Smartcards & SSH

carl at bl.echidna.id.au
Thu Oct 19 10:53:53 EST 2000


> From: Damien Miller <djm at mindrot.org>
> To: Tommaso Cucinotta <t.cucinotta at sssup.it>
> Cc: Markus Friedl <markus.friedl at informatik.uni-erlangen.de>,
>    openssh-unix-dev at mindrot.org, carl at bl.echidna.id.au
> Subject: Re: Smartcards & SSH
> X-Paranoia: just because you're paranoid doesn't mean they aren't out to get you
> MIME-Version: 1.0
> Status: RO
> 
> On Wed, 18 Oct 2000, Tommaso Cucinotta wrote:
> 
> > > i don't understand what you exactly want...
> > 
> > What I was meaning is that I'd like not to have separate
> > applications to start for smartcard-aware SSH and "normal"
> > file-based SSH.
> > 
> > I would prefer a solution that allows a user to launch
> > his ssh-agent, then ssh-add a smartcard's key (just tell
> > the agent HOW to use the key with the SC, not giving
> > the key to the agent itself), and use ssh in the usual
> > way, except that I should enter smartcard's PIN instead
> > of the private key's passphrase.
> > 
> > So the problem is: is there anybody out there who can give me
> > hints/suggestions about
> > 
> > 1. how to incorporate a sort of "modularity" in SSH Agent, in
> >    such a way that it uses "cryptographic modules" to perform
> >    authentication, independently of the way such modules
> >    operate (it seems that the separation between ssh and
> >    ssh-agent wants to achieve just this, but now I have
> >    this problem of the "agent modularity"). Maybe
> >    PKCS#11 is a (Netscape-like) reasonable solution?
> 
> PKCS11 is how you would talk to the smartcards; you also need
> to modify ssh-agent so it knows which keys are in memory and
> which keys can be accessed through pkcs11.
> 
> Do you want to use the card as a keystore, or do you want
> to sign challenges on the card?
> 
> > 2. how could PAM be used to achieve the task. Does ssh-agent,
> >    by now, use PAM at all ? Is there a way to use PAM to
> >    achieve the agent's modularity ?
> 
> No - PAM deals with system authentication and knows nothing about
> crypto keys. There has been talk of a PAM module that does RSA
> authentication, but I haven't seen it yet.
> 
> > 3. What is a PAM radius agent and a SecurID token (I refer
> >    to "carl at bl.echidna.id.au"'s message) ?
> 
> SecurID is a token-based one-time-password system. The PAM radius
> module is used to talk to the proprietary SecurID server.
> 
> BTW where can I find this PAM radius module? The docs on the one I
> have say that it only does RADIUS accounting.

http://www.freeradius.org/pam_radius_auth/

If you're using it with (for example) SecurID, you need to hack it to put
the radius packet session sequence number into a file (and lock it, and
atomically update it etc.) - the original just makes up a sequence number
'at random', but as the range is only 0..255, collisions (and therefore
failed logins) are quite possible.

Carl
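The point Carl makes above is that an 8-bit RADIUS Identifier chosen at random collides often enough to cause failed logins, and the fix is a counter that survives across processes and is advanced under a lock. The example below is an added illustration written for this page; it is not code from pam_radius_auth, FreeRADIUS or the mailing-list thread. It keeps the counter in a file (the path, `/tmp/radius_seq.example`, is an assumption), takes an exclusive `fcntl()` lock around the read-increment-write, and, for contrast, computes the birthday-style probability that randomly drawn 8-bit identifiers collide within a batch of concurrent sessions.

```c
/* Added example (not from pam_radius_auth or the original mail): a
 * persistent RADIUS Identifier counter kept in a file and advanced under an
 * exclusive fcntl() lock, so concurrent PAM sessions never hand out the
 * same 8-bit Identifier. Compare with the collision probability of picking
 * the Identifier at random from 0..255. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed location for the demo; a real module would use a root-only dir. */
#define SEQ_FILE_DEFAULT "/tmp/radius_seq.example"

/* Hand out the next RADIUS Identifier (0..255) from the counter file at
 * `path`, creating it on first use. Returns -1 on error. The whole
 * read-increment-write happens under a blocking exclusive lock, and the
 * lock is released when the descriptor is closed. */
int radius_next_id(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;

    struct flock lk;
    memset(&lk, 0, sizeof lk);
    lk.l_type = F_WRLCK;      /* exclusive lock ... */
    lk.l_whence = SEEK_SET;
    lk.l_start = 0;
    lk.l_len = 0;             /* ... over the whole file */
    if (fcntl(fd, F_SETLKW, &lk) < 0) {
        close(fd);
        return -1;
    }

    unsigned char cur = 0;    /* a fresh (empty) file starts at 0 */
    ssize_t n = read(fd, &cur, 1);
    if (n < 0) {
        close(fd);
        return -1;
    }

    /* Store the identifier to hand out next; wraps 255 -> 0. */
    unsigned char next = (unsigned char)((cur + 1) & 0xff);
    if (lseek(fd, 0, SEEK_SET) < 0 || write(fd, &next, 1) != 1 || fsync(fd) < 0) {
        close(fd);
        return -1;
    }
    close(fd);                /* releases the lock */
    return cur;
}

/* Draw `count` identifiers (count <= 256) and report 1 if they are all
 * distinct, 0 if any repeats or an error occurs. */
int radius_ids_distinct(const char *path, int count)
{
    unsigned char seen[256];
    memset(seen, 0, sizeof seen);
    for (int i = 0; i < count; i++) {
        int id = radius_next_id(path);
        if (id < 0 || seen[id])
            return 0;
        seen[id] = 1;
    }
    return 1;
}

/* Probability that `sessions` identifiers drawn uniformly from 0..255
 * contain at least one duplicate (the "random Identifier" behaviour Carl
 * describes). Birthday bound: 1 - prod_{i<sessions} (256 - i) / 256. */
double random_id_collision_prob(int sessions)
{
    double no_collision = 1.0;
    for (int i = 0; i < sessions; i++)
        no_collision *= (256.0 - i) / 256.0;
    return 1.0 - no_collision;
}

int main(void)
{
    unlink(SEQ_FILE_DEFAULT);
    for (int i = 0; i < 3; i++)
        printf("locked counter handed out id %d\n", radius_next_id(SEQ_FILE_DEFAULT));
    printf("20 concurrent sessions with random ids: P(collision) = %.2f\n",
           random_id_collision_prob(20));
    return 0;
}
```

Twenty simultaneous RADIUS sessions drawing random 8-bit identifiers already have better than even odds of a duplicate, which the server answers with a mismatched or dropped reply; the counter file cannot collide until 256 requests are outstanding at once.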