two factor authentication

William Ahern william at 25thandClement.com
Sun Jul 23 17:43:45 EST 2006


On Sun, Jul 23, 2006 at 07:56:06AM +0300, Alon Bar-Lev wrote:
> Hello,
> 
> I do not understand the exact problem you have.

Well, the immediate problem is getting OpenSC to initialize the card.
Actually, a peer and I have gotten that far, _but_ we could not assert that
OpenSC was actually using the hardware for crypto operations, or simply
using a generated private key stored in the card's shared memory. It actually
appeared like the latter, but after several hours (well, days, really) spent
we had to give it up.

> Why won't you use smartcards?

Because I can't tell whether things are working properly, and unfortunately
I don't have any more time at the moment. My point is that trying to use
smart cards today is like trying to use SSH before OpenSSH, a PITA.

> I've written a PKCS#11 patch for OpenSSH, it works for Unix AND Windows.
> So you can use almost any PKCS#11 compliant token.
> 
> http://alon.barlev.googlepages.com/openssh-pkcs11
> 
> You can use OpenSC PKCS#11 provider, but you may choose other implementations
> as well, such as Athena, Aladdin, Siemens.

For Windows, yes. But for Linux I'm stuck w/ OpenSC.

> What do you call awkward proprietary RSA Security solution? I hope not for PKCS#11.
> 

A popular solution that RSA Security sells is a key fob w/ a clock and a
pseudo-random stream generated from a shared key pair (unknown proprietary
algorithm) called SecurID. To authenticate, your password is the most recent
output from the pseudo-random stream, which churns at a specific rate. Of
course, these require software support that is not available on free
software. I didn't describe it very well. Here's the URL:

	http://www.rsasecurity.com/node.asp?id=1156