These days, I was sent to do on-site maintenance on one of the Linux based appliances we make. The local admin led me to a rack and pointed to the KVM unit, with the screen showing the appliance's login prompt - no network access for my laptop, no physical access to the appliance (nowhere to be seen), please type your appliance's maintenance password into our hardware. Didn't much like that, and the surveillance camera a foot and a half above the keyboard didn't help any, either.
So now I'm looking for a new (additional), replay-attack-safe authentication method to add to the product. Searched the web for "challenge-response" and "PAM" (so that it'll also work with sshd if needed), and so far, everything remotely acceptable seems to go back to three basic principles:
-- Tokens like Yubikeys, which wouldn't have worked here thanks to no physical access.
-- HOTP, which would lack the *single* strictly-(de|in)creasing counter to be replay safe (snarf response used on a "well worn" appliance, replay it on one with a "younger" counter, unless we start shipping appliances with *individual* secrets to boot).
-- TOTP, which *would* be replay safe - if only our appliances weren't meant to sync against the customers' own NTP servers, so that their time can trivially be off or downright manipulated.
What I'm looking for is a solution where the appliance would prompt with a *randomly chosen* challenge, random enough to make it unfeasible to try and wait for the challenge to repeat, the technician types the challenge into some device of his own (laptop, if need be), types the response displayed back into the appliance, and hey, nice camera you have there making an *entirely useless* recording.
Would anyone here happen to know of such a beast?

Thanks in advance,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
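Sketch of the scheme the post asks for, added here as an illustration and not something from the poster, OpenSSH or any existing PAM module: the appliance draws a 128-bit random challenge, the technician's own device computes an HMAC over it with a shared secret and truncates that to a short decimal code (the same dynamic truncation HOTP uses, applied to a random challenge instead of a counter), and the appliance checks exactly one response per challenge. Because the challenge is never reused, a recorded response is bound to a login that is already over. The secret, the challenge size, the code length and the lockout threshold are constructed for the example; as the post already notes, the secret should be per appliance, since a fleet-wide secret recovered from one unit would open all of them.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example (assumptions, not taken from the post):
CHALLENGE_BYTES = 16   # 128-bit random challenge: waiting for a repeat is infeasible
RESPONSE_DIGITS = 8    # length of the code the technician types back
MAX_FAILURES = 5       # lockout threshold against online guessing of the 8 digits


def compute_response(secret: bytes, challenge: str, digits: int = RESPONSE_DIGITS) -> str:
    """Technician side: HMAC-SHA256 over the challenge, truncated to a decimal code.

    The truncation follows the RFC 4226 (HOTP) dynamic-truncation step, but the
    MAC input is the random challenge rather than a counter, so a captured
    response is only valid for a challenge the appliance never issues again."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ChallengeResponseVerifier:
    """Appliance side: issues a fresh random challenge per login attempt and
    accepts at most one response against it."""

    def __init__(self, secret: bytes):
        self._secret = secret      # per-appliance secret, provisioned out of band
        self._pending = None       # the challenge currently shown on the screen
        self._failures = 0

    @property
    def locked(self) -> bool:
        return self._failures >= MAX_FAILURES

    def prompt(self) -> str:
        """Generate and return the challenge to display at the login prompt."""
        if self.locked:
            raise PermissionError("too many failed responses; operator reset required")
        self._pending = secrets.token_hex(CHALLENGE_BYTES)
        return self._pending

    def verify(self, typed: str) -> bool:
        """Check the typed response; the pending challenge is consumed either way."""
        challenge, self._pending = self._pending, None   # single use, even on failure
        if challenge is None:
            return False
        expected = compute_response(self._secret, challenge)
        # constant-time comparison so timing does not leak how many digits matched
        ok = hmac.compare_digest(expected.encode(), typed.strip().encode())
        self._failures = 0 if ok else self._failures + 1
        return ok


def demo_session(secret: bytes):
    """One legitimate login followed by a replay of the recorded response.

    Returns (login_ok, replay_ok); replay_ok is False because the second
    prompt carries a different random challenge."""
    appliance = ChallengeResponseVerifier(secret)
    challenge = appliance.prompt()                    # what the KVM screen shows
    response = compute_response(secret, challenge)    # computed on the technician's laptop
    login_ok = appliance.verify(response)
    appliance.prompt()                                # next login attempt, fresh challenge
    replay_ok = appliance.verify(response)            # the camera's recording, replayed
    return login_ok, replay_ok


if __name__ == "__main__":
    print(demo_session(b"constructed-per-appliance-secret"))   # (True, False)
```

In a real deployment the verifier half would live in a PAM module (so sshd picks it up as well, as the post wants) and the `compute_response` half in whatever the technician carries; the 8-digit code is short enough to type from a screen, which is why the verifier counts failures and locks rather than relying on the code length alone.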
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev