On 23/08/2022 22:42, Jochen Bern wrote:
On 23.08.22 16:56, Brian Candler wrote:
You mean something like SCRAM implemented as a PAM module?
Looks promising from the algorithm POV ... !
It might be possible to use pam_sasl [...] together with a SASL
challenge-response auth method [...] like SCRAM.
cyrus-sasl-scram seems to be available from standard OS repos,
pam_exec comes with the default PAM installation. pam_sasl (or a SASL
client to use with pam_exec, I don't see testsaslauthd allowing for
presenting and processing a challenge first) I'll have to look into ...
If this is just to protect a single account, say an "engineer" login,
you could just make the user's login shell be a small program which does
the challenge/response, and then execs the real shell if successful.
I rather like the QR code idea given by someone else:
* generate a small random value (e.g. 6-digit PIN)
* encrypt it with public key
* show the encrypted value as a QR code
* user decrypts it and types in the decrypted value
* permit login if they match
No secret information needs to be stored on the target system at all,
and they can all be identical.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
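The challenge/response login shell sketched in the reply above (random PIN, encrypted under a public key, shown as a challenge, decrypted and typed back by the user, real shell exec'd on a match), written out as an added example; this is not code from the thread or from OpenSSH. It assumes Go, RSA-OAEP as the public-key encryption (the thread does not name a scheme), a hypothetical public-key path /etc/qr-login/public.pem, /bin/bash as the real shell, and it prints the challenge as base64 text that an external QR renderer (for instance qrencode) would turn into the QR code; the QR rendering itself is left out. Only the public key is present on the host, so every target system can carry the same file, which is the "no secret stored" property the reply points out. SolveChallenge is the user's side and is included only so the exchange is complete.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"strings"
	"syscall"
)

// oaepLabel binds the ciphertext to this use; both sides must use the same label.
var oaepLabel = []byte("qr-login-challenge")

// LoadPublicKey parses a PEM "PUBLIC KEY" (PKIX) block holding an RSA public key.
func LoadPublicKey(pemBytes []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// NewPIN returns a uniformly random, zero-padded 6-digit PIN from crypto/rand.
func NewPIN() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// MakeChallenge encrypts the PIN with RSA-OAEP and returns the base64 text
// that a QR renderer would display to the user.
func MakeChallenge(pub *rsa.PublicKey, pin string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pin), oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// SolveChallenge is the user's half: decode the QR payload and decrypt it
// with the private key that never leaves the user's device.
func SolveChallenge(priv *rsa.PrivateKey, challenge string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(challenge)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// VerifyResponse compares the typed PIN with the expected one in constant time.
func VerifyResponse(expected, response string) bool {
	response = strings.TrimSpace(response)
	return len(expected) == len(response) &&
		subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1
}

func die(msg string, err error) {
	fmt.Fprintln(os.Stderr, msg, err)
	os.Exit(1)
}

// main is the login-shell wrapper: one challenge, one answer, then exec the real shell.
func main() {
	pemBytes, err := os.ReadFile("/etc/qr-login/public.pem") // hypothetical path
	if err != nil {
		die("cannot read public key:", err)
	}
	pub, err := LoadPublicKey(pemBytes)
	if err != nil {
		die("bad public key:", err)
	}
	pin, err := NewPIN()
	if err != nil {
		die("cannot generate PIN:", err)
	}
	challenge, err := MakeChallenge(pub, pin)
	if err != nil {
		die("cannot build challenge:", err)
	}
	fmt.Println("Challenge (render as QR code):", challenge)
	fmt.Print("Decrypted PIN: ")
	line, _ := bufio.NewReader(os.Stdin).ReadString('\n')
	if !VerifyResponse(pin, line) {
		die("login denied", nil) // one attempt per session; the next login gets a fresh PIN
	}
	// Replace this process with the real shell so the wrapper leaves no trace in the session.
	if err := syscall.Exec("/bin/bash", []string{"-bash"}, os.Environ()); err != nil {
		die("exec failed:", err)
	}
}
```

Each session gets a fresh PIN, so a response observed over someone's shoulder is useless afterwards, and a 6-digit PIN with a single attempt per session keeps guessing to one in a million per login; the public key file is the only thing the wrapper needs, so it can be identical on every host.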