[PATCH] Out-of-band challenge (OBC) authentication method
Ben Lindstrom
mouring at eviladmin.org
Fri Feb 8 02:59:25 EST 2008
On Thu, 7 Feb 2008, Peter Stuge wrote:
> On Wed, Feb 06, 2008 at 10:20:33PM -0700, Paul Sery wrote:
[..]
>> (I'm unfamiliar with SMS particulars)
>
> SMS isn't all that reliable either, though the GSM network is thus
> far under much less stress than the internet, and so SMS performance
> is fairly good. But SMSes also do not have guaranteed delivery
> times. Again, uncontrollable backlogs in the SMSC will cause
> uncontrollable and unmeasurable delivery delays.
>
It isn't so much delays, but SMS messages can outright vanish as well.
I've been at a few conferences where folks have SMS messaged me for dinner
or to meet at a panel and I've failed to get them (not delayed.. they
just didn't show up).

Back when I was doing dial-in text paging I was assured to lose 1 out of
every 100 pages I sent to the pager company. It was almost like
clockwork, and the company didn't care. (Granted, I didn't care because
my paging software was a chatty beast and would nag at me every 15 minutes
so at worst during off-peak hours it would be 30 minutes assuming no one
else called me)

> This is assuming you actually get to speak directly to an SMSC in
> your country. This is usually not the case unless you pay a premium
> for bulk SMS services, and even then it's likely you only get to talk
> to a machine which is several hops away from the SMSC.
>
> Both email and SMS may work well enough for some of course. It
> depends on what kind of reliability one is ready to trade away
> for the benefit of stronger authentication.
>
I see SMS and Email working "well-enough" for daily usage, but I fear the
"oh shit" case...

You are 10,000 miles away from the site, your cell phone company's SMS
gateway is down (or you're on analog only).. your external email provider
is down.. /var/spool is filled on the box, Linux kernel has OOM and gone
on a killing spree sparing sshd, but taking out sendmail and others. Or
the one that I can attest semi-lately to which is EXT3 gains a nice bad
sector in the journal, the OS freaks, throwing the filesystem into read
only mode and you can't physically write anything to get mail off or on
the box.

I know these should be non-typical cases, but one should find a list of
the scariest events so they know their edge cases. =) Because it will be
under these cases you'll be swearing like a sailor as you hunt down
someone else to get at the box via console.

- Ben