Looking for Special Challenge-Response Auth PAM Module, or Similar
Demi Marie Obenour
demiobenour at gmail.com
Wed Aug 24 15:11:37 AEST 2022
On 8/23/22 09:15, Jochen Bern wrote:
> Hello everyone, I hope that it is acceptable to post an only *halfway*
> relevant request to the OpenSSH mailinglist ...
>
> These days, I was sent to do on-site maintenance on one of the Linux
> based appliances we make. The local admin led me to a rack and pointed
> to the KVM unit, with the screen showing the appliance's login prompt -
> no network access for my laptop, no physical access to the appliance
> (nowhere to be seen), please type your appliance's maintenance password
> into our hardware. Didn't much like that, and the surveillance camera a
> foot and a half above the keyboard didn't help any, either.
>
> So now I'm looking for a new (additional), replay-attack-safe
> authentication method to add to the product. Searched the web for
> "challenge-response" and "PAM" (so that it'll also work with sshd if
> needed), and so far, everything remotely acceptable seems to go back to
> three basic principles:
>
> -- Tokens like Yubikeys, which wouldn't have worked here thanks to no
> physical access.
>
> -- HOTP, which would lack the *single* strictly-(de|in)creasing counter
> to be replay safe (snarf response used on a "well worn" appliance,
> replay it on one with a "younger" counter, unless we start shipping
> appliances with *individual* secrets to boot).
>
> -- TOTP, which *would* be replay safe - if only our appliances weren't
> meant to sync against the customers' own NTP servers, so that their time
> can trivially be off or downright manipulated.
>
> What I'm looking for is a solution where the appliance would prompt with
> a *randomly chosen* challenge, random enough to make it unfeasible to
> try and wait for the challenge to repeat, the technician types the
> challenge into some device of his own (laptop, if need be), types the
> response displayed back into the appliance, and hey, nice camera you
> have there making an *entirely useless* recording.
>
> Would anyone here happen to know of such a beast?
From a more meta perspective:
- Having a shared secret used by all appliances is a really bad idea.
Root or even physical access to one appliance should not harm the
security of any other appliance.
- A determined attacker with physical access *will* be able to get
root on the box, so plan accordingly. You do not want the iOS
situation where researchers hoard exploits because they cannot do
their work without them.
- It seems that you are trying to prevent your customer (who presumably
owns the product) from being able to log in to their own devices.
Generally, this is considered rather consumer-unfriendly, so I
would like to know what the underlying reason for it is.
- Challenge-response will not prevent an attacker from injecting
their own data into the already-authenticated session. However,
given that you should be assuming that whoever has physical access
can get root (see above), this should not be a serious problem.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB288B55FFF9C22C1.asc
Type: application/pgp-keys
Size: 4885 bytes
Desc: OpenPGP public key
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220824/98d4c3d3/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220824/98d4c3d3/attachment-0001.asc>
More information about the openssh-unix-dev
mailing list