Use OPIE without PAM

Matt Johnston matt at ucc.asn.au
Tue Jul 31 21:01:01 WST 2007


On Thu, Jul 26, 2007 at 07:05:07PM +0200, Alexander Kriegisch wrote:
> I am looking for a cheap way of using OPIE (One-time Passwords In
> Everything) with dropbear on my WLAN/DSL router (mipsel platform). That
> is, I would like to use it without PAM (Pluggable Authentication
> Modules) but rather by delegating user/pw login to opielogin. It works
> like this with my BusyBox telnetd. Neither am I a Dropbear expert nor do
> I know how user/pw authentication is done in dropbear - obviously not by
> delegating to /bin/login. Can anybody provide a patch for Dropbear so it
> uses opielogin directly? Getting PAM up and running on my box is harder
> than I thought because of issues which would be off-topic here, and
> saving flash and RAM space is also important, so I would prefer a cheap
> solution.

The problem I see with opielogin is that it doesn't let
Dropbear know whether auth has succeeded or not. The only
real way of using opielogin is to make SSH's own
authentication allow any valid user to log in with any (or
no) password, then run opielogin for a shell. TCP/agent/X11
forwarding wouldn't be possible either. I'm kind of wary of
this solution since it doesn't seem that secure.

It might be better to use libopie to handle authentication,
then run a shell as normal. I couldn't find any docs on
libopie though - is it still maintained?

It's a shame there isn't a nice lightweight network auth
solution for Unixes - PAM is kind of crufty and ill-suited.

Matt
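
Added example, not part of the original message and not Dropbear or libopie code: a Python sketch of the in-process approach discussed above, where the one-time-password check returns a pass/fail result that the server uses to gate the session. The hash chain is modelled on the RFC 2289 MD5 scheme that OPIE implements; `OtpVerifier`, `handle_login`, the in-memory user table and the sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 folded to 64 bits by XORing the digest halves (RFC 2289 style)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: hash seed+passphrase once, then fold `count` more times."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class OtpVerifier:
    """Server side. Per-user state: [sequence, seed, last accepted OTP].
    Hypothetical in-memory stand-in for an OPIE key database."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, passphrase, seed, count):
        self.users[user] = [count, seed, otp(passphrase, seed, count)]

    def challenge(self, user) -> str:
        seq, seed, _ = self.users[user]
        return f"otp-md5 {seq - 1} {seed}"

    def verify(self, user, response: bytes) -> bool:
        entry = self.users.get(user)
        if entry is None or entry[0] < 1:
            return False                      # unknown user or chain used up
        # One more fold of a valid response must equal the stored value.
        if not hmac.compare_digest(fold_md5(response), entry[2]):
            return False
        entry[0] -= 1                         # advance the chain so the
        entry[2] = response                   # same response cannot be reused
        return True

def handle_login(verifier, user, response) -> str:
    """Hypothetical server hook: the session (shell, forwarding) is only
    set up after the verifier reports success to the caller."""
    return "start-shell" if verifier.verify(user, response) else "auth-failure"
```

Because the result comes back to the server as a return value, the server never has to accept an arbitrary password first and hand the real decision to a separate login program.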

