[PATCH] Out-of-band challenge (OBC) authentication method

Carson Gaspar carson at taltos.org
Thu Feb 7 07:42:45 EST 2008


Daniel Kahn Gillmor wrote:

> It also occurs to me that if this is implemented, it could create a
> way for anonymous miscreants to cause a mailstorm for the targeted
> user simply by trying to log in as hir.  I think this is true even in
> conjunction with MultiAuth, because it doesn't look like the MultiAuth
> patch allows the server to mandate an order in which the
> authentication flavors are run (client-chooses-auth seems to be built
> into the SSH protocol, if i'm reading my ssh -vvv output correctly).
> If those challenges are 10-penny-apiece text messages, this auth
> method could rack up quite a bill.

The server can force auth order by limiting the auth methods it sends to 
the client (as it re-sends them every auth round). I implemented this 
back in 2000, but sadly never got it merged.

-- 
Carson
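The ordering rule Carson describes, as an added illustration that is not code from OpenSSH or from either patch under discussion: the server re-advertises the permitted methods on every userauth round, so it simply withholds the expensive out-of-band method until a cheap one has succeeded. Method names, the `Session` record and the challenge counter are assumptions made for this simulation.

```python
# Simulated SSH userauth negotiation in which the server enforces an
# authentication order by restricting the methods it advertises each round.
# Added example, not OpenSSH code; "publickey"/"obc" and the counter are
# assumptions for illustration only.

from dataclasses import dataclass, field

EXPENSIVE = "obc"          # out-of-band challenge, e.g. a paid text message
CHEAP = "publickey"        # must succeed before the server will send an OBC


@dataclass
class Session:
    user: str
    passed: set = field(default_factory=set)
    challenges_sent: int = 0    # how many OBC messages this session triggered


def advertised_methods(session: Session) -> list[str]:
    """Methods the server lists in its 'continue' reply for this auth round.
    The expensive method is only offered once the cheap one has succeeded."""
    if CHEAP in session.passed:
        return [EXPENSIVE]
    return [CHEAP]


def server_try(session: Session, method: str, proof: bool) -> tuple[bool, list[str]]:
    """Handle one userauth request; returns (authenticated, methods to continue with)."""
    if method not in advertised_methods(session):
        # Not offered this round: reject without doing any work for it.
        return False, advertised_methods(session)
    if method == EXPENSIVE:
        session.challenges_sent += 1       # the costly side effect we want to bound
    if proof:
        session.passed.add(method)
    done = {CHEAP, EXPENSIVE} <= session.passed
    return done, [] if done else advertised_methods(session)


def anonymous_run(user: str, attempts: int = 5) -> int:
    """A client with no credentials that keeps asking for the OBC method directly."""
    s = Session(user)
    for _ in range(attempts):
        server_try(s, EXPENSIVE, proof=False)
    return s.challenges_sent          # stays 0: no challenge is ever sent


def legit_run(user: str) -> tuple[bool, int]:
    """A client holding the key follows the advertised order and gets exactly one challenge."""
    s = Session(user)
    _, methods = server_try(s, CHEAP, proof=True)
    ok, _ = server_try(s, methods[0], proof=True)
    return ok, s.challenges_sent
```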