auth       required       pam_ppp.so
auth       optional       pam_afpmount.so
auth       sufficient     pam_securityserver.so
auth       sufficient     pam_unix.so
auth       required       pam_deny.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
session    optional       pam_afpmount.so

The result is the expected ppp/password ordering. Not that it buys you much, since it still asks for both regardless of whether or not the correct ppp token is provided -- which is actually a good thing. (Why give the black hats unnecessary clues?)

Also, it is very, very bad to mess with the pam_securityserver.so rule since that module ties the Linux-PAM system to the Mac OS Security Services / Directory Services infrastructure. If it's removed, PAM loses access to the system account information for the sshd service and remote access via ssh basically goes away.

The pam_unix.so module provides the expected authentication services via the standard *nix files (/etc/passwd, /etc/shadow, and so forth). Since locally-created users generally aren't included in these files, its utility is limited.

Ah, thanks for explaining that. I'm working with all linux over here (one gentoo, one debian), so for me, pam_unix does the password portion of auth and pam_securityserver doesn't exist at all. My one remaining question now, is this: If pam_afpmount is the one prompting for you password (which it appears to be), why is it optional?

I agree that prompting for passcode first doesn't buy much, it ALWAYS helps to know more about what's going on.

Also, so that we don't clutter up this page any more, perhaps we should move this discussion (if it continues) to the group? (Tom: Sorry for making this page a mile long :-)

I've tested and packaged this for Foresight and rPath Linux. You can install it with 'conary update ppp-pam=sanitarium.rpath.org'. Although you will still have to edit your pam config files. I can work on an RPM if anyone is interested.

I'm using ubuntu 7.10 on x86-64 bit and I get this error compiling:

gcc -g -O2 -o pam_ppp.so -shared pam_ppp_so-pam_ppp.o pam_ppp_so-keyfiles.o pam_ppp_so-ppp.o pam_ppp_so-rijndael.o pam_ppp_so-sha2.o pam_ppp_so-dummy.o pam_ppp_so-mpi.o pam_ppp_so-mpprime.o -lc -lpam -luuid /usr/bin/ld: pam_ppp_so-pam_ppp.o: relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC pam_ppp_so-pam_ppp.o: could not read symbols: Bad value collect2: ld returned 1 exit status make: [pam_ppp.so] Error 1

I've done some googleing but I haven't found any specific resolution for this. Where would I add the -fPIC flag? In the Makefile?

Thanks for the help - This compiles fine on my Macbook.

Hi all,

First of all this is just great!!! I have a Mac and FBSD environment and i would like this pam module to build on FreeBSD has any one tried it?

I am getting this error in the make step:

source='./../ppp/print.c' object='pppauth-print.o' libtool=no  depfile='.deps/pppauth-print.Po' tmpdepfile='.deps/pppauth-print.TPo'  depmode=gcc3 /usr/local/bin/bash ../depcomp  gcc -DPACKAGE_NAME=\"pppauth\" -DPACKAGE_TARNAME=\"pppauth\" -DPACKAGE_VERSION=\"0.2\" -DPACKAGE_STRING=\"pppauth\ 0.2\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"pppauth\" -DVERSION=\"0.2\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DHAVE_SECURITY_PAM_MODULES_H=1 -I. -I..    -I./../rijndael -I./../sha2 -I./../mpi  -Wall -O3 -funsigned-char -g -O2 -c -o pppauth-print.o `test -f './../ppp/print.c' || echo '../'`./../ppp/print.c
source='./../ppp/http.c' object='pppauth-http.o' libtool=no  depfile='.deps/pppauth-http.Po' tmpdepfile='.deps/pppauth-http.TPo'  depmode=gcc3 /usr/local/bin/bash ../depcomp  gcc -DPACKAGE_NAME=\"pppauth\" -DPACKAGE_TARNAME=\"pppauth\" -DPACKAGE_VERSION=\"0.2\" -DPACKAGE_STRING=\"pppauth\ 0.2\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"pppauth\" -DVERSION=\"0.2\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DHAVE_SECURITY_PAM_MODULES_H=1 -I. -I..    -I./../rijndael -I./../sha2 -I./../mpi  -Wall -O3 -funsigned-char -g -O2 -c -o pppauth-http.o `test -f './../ppp/http.c' || echo '../'`./../ppp/http.c
./../ppp/http.c: In function `httpServe':
./../ppp/http.c:259: error: storage size of 'sin' isn't known
./../ppp/http.c:265: error: `INADDR_ANY' undeclared (first use in this function)
./../ppp/http.c:265: error: (Each undeclared identifier is reported only once
./../ppp/http.c:265: error: for each function it appears in.)
./../ppp/http.c:259: warning: unused variable `sin'
*** Error code 1

Stop in /home/users/esn/src/ppp-pam/build.

