CryptoCard patch

Martin Forssen maf at appgate.com
Thu Sep 14 02:07:52 EST 2000


On 13 Sep, Pete Chown wrote:
> Martin Forssen wrote:
>> I agree 100%. This is also exactly why we wrote the
>> keyboard-interactive authentication protocol for ssh2.  [ ... ]  The
>> user may then act as an interface to whatever device one wishes to
>> use.
> 
> Agreed, but this isn't very convenient.  What would be nice is some
> kind of PAM-like system that works on the client.  Then you have a
> CRAM-MD5 module on the server, and they authenticate the user by
> talking between themselves.  The client module asks the user for the
> MAC secret, accepts a challenge from the server and sends back the
> response.  The server PAM module then logs the user in (or not).

I would rather say that it is very convenient, for some authentication
methods. Namely those methods which do not need any special code on
the client. CRAM-MD5 needs extra code on the client and is thus not a
good candidate for keyboard-interactive.

The point with keyboard-interactive is that once it is in place you do
not need any additional code on the client to handle some new
authentication methods (like for example CryptoCard, SecurID and other
token-cards). This is a very nice property if you have lots of different
clients, like Windows, Macs and N*Unix-versions.

PAM might be an ok solution for certain Unix versions but gets trickier
if one involves other platforms.

Keyboard-interactive is not the ultimate authentication method and it
doesn't solve all problems. But it is IMHO a very good way of solving
the problems with a certain class of authentication methods.

	/MaF

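An added illustration of the point made in the message above, not code from the original post or from OpenSSH: a toy Python model of the keyboard-interactive exchange (RFC 4256 SSH_MSG_USERAUTH_INFO_REQUEST / SSH_MSG_USERAUTH_INFO_RESPONSE) in which the server side runs a challenge/response token method while the client side only displays prompts and hands back whatever the user typed. The token algorithm (HMAC-SHA256 over a numeric challenge), the seeds, prompt texts and all function names are constructed stand-ins and not the real CryptoCard or SecurID scheme. The client function would need no change for a different token or for a plain password; it could not do CRAM-MD5, because there the client itself has to compute the MAC instead of passing a user-typed answer through.

```python
"""Toy model of SSH keyboard-interactive authentication (RFC 4256).
Constructed example: message encoding per RFC 4256 section 3; the
"token" is a stand-in (HMAC-SHA256 over a numeric challenge), not the
real CryptoCard or SecurID algorithm."""
import hashlib
import hmac
import os
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60
SSH_MSG_USERAUTH_INFO_RESPONSE = 61


def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4:off + 4 + n], off + 4 + n


def encode_info_request(name, instruction, prompts):
    """prompts: list of (text, echo) pairs, as in RFC 4256 section 3.2."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += ssh_string(name.encode()) + ssh_string(instruction.encode())
    out += ssh_string(b"")  # language tag, left empty
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += ssh_string(text.encode()) + bytes([1 if echo else 0])
    return out


def decode_info_request(msg):
    assert msg[0] == SSH_MSG_USERAUTH_INFO_REQUEST
    name, off = read_string(msg, 1)
    instruction, off = read_string(msg, off)
    _lang, off = read_string(msg, off)
    n = struct.unpack_from(">I", msg, off)[0]
    off += 4
    prompts = []
    for _ in range(n):
        text, off = read_string(msg, off)
        prompts.append((text.decode(), bool(msg[off])))
        off += 1
    return name.decode(), instruction.decode(), prompts


def encode_info_response(answers):
    out = bytes([SSH_MSG_USERAUTH_INFO_RESPONSE]) + struct.pack(">I", len(answers))
    for a in answers:
        out += ssh_string(a.encode())
    return out


def decode_info_response(msg):
    assert msg[0] == SSH_MSG_USERAUTH_INFO_RESPONSE
    n = struct.unpack_from(">I", msg, 1)[0]
    off, answers = 5, []
    for _ in range(n):
        a, off = read_string(msg, off)
        answers.append(a.decode())
    return answers


def card_response(seed: bytes, challenge: str) -> str:
    """What the (simulated) card computes when the user keys in the challenge."""
    return hmac.new(seed, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class TokenServer:
    """Server side: the only place that knows how the token works."""
    def __init__(self, seed: bytes):
        self.seed = seed          # per-user secret provisioned into the card
        self.challenge = None

    def first_request(self) -> bytes:
        self.challenge = "%08d" % (int.from_bytes(os.urandom(4), "big") % 10**8)
        return encode_info_request(
            "Token login", "Key the challenge into your card and type its response.",
            [("Challenge %s, response: " % self.challenge, False)])

    def check(self, response_msg: bytes) -> bool:
        if self.challenge is None:
            return False
        answers = decode_info_response(response_msg)
        if len(answers) != 1:     # RFC 4256: exactly one answer per prompt
            return False
        return hmac.compare_digest(answers[0].encode(),
                                   card_response(self.seed, self.challenge).encode())


def generic_client(request_msg: bytes, ask_user) -> bytes:
    """Client side: shows each prompt, returns whatever the user typed.
    Nothing here depends on which authentication method the server chose."""
    _name, _instruction, prompts = decode_info_request(request_msg)
    return encode_info_response([ask_user(text, echo) for text, echo in prompts])


def run_login(server_seed: bytes, card_seed: bytes) -> bool:
    """One full exchange: the user reads the challenge off the prompt, keys it
    into the card and types the card's answer back.  True if the server accepts."""
    server = TokenServer(server_seed)
    request = server.first_request()

    def user_types(text, _echo):
        challenge = text.split()[1].rstrip(",")
        return card_response(card_seed, challenge)

    return server.check(generic_client(request, user_types))
```

Only `TokenServer` and `card_response` know the token scheme; `generic_client` is the part that would ship in every client and it contains no method-specific logic, which is the property the message argues for. A client with a mismatched card seed fails the `check`, as does a response carrying the wrong number of answers.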
More information about the openssh-unix-dev mailing list