two factor authentication

Alon Bar-Lev alon.barlev at gmail.com
Sun Jul 23 14:56:06 EST 2006


William Ahern wrote:
> OpenSSH actually shipping w/ workable smart card configurations would, I
> think, have a similar effect on the state of computer security as when
> OpenSSH killed telnet. It would light a rocket under the whole software
> ecosystem. I can easily imagine Mozilla/Firefox following (yes, it has
> PKCS#11 support, but the middleware isn't there), and then the sky's the
> limit. Everything else has already been SSL'ized, so the hard work is done
> for POP, IMAP, etc.
> 
> Here at work I've been pushing to move toward smart cards (I have a pack of
> Schlumberger Cryptoflex's on my desk) for a long time, but I can't sell it
> to my bosses because the implementation path isn't clear enough (need
> Windows and Linux and OS X client software). We rely on SSH heavily
> (multiple implementations), so awkward and proprietary RSA Security solutions
> are out of the question.

Hello,

I do not understand the exact problem you have.
Why won't you use smartcards?

I've written a PKCS#11 patch for OpenSSH; it works for Unix AND Windows.
So you can use almost any PKCS#11 compliant token.

http://alon.barlev.googlepages.com/openssh-pkcs11

You can use OpenSC PKCS#11 provider, but you may choose other implementations
as well, such as Athena, Aladdin, Siemens.

What do you call an awkward proprietary RSA Security solution? I hope not for PKCS#11.

Best Regards,
Alon Bar-Lev.