Thanks in advance for any help.

Hello,

Has anyone tried integrating to the VSFTP PAM module? I tried to add the PAM settings for ssh to the vsftpd file but it doesn't seem to prompt for the one-time password. Any thoughts? Anyone else interested in using this for FTP authentication? It seems like a good fit, especially since FTP is clear text by default.

Thanks.

So I have solved my problem it seems there was nothing wrong with my install but something different between the v0.2 and SVN r76 as the SVN build installed just fine and works perfectly.

Thank you for this work it great!!

timm

Hello

I think the idea of PPP is great so I wanted to test it on my VMware - Debain Etch 64bit box, thinking that it works on Ubuntu so Debian should be no problem but.....

Here is some back ground...

debian-vmware:/home/timm/ppp-pam/build# apt-get install subversion make gcc g++ libc6-dev uuid-dev libpam0g-dev openssh-server Reading package lists... Done Building dependency tree... Done subversion is already the newest version. make is already the newest version. gcc is already the newest version. g++ is already the newest version. libc6-dev is already the newest version. uuid-dev is already the newest version. libpam0g-dev is already the newest version. openssh-server is already the newest version. 0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded. So as far as I am aware this is the dependancys delt with??

timm@debian-vmware:~/ppp-pam/build$ ../configure configure: creating ./config.status config.status: creating Makefile config.status: executing depfiles commands timm@debian-vmware:~/ppp-pam/build$ and configure seems to exit with out any errors but....

timm@debian-vmware:~/ppp-pam/build$ make /bin/sh ./libtool --mode=link gcc -g -O2 -o pam_ppp.so -shared -lc -lpam -luuid pam_ppp_so-pam_ppp.o pam_ppp_so-keyfiles.o pam_ppp_so-ppp.o pam_ppp_so-rijndael.o pam_ppp_so-sha2.o pam_ppp_so-dummy.o pam_ppp_so-mpi.o pam_ppp_so-mpprime.o mkdir .libs gcc -g -O2 -o pam_ppp.so -shared pam_ppp_so-pam_ppp.o pam_ppp_so-keyfiles.o pam_ppp_so-ppp.o pam_ppp_so-rijndael.o pam_ppp_so-sha2.o pam_ppp_so-dummy.o pam_ppp_so-mpi.o pam_ppp_so-mpprime.o -lc -lpam -luuid /usr/bin/ld: pam_ppp_so-pam_ppp.o: relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC pam_ppp_so-pam_ppp.o: could not read symbols: Bad value collect2: ld returned 1 exit status make: [pam_ppp.so] Error 1 timm@debian-vmware:~/ppp-pam/build$ any help would be great thank you. Thank you in advanced.

timm

Just curious, where is the key? I know the file private_key exists, but the sequence there isn't 64 characters and it isn't hex. I took the odd string in there and ran it through base64 decode and then output that in hex but that didn't work (at least not with the cell phone client I got here: http://www.jgc.org/blog/2007/11/pppv2-in-java-and-c.html).

I'm looking for the sequence key that I can plug into other PPP implementations. Any suggestions? Any way to ask pppauth for that directly?!? I'm I missing something?

Thanks.

Just to clarify what I meant by "didn't work". I get a 64 character hex sequence (base64 -> ASCII -> HEX) but it doesn't generate the right passcodes.

Update: I hacked the pppauth code to print out the sequence key as hex. Here is what I did, but I'll point out that it still didn't work with the cell phone client or with the GRC PPP page passcard generator (although the Java client and GRC were in agreement). Maybe somebody can see what is wrong with this...

Index: keyfiles.c

--- keyfiles.c (revision 76) +++ keyfiles.c (working copy) @@ -359,7 +359,12 @@

pppSetFlags(ppp_flags(buf)); / load flags / read_data(buf, &num); setSeqKey(&num);

+ printf("SEQKEY = %s\n", buf); +

fp = fopen(cnt_file_name(), "r"); if ( ! fp)

return 0;

OK, I found out the problem...I'm a stubborn idiot. I kept hammering at this when the answer was right there in front of me! :-) The solution is to turn on "--verbose" and everything I needed was right there! Sorry to waste everybody's time. :-(

The --dontSkip flag should come in real handy, to solve the denial-of-service attack where an attacker can advance the passcodes too far, locking you out until you print new ones.

