Re: Looking for Special Challenge-Response Auth PAM Module, or Similar

On Tue, 23 Aug 2022 at 23:23, Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote:
[...]
> So now I'm looking for a new (additional), replay-attack-safe
> authentication method to add to the product.

This sounds like S/Key[0] or OPIE[1].  There are PAM modules available
for at least OPIE, and (to drag this moderately back on topic), those
should work with sshd's ChallengeResponseAuthentication.

If you're worried about the compromise of an appliance disclosing a
fleet-wide shared secret you could make a per-device shared secret by
hashing a fleetwide secret with a per-appliance identifier before
storing it on the appliance.  In the field you would
hash(secret|deviceid) to derive the per-device secret, then feed it
and the challenge from the device into opiekey to compute the one time
password.

[0] https://en.wikipedia.org/wiki/S/KEY
[1] https://en.wikipedia.org/wiki/OPIE_Authentication_System

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
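The per-device derivation and S/Key-style exchange described in the reply above, worked through end to end as an added example. This is not code from the thread and not OPIE's own implementation: it uses HMAC-SHA256 to derive the per-device secret (the post just says hash(secret|deviceid)) and a plain SHA-256 hash chain in place of OPIE's folded MD5/SHA-1 plus six-word encoding. The fleet secret, device ID and seed are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values. In a real fleet the secret lives in the operator's
# vault and the device ID is something like the appliance serial number.
FLEET_SECRET = b"example-fleet-secret-do-not-use"
DEVICE_ID = b"appliance-00042"


def per_device_secret(fleet_secret: bytes, device_id: bytes) -> bytes:
    """Derive the secret that is stored on one appliance.

    HMAC is used as the keyed hash (an assumption; the post only says
    hash(secret|deviceid)). An attacker who pulls this value off one
    appliance learns nothing about the fleet-wide secret or other devices.
    """
    return hmac.new(fleet_secret, device_id, hashlib.sha256).digest()


def skey_step(value: bytes) -> bytes:
    """One step of the hash chain (SHA-256 here, not OPIE's folded digest)."""
    return hashlib.sha256(value).digest()


def skey_chain(device_secret: bytes, seed: str, n: int) -> bytes:
    """hash^n(seed || device_secret): the n-th one-time password of the chain."""
    value = seed.encode() + device_secret
    for _ in range(n):
        value = skey_step(value)
    return value


class Appliance:
    """Device side: stores only the current top of the chain, never the secret."""

    def __init__(self, device_secret: bytes, seed: str, n: int):
        self.seed = seed
        self.seq = n
        self.stored = skey_chain(device_secret, seed, n)

    def challenge(self):
        # Equivalent of the "otp-sha1 <N> <seed>" prompt: ask for hash^(seq-1).
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.seq <= 1:
            return False  # chain exhausted; the device must be re-initialised
        # The response must hash forward to what we stored.
        if not hmac.compare_digest(skey_step(response), self.stored):
            return False
        # Accept and move down the chain. Because the stored value is now the
        # response itself, replaying that response can never succeed again.
        self.stored = response
        self.seq -= 1
        return True


def field_response(fleet_secret: bytes, device_id: bytes, count: int, seed: str) -> bytes:
    """Technician side: re-derive the per-device secret, then compute the OTP
    for the challenge the device displayed (what opiekey would do)."""
    return skey_chain(per_device_secret(fleet_secret, device_id), seed, count)


def demo():
    appliance = Appliance(per_device_secret(FLEET_SECRET, DEVICE_ID), seed="ap42xy", n=100)

    count, seed = appliance.challenge()
    otp = field_response(FLEET_SECRET, DEVICE_ID, count, seed)
    first = appliance.verify(otp)       # genuine response: accepted
    replay = appliance.verify(otp)      # same response again: rejected

    count, seed = appliance.challenge()
    second = appliance.verify(field_response(FLEET_SECRET, DEVICE_ID, count, seed))

    count, seed = appliance.challenge()
    wrong = appliance.verify(field_response(b"other-fleet", DEVICE_ID, count, seed))
    return first, replay, second, wrong


if __name__ == "__main__":
    print(demo())
```

An eavesdropper who captures hash^k cannot produce the next required value hash^(k-1) without inverting the hash, which is what makes the scheme replay-safe; the device-side state must still be updated atomically so a crash between accepting a response and decrementing the sequence cannot reopen the window.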