[PATCH] one-time ssh-agent confirmation password
pgsery at swcp.com
Sat Nov 24 15:12:12 EST 2007
Daniel Kahn Gillmor <dkg-openssh.com> wrote:
>Paul Sery (pgsery-swcp.com> wrote:
>> The patch (against 4.7p1) modifies gnome-ssh-askpass to optionally
>> generate a one-time password and transmits it to the user via an
>> out-of-band communication channel. If you can read the password and
>> enter it back into the gnome-ssh-askpass dialog, ssh-agent is
>> allowed to continue with the authentication process.
>This is an interesting idea. Thanks for publishing! I haven't had
>time to digest it enough to know if the general framework is something
>i want, but here's a couple quick notes about the diff:
I've cleaned up most of the clutter and tightened it up in general.
>Seeding with the time (in seconds since the UNIX epoch) means that
>every one of these one-time-passwords that happens in a given second
>is going to use the same random password. So that password will be
>predictable -- probably not a property you intend the one time
>passwords to have.
Yes, my current implementation is a place-holder. I'd like guidance
on whether to use arc4random_stir or something else.
>Thanks again for publishing this idea. For patches that you want
>people to consider against OpenSSH, you probably want to post them to
>the OpenSSH bugzilla (not just this mailing list):
> That makes your work easier to find for people looking for it later.
Thanks for the advice and help! I hope it proves useful.
More information about the openssh-unix-dev