On 23/08/2022 14:15, Jochen Bern wrote:
> What I'm looking for is a solution where the appliance would prompt
> with a *randomly chosen* challenge, random enough to make it
> unfeasible to try and wait for the challenge to repeat, the technician
> types the challenge into some device of his own (laptop, if need be),
> types the response displayed back into the appliance, and hey, nice
> camera you have there making an *entirely useless* recording.
> Would anyone here happen to know of such a beast?
You mean something like SCRAM implemented as a PAM module? I can't
think of one off hand, but there's always pam_exec which is pretty easy
to plug into.
It might be possible to use pam_sasl
<http://www1.maths.leeds.ac.uk/~pmtvlm/pam-sasl.html> together with a
SASL challenge-response auth method
<https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html>
like SCRAM.
You mentioned Yubikeys. Depending on the flavour of key, they implement
a range of different auth methods, some of which are suitable for
keyboard use; that is, you don't need to plug them directly into the
target system.
You've already ruled out Yubi OTP mode and HOTP mode, but there is also
an HMAC-SHA1 type of challenge-response. I found two modules: the
official module
<https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html>
and http://www.average.org/chal-resp-auth/. Both are stateful to avoid
storing the secret in cleartext on the server, so may suffer from the
same replay attacks you discussed - but I haven't investigated in
detail. It might be possible to use the same secret on all targets, but
seed them with different challenges.
Aside: I did once play with a PAM module which allows manual U2F
challenge/response over ssh keyboard-interactive authentication. What
happened was, you'd connect via ssh and it would spit out a long
challenge. You paste this into a local client app, and press the button
on your U2F key. The client spits out a long response, and you paste it
back into the ssh session. Bingo.
It did actually work - but unfortunately the strings were way too long
to be practical over a KVM without copy-paste.
Ah yes... even documented it on github :-)
https://github.com/Yubico/pam-u2f/issues/33#issuecomment-195419924
Cheers,
Brian.
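The flow Jochen asks for, built on the HMAC-SHA1 challenge-response primitive Brian points to, as an added worked example (editor's illustration; it is not code from this thread, from yubico-pam, nor from the average.org module). Everything not stated in the thread is an assumption of the example: a 20-byte shared secret stored in cleartext on the appliance (the very thing Brian notes the two modules avoid by being stateful), a 16-byte random challenge, a 120-second challenge lifetime, and an 8-digit HOTP-style truncation of the 20-byte MAC so the response is short enough to type over a KVM, which is the practicality problem Brian hit with U2F. The `Verifier` class and `compute_response` function are hypothetical names; something like this would sit behind pam_exec rather than be a PAM module in its own right.

```python
"""Random-challenge / typed-response check, HMAC-SHA1 flavour.

Added example, not from the thread or either linked PAM module.
Assumed parameters: 20-byte shared secret, 16-byte random challenge,
8-digit HOTP-style truncated response, 120 s challenge lifetime.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_BYTES = 16   # 128-bit random challenge: waiting for a repeat is hopeless
RESPONSE_DIGITS = 8    # short enough to read off a laptop and type into a KVM
CHALLENGE_TTL = 120.0  # seconds a displayed challenge stays valid


def compute_response(secret: bytes, challenge_hex: str,
                     digits: int = RESPONSE_DIGITS) -> str:
    """Technician side: HMAC-SHA1(secret, challenge), cut down to `digits`
    decimal digits with the RFC 4226 dynamic-truncation step so it can be
    typed. The full 20-byte MAC is what a YubiKey in HMAC-SHA1
    challenge-response mode returns; truncating it is this example's choice.
    With an 8-byte big-endian counter as the challenge this is exactly HOTP."""
    mac = hmac.new(secret, bytes.fromhex(challenge_hex), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # 0..15, so 4 bytes always fit
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Verifier:
    """Appliance side. Holds one outstanding challenge per user; a challenge
    is consumed by the first verify() call, matching or not, so a recording
    of challenge plus response can never be replayed."""

    def __init__(self, secrets_by_user: dict, ttl: float = CHALLENGE_TTL,
                 now=time.monotonic):
        self._secrets = secrets_by_user  # user -> 20-byte secret (cleartext; see lead-in)
        self._pending = {}               # user -> (challenge_hex, issued_at)
        self._ttl = ttl
        self._now = now                  # injectable clock, for tests

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(CHALLENGE_BYTES)  # CSPRNG, never reused
        self._pending[user] = (challenge, self._now())
        return challenge

    def verify(self, user: str, typed_response: str) -> bool:
        pending = self._pending.pop(user, None)   # single use, even on failure
        if pending is None:
            return False
        challenge, issued_at = pending
        if self._now() - issued_at > self._ttl:
            return False
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        # Constant-time compare. An 8-digit response is guessable at 1e-8 per
        # attempt, so the caller must also rate-limit or lock out on failures.
        return hmac.compare_digest(expected, typed_response.strip())


if __name__ == "__main__":
    tech_secret = secrets.token_bytes(20)            # constructed for the demo
    appliance = Verifier({"tech": tech_secret})
    shown = appliance.issue_challenge("tech")        # what the console (and camera) shows
    typed = compute_response(tech_secret, shown)     # computed on the technician's laptop
    print("challenge:", shown, "response:", typed)
    print("first attempt:", appliance.verify("tech", typed))   # True
    print("replayed:     ", appliance.verify("tech", typed))   # False
```

Two things the code makes concrete: the recording is useless because the challenge is consumed on first use and a fresh 128-bit one is drawn each time, and the price of a typeable response is that the verifier, not the technician, has to carry the brute-force defence (attempt limits), exactly the trade-off the longer U2F strings avoided.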
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev