[PATCH] Out-of-band challenge (OBC) authentication method
Peter Stuge
stuge-openssh-unix-dev at cdy.org
Thu Feb 7 17:10:22 EST 2008
On Wed, Feb 06, 2008 at 10:20:33PM -0700, Paul Sery wrote:
> But is email reliable enough for this purpose? My personal
> experience says yes.
I would say no. Internet email gives no guarantees of any kind and
should not be considered reliable in any way. There is no end of
things that can disrupt email. In this case something as trivial as a
fairly long queue in one SMTP server on the path from sshd to user
can easily cause a delay long enough for the TCP stack to time out
the connection.
> (I'm unfamiliar with SMS particulars)
SMS isn't all that reliable either, though the GSM network is thus
far under much less stress than the internet, and so SMS performance
is fairly good. But SMS:es also does not have guaranteed delivery
times. Again, uncontrollable backlogs in the SMSC will cause
uncontrollable and unmeasurable delivery delays.
This is assuming you actually get to speak directly to an SMSC in
your country. This is usually not the case unless you pay a premium
for bulk SMS services, and even then it's likely you only get to talk
to a machine which is several hops away from the SMSC.
Both email and SMS may work well enough for some of course. It
depends on what kind of reliability one is ready to trade away
for the benefit of stronger authentication.
//Peter
More information about the openssh-unix-dev
mailing list