two factor authentication
William Ahern
william at 25thandClement.com
Sun Jul 23 17:43:45 EST 2006
On Sun, Jul 23, 2006 at 07:56:06AM +0300, Alon Bar-Lev wrote:
> Hello,
>
> I do not understand the exact problem you have.
Well, the immediate problem is getting OpenSC to initialize the card.
Actually, a peer and I have gotten that far, _but_ we could not assert that
OpenSC was actually using the hardware for crypto operations, or simply
using a generated private key stored in the card's shared memory. It actually
appeared like the latter, but after several hours (well, days, really) spent
we had to give it up.
> Why won't you use smartcards?
Because I can't tell whether things are working properly, and unfortunately
I don't have any more time at the moment. My point is that trying to use
smart cards today is like trying to use SSH before OpenSSH, a PITA.
> I've written a PKCS#11 patch for OpenSSH, it works for Unix AND Windows.
> So you can use almost any PKCS#11 compliant token.
>
> http://alon.barlev.googlepages.com/openssh-pkcs11
>
> You can use OpenSC PKCS#11 provider, but you may choose other implementations
> as well, such as Athena, Aladdin, Siemens.
For Windows, yes. But for Linux I'm stuck w/ OpenSC.
> What do you call awkward proprietary RSA Security solution? I hope not for PKCS#11.
>
A popular solution that RSA Security sells is a key fob w/ a clock and a
pseudo-random stream generated from a shared key pair (unknown proprietary
algorithm) called SecurID. To authenticate, your password is the most recent
output from the pseudo-random stream, which churns at a specific rate. Of
course, these require software support that is not available on free
software. I didn't describe it very well. Here's the URL:
http://www.rsasecurity.com/node.asp?id=1156
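The token scheme described above (a shared secret plus a synchronised clock, with the current stream output used as the password) has an open, documented analogue in RFC 6238 TOTP. The following is an added example, not part of this thread and not SecurID's proprietary algorithm: it derives each code with HMAC-SHA1 over the current time step, and the server-side verifier accepts a small clock-drift window while refusing to accept a code for a time step it has already consumed, which is the replay check a practitioner would want. The secret, step size and window are constructed values for illustration.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # constructed: the rate at which the token "churns"
DIGITS = 6          # constructed: length of the displayed code
DRIFT_WINDOW = 1    # constructed: accept one step before/after to tolerate clock skew


def totp_at_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style truncation (RFC 4226) of HMAC-SHA1 over a 64-bit counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based code: the counter is simply the number of elapsed steps."""
    return totp_at_counter(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side: checks a submitted code against the shared secret.

    Keeps the highest time-step counter already accepted so that a code
    captured in transit cannot be replayed within the drift window.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 window: int = DRIFT_WINDOW, digits: int = DIGITS):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1   # no step consumed yet

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue                          # already used: reject replay
            expected = totp_at_counter(self.secret, counter, self.digits)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (also the RFC 6238 SHA-1 test-vector secret).
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    verifier = TokenVerifier(secret)
    print("current code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay rejected:  ", not verifier.verify(code, now))
```

The verifier's drift window and replay counter are the two details that distinguish a usable deployment from a toy: too wide a window extends the lifetime of any captured code, and without the counter the same code is valid for the whole window regardless of how many times it is submitted.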
More information about the openssh-unix-dev mailing list