Re: Looking for Special Challenge-Response Auth PAM Module, or Similar

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


On 23/08/2022 14:15, Jochen Bern wrote:
What I'm looking for is a solution where the appliance would prompt with a *randomly chosen* challenge, random enough to make it unfeasible to try and wait for the challenge to repeat, the technician types the challenge into some device of his own (laptop, if need be), types the response displayed back into the appliance, and hey, nice camera you have there making an *entirely useless* recording.

Would anyone here happen to know of such a beast?

You mean something like SCRAM implemented as a PAM module?  I can't think of one off hand, but there's always pam_exec which is pretty easy to plug into.

It might be possible to use pam_sasl <> together with a SASL challenge-response auth method <> like SCRAM.

You mentioned Yubikeys.  Depending on the flavour of key, they implement a range of different auth methods, some of which are suitable for keyboard use; that is, you don't need to plug them directly into the target system.

You've already ruled out Yubi OTP mode and HOTP mode, but there is also a HMAC-SHA1 type of challenge-response.  I found two modules: the official module <> and Both are stateful to avoid storing the secret in cleartext on the server, so may suffer from the same replay attacks you discussed - but I haven't investigated in detail.  It might be possible to use the same secret on all targets, but seed them with different challenges.

Aside: I did once play with a PAM module which allows manual U2F challenge/response over ssh keyboard-interactive authentication. What happened was, you'd connect via ssh and it would spit out a long challenge. You paste this into a local client app, and press the button on your U2F key.  The client spits out a long response, and you paste it back into the ssh session.  Bingo.

It did actually work - but unfortunately the strings were way too long to be practical over a KVM without copy-paste.

Ah yes... even documented it on github :-)


openssh-unix-dev mailing list

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux