CryptoCard patch

Igmar Palsenberg i.palsenberg at jdimedia.nl
Thu Sep 14 00:30:03 EST 2000


Hi,

Since I'm not on this list I'll quote :)

-----------------------------------------------------------------------------
Hein Roehrig wrote:

>> I think for platforms supporting PAM this patch is not necessary
>> because you can just use the respective PAM module.

>Suppose I decided to have people log on to my systems using CRAM-MD5.
>How could I implement that as a PAM module?  I could implement the
>server end using PAM, but I couldn't do the client end.  The user
>would have to have some separate program to calculate the MAC, and
>then cut and paste the result into ssh.

PAM just writes text to the terminal, and asks for responses. What the
module actually does with it is of no interest to PAM.
I've programmed about everything with it you can think of.

You indeed would have to have a program that calculates the response, but
that also applies to CryptoCard, bioscans, etc, etc.

>> I agree 100%. This is also exactly why we wrote the
>> keyboard-interactive authentication protocol for ssh2.  [ ... ]  The
>> user may then act as an interface to whatever device one wishes to
>> use.

>Agreed, but this isn't very convenient.  What would be nice is some
>kind of PAM-like system that works on the client.  Then you have a
>CRAM-MD5 module on the server, and they authenticate the user by
>talking between themselves.  The client module asks the user for the
>MAC secret, accepts a challenge from the server and sends back the
>response.  The server PAM module then logs the user in (or not).

The above scenario is no problem at all. Nothing prevents you from letting the
client talk to the server in that case.

>Hopefully next weekend I will have time to get the OpenPGP stuff into
>a reasonably usable state...


	Regards,

		Igmar Palsenberg
		JDI Media Solutions


--
Igmar Palsenberg
JDI Media Solutions

Jansplaats 11
6811 GB Arnhem
The Netherlands

mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar
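
The CRAM-MD5 exchange discussed in this thread, as an added example that is not part of the original message or of any OpenSSH or PAM code: the server side issues a one-time challenge as prompt text, and a separate client helper computes the HMAC-MD5 response. The class and function names, the hostname and the hex-digest-at-the-prompt format are assumptions; the sample account is the one from RFC 2195.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(secret: bytes, challenge: str) -> str:
    """Client helper: HMAC-MD5 of the challenge keyed with the shared secret (RFC 2195)."""
    return hmac.new(secret, challenge.encode("ascii"), hashlib.md5).hexdigest()


class ChallengeServer:
    """Server end (hypothetical): what a PAM module could do behind its text prompts."""

    def __init__(self, secrets_by_user: dict, hostname: str = "server.example"):
        self.secrets_by_user = secrets_by_user
        self.hostname = hostname
        self.pending = {}  # user -> challenge still waiting for a response

    def issue(self, user: str) -> str:
        # A fresh random challenge per attempt, so a captured response is useless later.
        challenge = f"<{secrets.randbits(64)}.{int(time.time())}@{self.hostname}>"
        self.pending[user] = challenge
        return challenge

    def check(self, user: str, response: str) -> bool:
        # pop() makes every challenge single-use, whether or not the check succeeds.
        challenge = self.pending.pop(user, None)
        secret = self.secrets_by_user.get(user)
        if challenge is None or secret is None:
            return False
        expected = compute_response(secret, challenge).encode("ascii")
        given = response.strip().lower().encode("utf-8")
        return hmac.compare_digest(expected, given)  # constant-time comparison


def demo() -> tuple:
    server = ChallengeServer({"tim": b"tanstaaftanstaaf"})  # sample account from RFC 2195
    challenge = server.issue("tim")                # text the server writes to the terminal
    response = compute_response(b"tanstaaftanstaaf", challenge)  # run by the user's helper
    first = server.check("tim", response)          # accepted
    replay = server.check("tim", response)         # same response again: rejected
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The shared secret never crosses the wire, but the server has to hold it (or an equivalent HMAC key state) in recoverable form, which is the usual trade-off of this scheme.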






More information about the openssh-unix-dev mailing list