On Tue, 23 Aug 2022 at 23:23, Jochen Bern <Jochen.Bern@xxxxxxxxx> wrote: [...] > So now I'm looking for a new (additional), replay-attack-safe > authentication method to add to the product. This sounds like S/Key[0] or OPIE[1]. There are PAM modules available for at least OPIE, and (to drag this moderately back on topic), those should work with sshd's ChallengeResponseAuthentication. If you're worried about the compromise of an appliance disclosing a fleet-wide shared secret you could make a per-device shared secret by hashing a fleetwide secret with a per-appliance identifier before storing it on the appliance. In the field you would hash(secret|deviceid) to derive the per-device secret, then feed it and the challenge from the device into opiekey to compute the one time password. [0] https://en.wikipedia.org/wiki/S/KEY [1] https://en.wikipedia.org/wiki/OPIE_Authentication_System -- Darren Tucker (dtucker at dtucker.net) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
