[PATCH] Out-of-band challenge (OBC) authentication method

Paul Sery pgsery at swcp.com
Thu Feb 7 16:20:33 EST 2008


On Wed, 6 Feb 2008, Ben Lindstrom wrote:
>
> To take this a step farther wouldn't it be better to build this more like
> the "ProxyCommand".  I'm not thrilled with the idea that we start adding
> massive amounts of authentication methods that are used by a dozen people.
> I'd rather see someone invest the time in a good external proxy method for
> adding in custom authentications (Even at that, I dislike it from a
> security view since it makes it easier to compromise the daemon).
>
I chose this implementation because I thought kbdint was designed for 
adding new auth methods. I understand not wanting to add new features, 
especially ones likely to remain unused. However, this method should prove 
popular if it delivers reliable, server-based two-factor authentication. 
The server-based model allows any organization or individual the ability 
to provide and use two-factor authentication.

> Also, email isn't very reliable and timely transmission of information.
> Even worse if you are sending it to an SMS gateway.
>
But is email (I'm unfamiliar with SMS particulars) reliable enough for 
this purpose? My personal experience says yes.


More information about the openssh-unix-dev mailing list