Re: Unix (pam) authorization with required public key

On Tue, 31 Aug 2010, Robert Hajime Lanning wrote:

> ssh is not written to do that.
>
> It authorizes on first successful authentication.
>
> The closest thing you can do is distribute PKCS#11-compatible hardware
> tokens and configure the ssh client to use the key from there.
>
> This will implement two-factor authentication.
> 1) the token (the key never leaves the token)
> 2) password authentication to the token to unlock access to use the key.

Actually, the answer you're looking for is called "SecurID", or other similar products like CRYPTOCard or tokens by Vasco or Secure Computing.

Specifically, the "RSA way" is you concatenate the token code with your password, so your password is foobarNNNNNN, and the RADIUS/PAM server knows to do a "split" on that point, and compare the values separately.

It is also possible to do full-on challenge-response authentication, in the classic "you type the challenge into your token, and the token gives you a response" method.

You can use this, for example, with OPIE (also known as S/Key), which has the advantage of blocking replay attacks (passwords are discarded on use), and being usable over unencrypted channels.

And yes, you could work this with LDAP, but it's nontrivial and probably requires some custom PAM programming to chain the functionality together.

I have not seen a free, off-the-shelf product that does this.

-Dan

--

"SOY BOMB!"

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
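Editor's note: the following is an added example, not code from the list post or from any of the products named in it. It sketches the two server-side mechanics Dan describes: the "password + token code" concatenation that the RADIUS/PAM hop splits and verifies as two separate factors, and an S/Key-style one-time-password hash chain in which each accepted password is discarded so it cannot be replayed. RFC 4226 HOTP stands in for the proprietary SecurID algorithm (an assumption, since the real algorithm is not on the page), the S/Key chain is simplified (real OPIE folds the digest to 64 bits and encodes it as six words), and all secrets and credentials are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the post or any product). Two simplified schemes:
#  1. "password + token code" split into two separately verified factors,
#     with RFC 4226 HOTP standing in for the proprietary token algorithm;
#  2. an S/Key-style hash chain where a used one-time password is discarded.

OTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(entered: str, digits: int = OTP_DIGITS):
    """Split 'foobarNNNNNN' into ('foobar', 'NNNNNN'); None if malformed."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


class SplitVerifier:
    """Server side of the concatenation scheme (what the RADIUS/PAM hop does)."""

    def __init__(self, password: str, token_secret: bytes, counter: int = 0,
                 window: int = 3):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.token_secret = token_secret
        self.counter = counter          # next HOTP counter the server expects
        self.window = window            # look-ahead for a token that got ahead

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, entered: str) -> bool:
        parts = split_credential(entered)
        if parts is None:
            return False
        password, code = parts
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        otp_ok, next_counter = False, self.counter
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                otp_ok, next_counter = True, c + 1
                break
        # Both factors are evaluated before the decision, and the counter
        # only moves forward on success, so an accepted code is burned and
        # the same "password + code" string cannot be submitted twice.
        if pw_ok and otp_ok:
            self.counter = next_counter
            return True
        return False


def skey_chain(seed: str, passphrase: str, n: int) -> bytes:
    """n-th element of an S/Key-style chain: H^n(H(seed || passphrase)).
    Simplified: real OPIE folds the digest to 64 bits and encodes it as six
    dictionary words before the user types it in."""
    x = hashlib.sha1((seed + passphrase).encode()).digest()
    for _ in range(n):
        x = hashlib.sha1(x).digest()
    return x


class SKeyServer:
    """Stores only H^seq; the client proves knowledge of H^(seq-1)."""

    def __init__(self, seed: str, passphrase: str, seq: int = 100):
        self.seed, self.seq = seed, seq
        self.last = skey_chain(seed, passphrase, seq)   # passphrase is not kept

    def verify(self, response: bytes) -> bool:
        if self.seq == 0:
            return False                      # chain exhausted; must re-seed
        if hmac.compare_digest(hashlib.sha1(response).digest(), self.last):
            # Accept, then discard: the server now holds the value just used,
            # so presenting it again (replay from a sniffed session) fails.
            self.last, self.seq = response, self.seq - 1
            return True
        return False
```

The point Dan makes about OPIE falls out of `SKeyServer.verify`: the value on the wire is only ever useful once, because after acceptance the server expects the *previous* element of the chain, which cannot be derived from the one just sent. The split scheme, by contrast, still carries the static password in the clear, so it relies on the transport (ssh) for confidentiality.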