However, it adds another problem in that if my current code gets destroyed, by e.g. a drop of ink, I can't advance to the next passcode on the paper and log in. How do you solve this?

Could you make the system advance to the next passcode only after 6 failed attempts (requiring two entire logins since sshd shuts down the connection after 3 wrong login attempts)?

@avocade, what about having some special flag for unreadable codes such as "skip" that increments to the next code even if --dontSkip was used when the key was created? probably don't want a standardized string though, because then attackers would just use that all the time to push you off the end of your printed cards.

Or what about trading a (minuscule) bit of strength against brute force attack and allowing any of the next 2-5 codes to login? (would probably be a PITA to implement though...) This still doesn't help when an entire card is destroyed or lost though, so you'd probably still want something there.

Working today on 10.5.1. One note, using text edit, even with sudo, won't allow you to save to /etc. Use sudo nano or sudo vi instead.

If you have trouble compiling on Ubuntu x86-64, try adding -fPIC to the pam_ppp_so_CFLAGS line of the makefile. It's working great on my Ubuntu 7.10 x86-64 install.

can we add a guide for cygwin please? I am dieing to use this.

still works great in Leopard 10.5.2 on a new MacBook? Pro.

syepes,

I am having the same problems you are.

Anyone getting this to work on FreeBSD?

If you're getting the "recompile with -fPIC" error, it's because configre is doing it wrong. DavidSHewitt mentions the solution above, just make sure you do the edit before you run make for the first time, it won't work (for me) after that.

If you've already tried to compile, run make distclean, and then rerun ../configure BEFORE doing this.

I'd submit a bug report but it hasn't been updated in ages.

Note that you might also have to cp pam_ppp.so /lib64/security/pam_ppp.so depending.

Just a comment, if you're deadset on eliminating all avenues of internet-based attacks, I found that you can su into any protected accounts w/o having to invoke the PPP module, so I eliminated the ability to use su from any non-admin accounts.

Successfully able to configure it on OpenSuse? 11.1, here is the instructions ..

http://linuxpoison.blogspot.com/2009/04/perfect-paper-passwords-one-time.html

To compile on Mac OS X 10.6 Snow Leopard, I had to find the pam_macros.h file in the 10.5 frameworks. I changed pam_ppp.c to from

#include <security/pam_macros.h>

to

#include "/Developer/SDKs/MacOSX10.5.sdk/usr/include/pam/pam_macros.h"

I posted notes here: http://iharder.freepgs.com/2009/09/02/ppp-two-factor-authentication-in-snow-leopard-ssh-with-perfect-paper-passwords/

-Rob

A couple of important notes

Do not forget to restart your sshd service after fiddling with /etc/pam.d/sshd or /etc/pam.conf. Otherwise you may spend hours wondering why it does not work! The code that is available as a tar file is an older version than that available off the svn source code tree. In particular, I noticed that the tar'd code does not properly display nice password pages on Linux with the --html option. This was later worked around in the version on svn. The more recent news on pam_ppp is in the Google group mentioned above.

I hope that helps somebody avoid spending hours debugging something that actually works or is outdated.

-FrugalGuy?

ebuild with which I built in on Gentoo: http://temp.thera.be/ppp-pam/ppp-pam-0.2.ebuild

0.2 version won't work with user homes outside /home.

Just to update previous comment... I kind of forked ppp-pam, as I can't contact author for now. http://thera.be/my_public/my_projects/ppp-pam.git/ that's git repos, http://thera.be/my_public/my_projects/ppp-pam/ here are sources and ebuilds. On issues there's description of some fixed problems and git log can reveal the rest.

Hi, I am using ppp_pam, it working fine in CentOS(5.5). But there is no option to generate keys from root or sudoers for any other user. Only user it self generate the keys for itself. Can you please add this as a feature request?

Thanks & Regards, Rahul Panwar

Hello All..

Ive just tested Centos 6, it seems to work only if i include the pam_ppp.so before the "common-auth"

Is this justifyable ??? Shouldnt the prompt for 1 time password occur after the initial succesful login???

Furthermore, this doesnt seem to work when using a SSH key ... :( I would have liked to see the request for a 1 time password, whilst using a SSH Key

Regards David

The ppp-pam google group is unusable due to spam. If you are the moderator please moderate first time posts. This fixes the problem.

If I don't get a reply here within a month I will create a new group that I can moderate.

--- Now my question: How do we reorder

auth include system-remote-login auth sufficient pam_ppp.so account include system-remote-login password include system-remote-login session include system-remote-login

so that there's no need to input the main password as well, so we have the otp first and then if that fails fall back to usual auth. Otherwise the keyloggers can still log