Secure Shell
Re: Unix (pam) authorization with required public key Aug 31 2010 10:17PM
Илья Скорик (ilya skorik me) (2 replies)
Re: Unix (pam) authorization with required public key Sep 01 2010 07:36PM
Florian Gleixner (flo redflo de)
Re: Unix (pam) authorization with required public key Aug 31 2010 11:35PM
Robert Hajime Lanning (robert lanning gmail com) (3 replies)
Re: Unix (pam) authorization with required public key Sep 01 2010 10:20AM
Filip Fąfara (tazzek tasak org)
Re: Unix (pam) authorization with required public key Sep 01 2010 07:46AM
Aris Adamantiadis (aris adamantiadis belnet be)
Re: Unix (pam) authorization with required public key Sep 01 2010 01:06AM
Dan Mahoney, System Admin (danm prime gushi org)
On Tue, 31 Aug 2010, Robert Hajime Lanning wrote:

> ssh is not written to do that.
>
> It authorizes on first successful authentication.
>
> The closest thing you can do is distribute PKCS#11 compatible hardware
> tokens and configure the ssh client to use the key from there.
>
> This will implement two factor authentication.
> 1) the token (the key never leaves the token)
> 2) password authentication to the token to unlock access to use the key.

Actually, the answer you're looking for is called "SecurID", or other
similar products like CRYPTOCard or tokens by Vasco or Secure Computing.

Specifically, the "RSA way" is you concatenate the token code with your
password, so your password is foobarNNNNNN, and the radius/pam server
knows to do a "split" on that point, and compare the values separately.

It is also possible to do full-on challenge-response authentication, in
the classic "you type the challenge into your token, and the token gives
you a response" method.

You can use this, for example, with OPIE (also known as s/key), which has
the advantage of blocking replay attacks (passwords are discarded on use),
and being usable over unencrypted channels.

And yes, you could work this with LDAP, but it's nontrivial and probably
requires some custom PAM programming to chain the functionality together.

I have not seen a free, off-the-shelf product that does this.

-Dan

--

"SOY BOMB!"

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
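
The two mechanisms Dan describes above, as an added worked example that is not code from the original post and not RSA's, OPIE's or any PAM module's implementation: (1) the "split" check, where the user types password+tokencode as one string (foobarNNNNNN) and the server splits off the token code and compares the two halves separately, and (2) an S/KEY-style hash chain where each one-time password is discarded on use, so a captured value cannot be replayed. The token code is generated with HOTP (RFC 4226) as a stand-in, since SecurID's own algorithm is proprietary; the user record, seed, password and counters are constructed in memory for the example and are not from the page.

```python
"""Toy PAM/RADIUS-style verifier (added example, not from the original post).

Assumptions: HOTP (RFC 4226) stands in for the proprietary SecurID code;
user records, seeds and passwords below are constructed for the example.
"""
import hashlib
import hmac
import struct

TOKENCODE_LEN = 6  # length of the NNNNNN suffix the server splits off


def hotp(secret: bytes, counter: int, digits: int = TOKENCODE_LEN) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SplitVerifier:
    """The 'RSA way': password and tokencode arrive concatenated in one field."""

    def __init__(self):
        # Constructed sample user: static password hash, token seed, HOTP counter.
        self.users = {
            "dan": {
                "pw_hash": hashlib.sha256(b"foobar").hexdigest(),
                "seed": b"example-token-seed-0001",
                "counter": 0,
            }
        }

    def verify(self, user: str, typed: str) -> bool:
        rec = self.users.get(user)
        if rec is None or len(typed) <= TOKENCODE_LEN:
            return False
        static, code = typed[:-TOKENCODE_LEN], typed[-TOKENCODE_LEN:]
        # Evaluate both halves before returning so a failure does not reveal
        # which half was wrong; compare each in constant time.
        pw_ok = hmac.compare_digest(
            hashlib.sha256(static.encode()).hexdigest(), rec["pw_hash"])
        expected = hotp(rec["seed"], rec["counter"])
        code_ok = hmac.compare_digest(code, expected)
        if pw_ok and code_ok:
            rec["counter"] += 1  # advance only on success: the code is now spent
            return True
        return False


class SKeyVerifier:
    """S/KEY-style one-time passwords: the server keeps only the last accepted value."""

    def __init__(self, secret: bytes, n: int = 5):
        # Enrolment: server stores (n, h^n(secret)); the client keeps the secret.
        self.n = n
        self.last = self.client_otp(secret, n)

    @staticmethod
    def client_otp(secret: bytes, i: int) -> bytes:
        """Client side: h^i(secret), offered when the server's counter is i+1."""
        v = secret
        for _ in range(i):
            v = hashlib.sha256(v).digest()
        return v

    def verify(self, otp: bytes) -> bool:
        if self.n <= 0:
            return False  # chain exhausted; user must re-enrol
        if hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            self.n -= 1
            self.last = otp  # the value just used becomes the reference; it can never be accepted again
            return True
        return False


def demo() -> dict:
    """Run both verifiers over constructed input; returns outcome flags."""
    sv = SplitVerifier()
    code0 = hotp(sv.users["dan"]["seed"], 0)
    results = {
        "split_ok": sv.verify("dan", "foobar" + code0),
        "split_replay": sv.verify("dan", "foobar" + code0),       # same code again
        "split_bad_pw": sv.verify("dan", "wrongpw" + hotp(sv.users["dan"]["seed"], 1)),
        "split_counter": sv.users["dan"]["counter"],
    }
    secret = b"dan-skey-secret"
    sk = SKeyVerifier(secret, n=5)
    otp4 = SKeyVerifier.client_otp(secret, 4)
    results["skey_ok"] = sk.verify(otp4)
    results["skey_replay"] = sk.verify(otp4)                      # replay of a spent OTP
    results["skey_next"] = sk.verify(SKeyVerifier.client_otp(secret, 3))
    return results


if __name__ == "__main__":
    print(demo())
```

The split verifier accepts only the code for the current counter and advances it on success; production servers add a look-ahead window for counter drift, which this example leaves out. The S/KEY chain shows why OPIE is usable over an unencrypted channel: an eavesdropper who captures h^4 cannot derive h^3, and h^4 itself is rejected on the second attempt.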

Copyright 2010, SecurityFocus