Openssh + challenge-response

Frank Cusack fcusack at fcusack.com
Fri Mar 29 06:21:56 EST 2002


On Thu, Mar 28, 2002 at 09:55:49AM +0100, Lourens Bordewijk wrote:
> Hello, 
> 
> I was searching the internet for a challenge-response system to
> authenticate an Openssh session with a hardware token. Now I found this,
> it's very old, so I want to know how's the situation today. I couldn't find
> much documentation.
[...]
> I read that it worked with openssh (that there are patches for it). If it's
> possible, what's the safest hardware token that I can/should use?
> Activcard One? Cryptocard? Is there a document that explains exactly the
> situation I want to use or how I can implement it?

Your question is off topic for openssh, but that said, there probably are
folks here with good experience with those cards.

SecurID is probably the easiest (for you and your users).  Cryptocard is
probably the cheapest.  Activcard is probably the hardest to implement.

I'd say they are all within the realm of "good".  Don't use challenge
response mode with cryptocard if you wish to protect against an attacker
that can break DES.  Your users won't like challenge/response mode anyway.

Funny thing, cryptocard can store 3 keys and so could do 3DES if they
wanted, or they could do a 2-key scheme which is unbreakable with any
computing power.  Oh well.  I think I'll patent that and license it back
to them. :-\

/fc




More information about the openssh-unix-dev mailing list