[Bug 1439] New: Adds Virtual Token (VToken) authentication method to kbdint

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Feb 8 17:16:33 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1439

           Summary: Adds Virtual Token (VToken) authentication method to
                    kbdint
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: pgsery at swcp.com


The Virtual Token (VToken) patch adds a kbdint device that provides a
new challenge-based authentication mechanism. The server calculates a
challenge from two secrets and a counter. You authenticate by proving
that you know the secrets by correctly answering the challenge. This
creates a software-based token, similar in function to commercial ones,
that can be run from your workstation or better yet, ubiquitous devices
such as PDAs, cell phones, calculators, and even pen and paper. 

VToken has the advantage of not only using cheap, generic devices but
also not being network-aware. Commercial tokens can only be used on
networks configured with a significant amount of dedicated
infrastructure; they're network-based. VToken can be run from any
machine running OpenSSH and a properly configured sshd_config file;
it's a host-based system.

The current challenge is a place-holder for a more rigorous one. It
uses the simple equation: Challenge=Secret*Counter Mod(PIN). The secret
is designed to be embedded in the virtual token, while you must keep
the PIN secret; the counter protects against replay attacks. Taking the
modulus of the product maps the answer into a number set (or something
like that) that . Ultimately, the calculation should probably be done
by taking the hash of the combined terms (anyone who captures the
current challenge will be able to calculate the secrets using brute
force).

vtoken.c is an example virtual token app. It prompts you for your PIN
and calculates the challenge response from the secret, which is
embedded in its source.

VToken in its present form should be used in conjunction with the
"Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435),
which allows you to use multiple authentication methods to log into a
machine. You'll want to use Pubkey together with VToken.

In the future, VToken will by itself provide two-factor
authentication. The secret will be embedded in the app and effectively
be embedded in your PDA, cell phone, etc. You'll keep your PIN
separate, of course, and use the two just like on commercial tokens.
