ssh and security

Posted Dec 4, 2003 16:25 UTC (Thu) by scripter (subscriber, #2654)
Parent article: ssh and security

Thank you! I thought your letter was informative, and it makes people aware of the limitations of SSH.

You mention that a challenge-response system is a solution to the shortcomings of SSH. Unfortunately, as far as I know, a hardware-based challenge-response system is prohibitively expensive, especially in the OSS development model. And it is difficult to distribute the hardware (or a paper with one-time passwords). The hardware costs money. Postage costs money. Administration costs time and/or money. The person issuing the challenge-response system to users has to be able to verify if they want to trust each individual user.

Is there a way to "revoke" a smart card or equivalent system?

Is there a software-only solution that avoids the high distribution costs?

Thoughts?

Can't afford smart cards?

Posted Dec 4, 2003 19:46 UTC (Thu) by kbob (subscriber, #1770)

USB smart cards are available for about $40 US. If each developer bought his own, and if each developer could store all his keys on a single card, it would be affordable for the majority of developers. A sponsorship program could provide cards (yes, and postage) to those few who couldn't buy their own.

Then it's an engineering problem of building a web of trust based on smart card authentication.

K<bob>

Can't afford smart cards?

Posted Dec 4, 2003 21:20 UTC (Thu) by dd9jn (subscriber, #4459)

BTW, we plan to sell the OpenPGP smartcard for about 15 Euro, so you merely need a USB reader (~35 EUR - it should be possible to negotiate discounts). The advantage is that the existing WoT can be used to bootstrap this and the card may also be used for signing and encryption. OpenSC already has experimental support using this card with ssh, and gnupg 1.3.4 comes with the card key generation and encryption feature.

-Werner

Can't afford smart cards?

Posted Dec 5, 2003 19:25 UTC (Fri) by atsmyles (guest, #2777)

Where can I find more information about this product?

ssh and security

Posted Dec 4, 2003 23:57 UTC (Thu) by dlang (subscriber, #313)

There are packages available to do one-time passwords (OPIE comes to mind, but I'm sure there are others). In addition, I have seen several PalmPilot packages over the years that implement different options.

Personally, I use a hardware token I purchased several years ago that does the snk004 protocol. This protocol is implemented in the firewall toolkit, so I can throw it on any system I want to protect. I actually have several that I administer where I care more about the authentication than sniffing, so I use telnet/ftp with good authentication as opposed to an encrypted connection without the authentication. It's a judgement call that should be made based on the risk in your system.

I would love to be able to tie something like this into ssh and get both, but without hacking the code ssh makes it very hard to do this. The closed-source version of ssh has added the ability to ask an external program if a userid and password are correct, but that external program has no way to send a challenge to the user, so that mechanism can't be used for this type of thing.

One thing I didn't touch on in the letter is that most of these systems do rely on a shared secret, so that if one system is compromised you need to update all the other systems that you access. The new smartcards use public key encryption (and have the ability to hold multiple shared secrets securely), so they will lessen the work to be done when one system gets cracked.

David Lang
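The shared-secret versus public-key point above, as an added example that is not part of the thread or any of the products named in it: the constructed Go program below models one login with each scheme (a random 16-byte challenge, HMAC-SHA256 for a shared-secret token reply, Ed25519 for a card signature) and then shows that what a shared-secret server stores is enough to log in to every other server provisioned for the same token, while a stolen public key is not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Shared-secret scheme (the model most OTP tokens follow): the token and every
// accepting server hold the same secret, and the reply is HMAC(secret, challenge).
func tokenRespond(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func sharedSecretVerify(serverCopy, challenge, reply []byte) bool {
	return hmac.Equal(reply, tokenRespond(serverCopy, challenge))
}

// Public-key scheme (the smartcard model): the private key never leaves the
// card and the server stores only the public key, so there is nothing to copy.
//
// Compare runs the card's honest login, then models one compromised server:
// the attacker holds exactly what it stored for the user (secret copy or
// public key) and tries a second server provisioned for the same token or card.
func Compare() (cardLogsIn, stolenSecretLogsIn, stolenPubkeyLogsIn bool) {
	secret := []byte("constructed demo token secret") // constructed sample
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv stays on the card
	c := make([]byte, 16) // fresh per-login challenge
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	cardLogsIn = ed25519.Verify(pub, c, ed25519.Sign(priv, c))
	attackerCopy := append([]byte(nil), secret...) // lifted from server one
	stolenSecretLogsIn = sharedSecretVerify(secret, c, tokenRespond(attackerCopy, c))
	// With only a public key, the best available reply is a signature under a
	// key the attacker generated, which the second server rejects.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	stolenPubkeyLogsIn = ed25519.Verify(pub, c, ed25519.Sign(otherPriv, c))
	return cardLogsIn, stolenSecretLogsIn, stolenPubkeyLogsIn
}

func main() {
	card, secret, pubkey := Compare()
	fmt.Printf("card login: %v, stolen secret: %v, stolen public key: %v\n", card, secret, pubkey)
}
```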

ssh and security

Posted Dec 10, 2003 20:23 UTC (Wed) by gswoods (guest, #37)

You can do it with PAM modules. We've got one that uses the TIS FWTK authentication server (free software) with the Axent SNK DES-based tokens (now made by PassGo).

ssh and security

Posted Dec 11, 2003 5:49 UTC (Thu) by dlang (subscriber, #313)

Thanks, I'll have to look into the details of PAM. I'm using the FWTK and the Defender tokens, but up until very recently I've been using a non-PAM distro.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds