ssh and security
Posted Dec 4, 2003 23:57 UTC (Thu) by dlang (subscriber, #313)
In reply to: ssh and security by scripter
Parent article: ssh and security
There are packages available to do one-time passwords (OPIE comes to mind, but I'm sure there are others). In addition I have seen several palmpilot packages over the years that implement different options.
Personally I use a hardware token I purchased several years ago that does the snk004 protocol. This protocol is implemented in the firewall toolkit so I can throw it on any system I want to protect. I actually have several that I administer where I care more about the authentication than sniffing, so I use telnet/ftp with good authentication as opposed to an encrypted connection without the authentication. It's a judgement call that should be made based on the risk in your system.
I would love to be able to tie something like this into ssh and get both, but without hacking the code ssh makes it very hard to do this. The closed source version of ssh has added the ability to ask an external program if a userid and password are correct, but that external program has no way to send a challenge to the user, so that mechanism can't be used for this type of thing.
One thing I didn't touch on in the letter is that most of these systems do rely on a shared secret, so that if one system is compromised you need to update all the other systems that you access. The new smartcards use public key encryption (and have the ability to hold multiple shared secrets securely), so they will lessen the work to be done when one system gets cracked.
David Lang
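As an added illustration of the one-time-password mechanism the comment above refers to (this is editor-supplied example code, not the commenter's code and not OPIE's implementation), the following models a hash-chain one-time password scheme of the S/KEY family that OPIE belongs to. The hash function (SHA-256), the chain length, the seed and the secret are all constructed for the example; real OPIE uses a different digest folding and a six-word encoding. The point it makes concrete is the one in the comment: the server must send the client a challenge (the sequence number and seed) before the client can compute a response, so an authentication hook that only receives a userid and a password cannot drive this kind of scheme.

```python
import hashlib
import hmac


def _h(data: bytes) -> bytes:
    """One step of the hash chain (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).digest()


def hash_chain(secret: str, seed: str, n: int) -> bytes:
    """Return x_n where x_0 = H(seed || secret) and x_k = H(x_{k-1}).

    Only the client, which knows the secret, can compute a low-numbered
    link; anyone holding x_k can verify x_{k-1} by hashing it once.
    """
    x = _h((seed + secret).encode())
    for _ in range(n):
        x = _h(x)
    return x


def enroll(secret: str, seed: str, count: int) -> dict:
    """Client-side enrollment: the server stores only the top of the chain."""
    return {"seed": seed, "seq": count, "last": hash_chain(secret, seed, count)}


def challenge(state: dict):
    """Server -> client: the sequence number and seed the client must use."""
    if state["seq"] <= 0:
        raise RuntimeError("chain exhausted; re-enroll with a fresh seed")
    return state["seq"] - 1, state["seed"]


def client_response(secret: str, seq: int, seed: str) -> bytes:
    """Client -> server: the link one step below what the server holds."""
    return hash_chain(secret, seed, seq)


def verify(state: dict, response: bytes) -> bool:
    """Server check: H(response) must equal the stored link.

    On success the stored link moves down the chain, so the same response
    can never be accepted twice (a replay of a sniffed password fails).
    """
    if state["seq"] <= 0:
        return False
    if hmac.compare_digest(_h(response), state["last"]):
        state["seq"] -= 1
        state["last"] = response
        return True
    return False


def run_demo() -> list:
    """Constructed scenario: one login, a replay of it, then a second login."""
    secret, seed = "correct horse", "ex01"  # constructed sample values
    state = enroll(secret, seed, count=5)
    results = []

    seq, sd = challenge(state)
    first = client_response(secret, seq, sd)
    results.append(verify(state, first))      # genuine login: True

    results.append(verify(state, first))      # replayed response: False

    seq, sd = challenge(state)
    results.append(verify(state, client_response(secret, seq, sd)))  # True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note that the server state holds no secret, only the current chain link, which is why an attacker who captures one response cannot log in again and cannot derive the next one. The comment's point about shared secrets still applies to the human side of the scheme: the same passphrase enrolled on several hosts has to be changed on all of them if any one of them is compromised.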