CryptoCard patch
Pete Chown
Pete.Chown at skygate.co.uk
Wed Sep 13 21:59:05 EST 2000

Hein Roehrig wrote:
> I think for platforms supporting PAM this patch is not necessary
> because you can just use the respective PAM module.

Suppose I decided to have people log on to my systems using CRAM-MD5.
How could I implement that as a PAM module? I could implement the
server end using PAM, but I couldn't do the client end. The user
would have to have some separate program to calculate the MAC, and
then cut and paste the result into ssh.

Martin Forssen wrote:
> I agree 100%. This is also exactly why we wrote the
> keyboard-interactive authentication protocol for ssh2. [ ... ] The
> user may then act as an interface to whatever device one wishes to
> use.

Agreed, but this isn't very convenient. What would be nice is some
kind of PAM-like system that works on the client. Then you have a
CRAM-MD5 module on the server, and they authenticate the user by
talking between themselves. The client module asks the user for the
MAC secret, accepts a challenge from the server and sends back the
response. The server PAM module then logs the user in (or not).

Hopefully next weekend I will have time to get the OpenPGP stuff into
a reasonably usable state...

--
Pete
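
The client-module/server-module exchange described in the message above, as an added example that is not part of the original post and is not OpenSSH or PAM code: the response is computed as in RFC 2195 CRAM-MD5 (HMAC-MD5 over the server's challenge, keyed with the shared secret). The class and function names, the hostname and the user table are assumptions made for illustration.

```python
import hmac
import os
import time


def make_challenge(hostname="server.example"):
    # RFC 2195 style challenge: <random.timestamp@host>; hostname is a placeholder.
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>".encode()


def client_response(user, secret, challenge):
    # Client module: the secret never crosses the wire, only the keyed MAC does.
    digest = hmac.new(secret, challenge, "md5").hexdigest()
    return user.encode() + b" " + digest.encode()


class ServerModule:
    """Hypothetical server-side module holding the shared secrets."""

    def __init__(self, secrets):
        self.secrets = secrets      # user name -> shared secret (bytes)
        self.pending = set()        # challenges issued and not yet answered

    def start(self):
        challenge = make_challenge()
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge, response):
        # A challenge is accepted once only, so a captured response cannot be replayed.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        user, sep, digest = response.rpartition(b" ")
        if not sep:
            return False
        secret = self.secrets.get(user.decode("utf-8", "replace"))
        # Compute a MAC even for unknown users and compare in constant time.
        expected = hmac.new(secret or b"\0", challenge, "md5").hexdigest().encode()
        return secret is not None and hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    server = ServerModule({"pete": b"constructed-secret"})  # constructed sample data
    ch = server.start()
    resp = client_response("pete", b"constructed-secret", ch)
    print(ch.decode(), "->", resp.decode(), "->", server.verify(ch, resp))
```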