Re: Looking for Special Challenge-Response Auth PAM Module, or Similar

On 8/23/22 15:15, Jochen Bern wrote:
> -- HOTP, which would lack the *single* strictly-(de|in)creasing counter to be replay safe (snarf response used on a "well worn" appliance, replay it on one with a "younger" counter, unless we start shipping appliances with *individual* secrets to boot).
>
> -- TOTP, which *would* be replay safe - if only our appliances weren't meant to sync against the customers' own NTP servers, so that their time can trivially be off or downright manipulated.
>
> What I'm looking for is a solution where the appliance would prompt with a *randomly chosen* challenge, random enough to make it unfeasible to try and wait for the challenge to repeat, the technician types the challenge into some device of his own (laptop, if need be), types the response displayed back into the appliance, and hey, nice camera you have there making an *entirely useless* recording.

OCRA?
(also one of the OATH standards)

https://www.rfc-editor.org/rfc/rfc6287

Ciao, Michael.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
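
The challenge-response flow discussed in this thread, sketched with the RFC 6287 suite `OCRA-1:HOTP-SHA1-6:QN08` (no counter, no timestamp, numeric challenge). This is an added example, not code from the thread or from any PAM module; the `Appliance` class and function names are hypothetical, and the key used in testing is the RFC's published 20-byte test key, not a real secret.

```python
import hashlib
import hmac
import secrets

# Suite string is part of the MAC input, so both sides must agree on it.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"

def new_challenge() -> str:
    """Appliance side: fresh 8-digit numeric challenge from the OS CSPRNG."""
    return f"{secrets.randbelow(10**8):08d}"

def ocra_response(key: bytes, challenge: str, suite: str = SUITE) -> str:
    """Technician side (and appliance side, to verify): 6-digit OCRA response."""
    if not (challenge.isascii() and challenge.isdigit() and len(challenge) == 8):
        raise ValueError("challenge must be exactly 8 decimal digits")
    # RFC 6287 encoding of a numeric Q: decimal -> hex string, then pad with
    # '0' on the right up to 128 bytes (256 hex characters).
    q_hex = format(int(challenge), "x").ljust(256, "0")
    data = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    mac = hmac.new(key, data, hashlib.sha1).digest()
    # HOTP dynamic truncation (RFC 4226) down to 6 decimal digits.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"

class Appliance:
    """Holds the shared secret and at most one outstanding challenge."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def prompt(self) -> str:
        self._pending = new_challenge()
        return self._pending

    def verify(self, response: str) -> bool:
        # Consume the challenge before checking, so a recorded response
        # cannot be replayed and a wrong guess cannot be retried against it.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        expected = ocra_response(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())
```

QN08 is used here because it matches the RFC's test vectors; the suite syntax allows numeric challenges of 04 to 64 digits if a larger challenge space is wanted.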


