two factor authentication

Douglas E. Engert deengert at anl.gov
Tue Jul 25 00:04:33 EST 2006



William Ahern wrote:
> On Sun, Jul 23, 2006 at 07:56:06AM +0300, Alon Bar-Lev wrote:
> 
>>Hello,
>>
>>I do not understand the exact problem you have.
> 
> 
> Well, the immediate problem is getting OpenSC to initialize the card.
> Actually, a peer and I have gotten that far, _but_ we could not assert that
> OpenSC was actually using the hardware for crypto operations, or simply
> using a generated private key stored in the card's shared memory.

To verify if the crypto is being done on the card, if you are using the
pcscd you could use its debug capabilities to watch the traffic between
the OpenSC application and pcscd. You could also use a USB debugger to
watch the traffic to the card reader. If the crypto is being done on
the card, you should see the APDUs with the crypto operations.

You may want to post a question about your specific card on the OpenSC
mail list too.

Depending on the card, it may or may not have a random number generator,
but should have at least RSA to use the private key on the card and the
ability to keep the private key on the card. If it does not, time to get
a different card.

> It actually
> appeared like the latter, but after several hours (well, days, really) spent
> we had to give it up.
> 
> 
>>Why won't you use smartcards?
> 
> 
> Because I can't tell whether things are working properly, and unfortunately
> I don't have any more time at the moment. My point is that trying to use
> smart cards today is like trying to use SSH before OpenSSH, a PITA.
> 

Agree!

> 
>>I've written a PKCS#11 patch for OpenSSH, it works for Unix AND Windows.
>>So you can use almost any PKCS#11 compliant token.
>>
>>http://alon.barlev.googlepages.com/openssh-pkcs11
>>
>>You can use OpenSC PKCS#11 provider, but you may choose other implementations
>>as well, such as Athena, Aladdin, Siemens.
> 
> 
> For Windows, yes. But for Linux I'm stuck w/ OpenSC.
> 
> 
>>What do you call awkward proprietary RSA Security solution? I hope not for PKCS#11.
>>
> 
> 
> A popular solution that RSA Security sells is a key fob w/ a clock and a
> pseudo-random stream generated from a shared key pair (unknown proprietary
> algorithm) called SecurID. To authenticate, your password is the most recent
> output from the pseudo-random stream, which churns at a specific rate. Of
> course, these require software support that is not available on free
> software. I didn't describe it very well. Here's the URL:
> 
> 	http://www.rsasecurity.com/node.asp?id=1156

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


