SRP secure remote password authentication
Jeremy Nysen
jnysen-openssh at triaptic.com.au
Thu Sep 18 08:58:34 EST 2003
--On Wednesday, 17 September 2003 12:25 PM -0700 Tom Wu <tom at arcot.com> wrote:
> Dan Kaminsky wrote:
>> Consider: You end up having to abandon OS level password systems. No
>> PAM, no MD5 passwords...SSH needs to take it all inhouse, because the
>
> Actually, it's just a different "format" for OS-level password systems, implemented via
> PAM to support the new EPS password records. So yes, you can't use crypt() or MD5, but
> EPS is merely a substitute for those. The PAM modules make EPS look like just another
> hash/salt algorithm.
I've been using Tom Holroyd's OpenSSH SRP patches for quite a while and they do exactly
that. Under Redhat, the PAM module makes the EPS verifiers transparent to the
applications, and lets EPS work with anything that uses PAM (e.g. Samba, login, imap,
pop, ldap, etc.). OpenSSH can still authenticate with EPS without the SRP patches through
the PAM subsystem, but obviously this doesn't use the SRP protocol.
Also, looking at the SRP terms of use license, it seems to me that although there is a
patent, there is not a patent problem. I would be all for the inclusion of something like
Tom Holroyd's patch into the official OpenSSH tree - even if it was only included as an
explicit compile-time switch.
--
Jeremy