challenge-response token

Lourens Bordewijk bordewijk at fox-it.com
Thu Apr 4 21:32:33 EST 2002


Hello,

I have to find a solution to log on through OpenSSH to OpenBSD machines from
anywhere in the world (unsafe computers). So I think I must use a
challenge-response system with a hardware token that isn't connected to the
computer. I do not want to use an RSA ACE/SERVER, so I can't use SecurID? I
can't use challenge response mode with cryptocard, because I want to protect
it against an attacker that can break DES. Is it possible to use ActivCard
with OpenSSH and OpenBSD? Are there other solutions?

Is there anyone who can help me?

Thanx,

>SecurID is probably the easiest (for you and your users).  Cryptocard is
>probably the cheapest.  Activcard is probably the hardest to implement.

>I'd say they are all within the realm of "good".  Don't use challenge
>response mode with cryptocard if you wish to protect against an attacker
>that can break DES.  Your users won't like challenge/response mode anyway.

>Funny thing, cryptocard can store 3 keys and so could do 3DES if they
>wanted, or they could do a 2-key scheme which is unbreakable with any
>computing power.  Oh well.  I think I'll patent that and license it back
>to them. :-\



Lourens Bordewijk

Fox-IT Forensic IT Experts B.V.
Oude Delft 47
2611 BC  Delft
Tel: 015 - 21 91 111
________________________________________________________

http://www.fox-it.com
________________________________________________________





More information about the openssh-unix-dev mailing list