Re: Looking for Special Challenge-Response Auth PAM Module, or Similar

On 23/08/2022 14:15, Jochen Bern wrote:
> What I'm looking for is a solution where the appliance would prompt with a *randomly chosen* challenge, random enough to make it unfeasible to try and wait for the challenge to repeat, the technician types the challenge into some device of his own (laptop, if need be), types the response displayed back into the appliance, and hey, nice camera you have there making an *entirely useless* recording.
>
> Would anyone here happen to know of such a beast?
You mean something like SCRAM implemented as a PAM module? I can't think of one off hand, but there's always pam_exec which is pretty easy to plug into.

It might be possible to use pam_sasl <http://www1.maths.leeds.ac.uk/~pmtvlm/pam-sasl.html> together with a SASL challenge-response auth method <https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html> like SCRAM.

You mentioned Yubikeys. Depending on the flavour of key, they implement a range of different auth methods, some of which are suitable for keyboard use; that is, you don't need to plug them directly into the target system.

You've already ruled out Yubi OTP mode and HOTP mode, but there is also an HMAC-SHA1 type of challenge-response. I found two modules: the official module <https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html> and http://www.average.org/chal-resp-auth/. Both are stateful to avoid storing the secret in cleartext on the server, so may suffer from the same replay attacks you discussed - but I haven't investigated in detail. It might be possible to use the same secret on all targets, but seed them with different challenges.

Aside: I did once play with a PAM module which allows manual U2F challenge/response over ssh keyboard-interactive authentication. What happened was, you'd connect via ssh and it would spit out a long challenge. You paste this into a local client app, and press the button on your U2F key. The client spits out a long response, and you paste it back into the ssh session. Bingo.

It did actually work - but unfortunately the strings were way too long to be practical over a KVM without copy-paste.

Ah yes... even documented it on github :-)

https://github.com/Yubico/pam-u2f/issues/33#issuecomment-195419924

Cheers,

Brian.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
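A minimal model of the random-challenge HMAC-SHA1 exchange discussed in the thread, as an added example (not code from the thread or from either of the modules Brian links): the appliance issues a fresh challenge, the technician's device computes the response, the appliance verifies it in constant time, and a response captured by the camera fails against the next challenge. It assumes a constructed 20-byte shared secret held in cleartext on the appliance, which is precisely the trade-off the stateful modules above avoid.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret: a 20-byte HMAC-SHA1 key that would be provisioned
# both into the appliance and into the technician's device (e.g. a YubiKey
# HMAC-SHA1 slot). Held in cleartext here; see the lead-in for the caveat.
SHARED_SECRET = bytes.fromhex("0b" * 20)


def new_challenge(nbytes: int = 16) -> str:
    """Appliance side: a fresh, unpredictable hex challenge per login attempt.
    128 random bits make waiting for a repeat infeasible."""
    return secrets.token_hex(nbytes)


def compute_response(secret: bytes, challenge: str) -> str:
    """Technician side: HMAC-SHA1 over the challenge as typed (ASCII bytes),
    rendered as 40 hex characters to be typed back into the appliance."""
    return hmac.new(secret, challenge.encode("ascii"), hashlib.sha1).hexdigest()


def verify_response(secret: bytes, challenge: str, typed_response: str) -> bool:
    """Appliance side: recompute the expected response and compare in
    constant time so timing does not leak how many characters matched."""
    expected = compute_response(secret, challenge)
    return hmac.compare_digest(expected, typed_response.strip().lower())


def login_attempt(responder) -> bool:
    """One authentication round. `responder` maps the displayed challenge to
    the string typed back: the technician's device, or a camera observer."""
    challenge = new_challenge()
    return verify_response(SHARED_SECRET, challenge, responder(challenge))


def honest_technician(challenge: str) -> str:
    return compute_response(SHARED_SECRET, challenge)


def camera_observer(recorded_response: str):
    """Someone who only has the recording: they can replay the response they
    saw, but the appliance has already moved on to a new challenge."""
    return lambda _challenge: recorded_response


if __name__ == "__main__":
    c = new_challenge()
    r = compute_response(SHARED_SECRET, c)
    print(f"challenge {c} -> response {r}: {verify_response(SHARED_SECRET, c, r)}")
    print("replayed recording accepted:", login_attempt(camera_observer(r)))
```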