[Bug 1439] New: Adds Virtual Token (VToken) authentication method to kbdint

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Feb 8 17:16:33 EST 2008


           Summary: Adds Virtual Token (VToken) authentication method to
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 4.7p1
          Platform: All
        OS/Version: Linux
            Status: NEW
          Keywords: patch
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: pgsery at swcp.com

The Virtual Token (VToken) patch adds a kbdint device that provides a
new challenge-based authentication mechanism. The server calculates a
challenge from two secrets and a counter. You authenticate by proving
that you know the secrets by correctly answering the challenge. This
creates a software-based token, similar in function to commercial ones,
that can be run from your workstation or better yet, ubiquitous devices
such as PDAs, cell phones, calculators, and even pen and paper. 

VToken has the advantage of not only using cheap, generic devices but
also not being network-aware. Commercial tokens can only be used on
networks configured with a significant amount of dedicated
infrastructure; they're network-based. VToken can be from on any
machine running OpenSSH and a properly configured sshd_config file;
it's a host-based system.

The current challenge is a place-holder for a more rigorous one. It
uses the simple equation: Challenge=Secret*Counter Mod(PIN). The secret
is designed to be embedded in the virtual token, while you must keep
the PIN secret; the counter protects against replay attacks. Taking the
 modulus of the product maps the answer into a number set (or something
like that) that . Ultimately, the calculation should probably be done
by taking the hash of the combined terms (anyone who captures the
current challenge will be able to calculate the secrets using brute

vtoken.c is an example virtual token app. It prompts you for your PIN
and calculates the challenge response from the secret, which is
embedded in it's source.

VToken in it's present form should be used in conjunction with the
"Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435),
which allows you to use multiple authentication methods to log into a
machine. You'll want to use Pubkey together with VToken.

In the future, VToken will by itself will provide two-factor
authentication. The secret will be embedded in the app and effectively
be embedded in your PDA, cell phone, etc. You'll keep your PIN
separate, of course, and use the two just like on commercial tokens.

Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list