No interest in partial auth?

Erik Lotspeich erikvcl at silcom.com
Sat Aug 23 06:10:38 EST 2003


>     Well, even _I'm_ having trouble coming up with situations where 
> partial auth is useful, and I'm always breaking ssh :-)
> 
>     But I imagine you've got some creative uses...perhaps we can 

Dan,

If I understand correctly, the commercial version of SSH2 does support 
partial authentication.  And the OpenSSH client supports this feature also 
(I assume for the purpose of interacting with commercial SSH2 servers that 
require partial authentication).

In the particular application that I am considering, there is a need both
for a "login" password with the capability of authenticating against a
remote server (NIS, LDAP, Radius, etc.) and for requiring a public key.  
In this application, the private key will be stored on a biometric
authentication device with memory.  The end result will be two levels of
security: biometric (i.e.  publickey), and traditional (i.e. password).

I understand that my application seems quite unique, but I can imagine 
that any high-security application would want two levels of authentication 
to protect against a stolen key and/or password.  As external 
authentication methods become more prevalent (biometric and otherwise), 
the need for this will increase.

In the future, the implementation in my application may use the 
keyboard-interactive method and have a closer software/hardware 
interaction with the biometric device for increased security, but even at 
that point, we would need both password and keyboard-interactive methods.

> simultaneously satisfy your needs for functionality, the "cabal"'s need 
> for simplicity, and my enjoyment of doing things that I can't entirely 
> predict the consequence of.  All, why don't we create a new environment 
> variable, $SSH_AUTHTYPE, that contains the method by which the user 
> logged into the server?  We already allow users to enable or disable 
> certain types of auth; why not allow the shell to make its own decisions 
> based on what the user selected?  Instead of hardcoding a few decision 
> types, hand something like:
> 
> SSH_AUTHTYPE=password
> 
> or
> 
> SSH_AUTHTYPE=pubkey
> SSH_AUTHKEY=ssh-dss 
> 
> to shells for their own use -- a little like $SSH_CLIENT.  This should 
> be just a small patch, and would enable others to elegantly use their 
> preferred method of partial (not multimode, though) authentication.
> 
>     Speaking of shells -- it would be useful, so as to not excessively 
> impact other services, to have a sshd_config entry for a preshell -- a 
> shell that is used to execute the user's shell of choice.  This maps 
> well to the different goals of users and admins.

Although I am no security expert, I would argue for functionality that 
works like the commercial SSH2 version.  This would ensure compatibility 
and lessen the burden for those coming from the commercial version to 
OpenSSH.

Erik.
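The quoted proposal (a $SSH_AUTHTYPE variable plus a sshd_config "preshell") can be sketched as a small wrapper that enforces a two-method policy before the user's real shell starts. The script below is an added example written for this page, not code from the thread or from OpenSSH: SSH_AUTHTYPE, SSH_AUTHKEY, the comma-separated multi-method form "pubkey,password", and the PRESHELL_* settings are all assumptions taken from the proposal, and no released sshd sets them.

```shell
#!/bin/sh
# Hypothetical "preshell" wrapper sketching the proposal quoted above:
# sshd would export SSH_AUTHTYPE (and SSH_AUTHKEY for public-key logins)
# and run this script, which checks the login against a site policy
# before handing control to the user's real shell.  The variable names
# and the multi-method form "pubkey,password" are assumptions from the
# thread; no released sshd sets them.

# in_list ITEM LIST: succeed if ITEM is one of the comma-separated LIST entries.
in_list() {
    item=$1
    old_ifs=$IFS
    IFS=,
    for entry in $2; do
        if [ "$entry" = "$item" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# auth_policy_ok AUTHTYPES REQUIRED: succeed only when every method named
# in REQUIRED (e.g. "pubkey,password") is present in AUTHTYPES, the list
# sshd would report for this session.  A single-method login such as
# "password" therefore fails a two-factor policy; an empty REQUIRED means
# no policy and always succeeds.
auth_policy_ok() {
    authtypes=$1
    old_ifs=$IFS
    IFS=,
    for need in $2; do
        if ! in_list "$need" "$authtypes"; then
            IFS=$old_ifs
            return 1
        fi
    done
    IFS=$old_ifs
    return 0
}

# key_type_ok KEYTYPE ALLOWED: succeed if the key type sshd reported
# (e.g. "ssh-dss") is on the allowed list.  An empty KEYTYPE means no key
# took part in the login; that case is left to auth_policy_ok to reject.
key_type_ok() {
    [ -z "$1" ] && return 0
    in_list "$1" "$2"
}

# Decide for the current session, log the outcome, then exec the real
# shell.  PRESHELL_REQUIRE, PRESHELL_KEYTYPES and PRESHELL_USER_SHELL stand
# in for sshd_config-provided settings in this sketch.
preshell_main() {
    required=${PRESHELL_REQUIRE:-pubkey,password}
    keytypes=${PRESHELL_KEYTYPES:-ssh-rsa,ssh-dss}
    if auth_policy_ok "${SSH_AUTHTYPE:-}" "$required" \
       && key_type_ok "${SSH_AUTHKEY:-}" "$keytypes"; then
        logger -p auth.info \
            "preshell: accepted SSH_AUTHTYPE=${SSH_AUTHTYPE:-} for ${USER:-?}"
        exec "${PRESHELL_USER_SHELL:-/bin/sh}" "$@"
    fi
    logger -p auth.warning \
        "preshell: rejected SSH_AUTHTYPE=${SSH_AUTHTYPE:-} for ${USER:-?}"
    echo "login requires all of: $required" >&2
    exit 1
}

# Only act as the wrapper when installed under the name "preshell"; when
# sourced or run under another name, just define the functions above.
case "${0##*/}" in
    preshell) preshell_main "$@" ;;
esac
```

Two caveats for anyone tempted to build on this idea. A wrapper around the login shell only governs interactive sessions and commands; it does not stop a client that authenticates with one method and then opens port forwards or an sftp subsystem without ever requesting a shell, so the second factor has to be enforced by sshd itself before the session is accepted. Later OpenSSH releases do exactly that with the sshd_config directive `AuthenticationMethods` (for example `AuthenticationMethods publickey,password`), which makes the server require both methods in sequence and is the supported way to get the two-level login Erik describes.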