two factor authentication

William Ahern william at 25thandClement.com
Sun Jul 23 13:56:21 EST 2006 

On Sun, Jul 23, 2006 at 01:32:46PM +1000, Darren Tucker wrote:
> William Ahern wrote:
> > On Sun, Jul 23, 2006 at 10:16:12AM +1000, Darren Tucker wrote:
> >> Going back to the first part: while requiring both password and 
> >> public-key would probably improve security, personally I think the 
> >> private key is another instance of "something you know" (although with 
> >> the useful property of being able to prove you know it without 
> >> disclosing it) since it can be copied, printed out, emailed...
> > 
> > Excluding public keys exported from a smart card. For real smart cards (i.e.
> > not USB memory sticks w/ a PKCS#11 library), the private key is not known
> > even by the user holding the card (unless you work at IBM and own an
> > electron scanning microscope).
> 
> That's true, and I should have mentioned it.  My statement above applies 
> only to the standard file-based public-key authentication (ie 
> ~/.ssh/id_rsa and friends).
> 

Personally, I don't like passwords, nor do I care much about "two-factor"
authentication (PINs aren't a step forward, maybe a fingerprint scanner on
the key fob itself...).

What I do care about is removing passwords from the equation entirely. And
it's a pain and a half to get OpenSSH working w/ OpenSC, and even more of a
pain to actually get OpenSC to work! WRT to OpenSC, I've never seen so much
code and so much labour amount to so little (that's not to slight OpenSC
developers, but it does speak to the abysmal state of the smart card market;
it's so close but so useless it's maddening).

OpenSSH actually shipping w/ workable smart card configurations would, I
think, have a similar effect on the state of computer security as when
OpenSSH killed telnet. It would light a rocket under the whole software
ecosystem. I can easily imagine Mozilla/Firefox following (yes, it has
PKCS#11 support, but the middleware isn't there), and then the skies the
limit. Everything else has already been SSL'ized, so the hard work is done
for POP, IMAP, etc.

Here at work I've been pushing to move toward smart cards (I have a pack of
Schlumberger Cryptoflex's on my desk) for a long time, but I can't sell it
to my bosses because the implementation path isn't clear enough (need
Windows and Linux and OS X client software). We rely on SSH heavily
(multiple implementations), so akward and proprietary RSA Security solutions
are out of the question.

More information about the openssh-unix-dev mailing list