
Re: BSD Authentication, SKEY and telnetd/ftpd/anything(?) ..



Ben,

Brilliant thanks!  Another case of RTFM :) ;

<excuse>although in this case the manual could be worded more clearly!
</excuse>

Somewhere, there should be a complete, but brief overview of the BSD
authentication mechanism.  (note mechanism, not "mechanism style" !)

For the benefit of the group, in summary, to use SKEY on your default
>=3.0 install .... 

"OpenBSD/i386 (your-host-here) (ttyp0)

Login: USERNAME:SKEY
otp-md5 xx yyyyyy
S/Key Password:"

And in general to use authentication mechanism X login with:
"username:X".

Thanks again,

-BK

-----Original Message-----
From: Ben Hooper [mailto:ben.hooper@diskcopy.com.au] 
Sent: 08 February 2002 19:22
To: 'Benjamin Kelly'
Cc: misc@openbsd.org
Subject: RE: BSD Authentication, SKEY and telnetd/ftpd/anything(?) ..

> This is fine - BUT - it forces default (telnet) to use SKEY (which isn't
> necessarily a bad thing);

> I'd like to (as with the krb-or-pwd) to try mechanism X and then
> mechanism Y.  What is the point in allowing a list of mechanisms if only
> the first is used?

Ok. I think I understand now. I took "multiple" to mean "different" in
your first post.

From the login man page...

"To specify the alternate authentication mechanism style, the string
:style is appended to the user name (i.e., user:style)."

So if skey is an allowed authentication style in your login.conf, you
could have the default set to passwd, but login using skey by appending
:skey to the username.

I am not sure if you can try _all_ the listed authentication styles
automatically (without specifying the :style), which is what I think you
are after. Maybe someone more enlightened can answer this. In the
meantime I'll wander through the man pages (I'm quite curious myself).


Regards,

Ben.
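
The selection rule discussed in this thread, modelled as an added example (not code from either poster and not OpenBSD source): a login string of the form user:style picks a style only if it appears in the class's auth list, and a bare user name gets the first entry. The function names and the "passwd,skey" list are assumptions for illustration; the first-entry default follows login.conf(5).

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only. auth_list is a comma-separated list of styles
 * as in a login.conf auth= entry, e.g. "passwd,skey" (assumed value). */
static int style_allowed(const char *auth_list, const char *style)
{
    size_t n = strlen(style);
    const char *p = auth_list;

    if (n == 0)
        return 0;                       /* "user:" names no style */
    while (*p != '\0') {
        size_t len = strcspn(p, ",");   /* length of current list entry */
        if (len == n && strncmp(p, style, n) == 0)
            return 1;
        p += len;
        if (*p == ',')
            p++;
    }
    return 0;
}

/* Split "user[:style]" and resolve the style against auth_list.
 * Returns 0 on success, -1 if the style is not listed or a buffer is too small. */
int resolve_style(const char *login, const char *auth_list,
                  char *user, size_t ulen, char *style, size_t slen)
{
    const char *colon = strchr(login, ':');
    size_t n = colon ? (size_t)(colon - login) : strlen(login);
    const char *want = colon ? colon + 1 : auth_list;
    /* No ":style": the default is the first entry of the list. */
    size_t wlen = colon ? strlen(want) : strcspn(auth_list, ",");

    if (n == 0 || n >= ulen || wlen == 0 || wlen >= slen)
        return -1;
    if (colon != NULL && !style_allowed(auth_list, want))
        return -1;                      /* requested style is not permitted */
    memcpy(user, login, n);   user[n] = '\0';
    memcpy(style, want, wlen); style[wlen] = '\0';
    return 0;
}

int main(void)
{
    char u[32], s[32];
    if (resolve_style("bk:skey", "passwd,skey", u, sizeof u, s, sizeof s) == 0)
        printf("user=%s style=%s\n", u, s);
    return 0;
}
```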