[PATCH] one-time ssh-agent confirmation password

paul sery pgsery at swcp.com
Sat Nov 24 15:12:12 EST 2007

Daniel Kahn Gillmor <dkg-openssh.com> wrote:

>Paul Sery (pgsery-swcp.com> wrote:
>> The patch (against 4.7p1) modifies gnome-ssh-askpass to optionally
>> generate a one-time password and transmits it to the user via an
>> out-of-band communication channel. If you can read the password and
>> enter it back into the gnome-ssh-askpass dialog, ssh-agent is
>> allowed to continue with the authentication process.

>This is an interesting idea.  Thanks for publishing!  I haven't had
>time to digest it enough to know if the general framework is something
>i want, but here's a couple quick notes about the diff:

I've cleaned up most of the clutter and tightened it up in general.

>Seeding with the time (in seconds since the UNIX epoch) means that
>every one of these one-time-passwords that happens in a given second
>is going to use the same random password.  So that password will be
>predictable -- probably not a property you intend the one time
>passwords to have.

Yes, my current implementation is a place-holder. I'd like guidance 
on whether to use arc4random_stir or something else. 

>Thanks again for publishing this idea.  For patches that you want
>people to consider against OpenSSH, you probably want to post them to
>the OpenSSH bugzilla (not just this mailing list):
> https://bugzilla.mindrot.org/
> That makes your work easier to find for people looking for it later.

Bug 1393.

Thanks for the advice and help! I hope it proves useful.


More information about the openssh-unix-dev mailing list