[PATCH] Out-of-band challenge (OBC) authentication method
Carson Gaspar
carson at taltos.org
Thu Feb 7 07:42:45 EST 2008
Daniel Kahn Gillmor wrote:
> It also occurs to me that if this is implemented, it could create a
> way for anonymous miscreants to cause a mailstorm for the targeted
> user simply by trying to log in as hir. I think this is true even in
> conjunction with MultiAuth, because it doesn't look like the MultiAuth
> patch allows the server to mandate an order in which the
> authentication flavors are run (client-chooses-auth seems to be built
> into the SSH protocol, if i'm reading my ssh -vvv output correctly).
> If those challenges are 10-penny-apiece text messages, this auth
> method could rack up quite a bill.
The server can force auth order by limiting the auth methods it sends to
the client (as it re-sends them every auth round). I implemented this
back in 2000, but sadly never got it merged.
--
Carson
More information about the openssh-unix-dev
mailing list