SecurID
Dan Kaminsky
dankamin at cisco.com
Tue Mar 20 10:02:55 EST 2001
> On Mon, 19 Mar 2001, Jeff Blaine wrote:
>
> > I'm not committing to anything yet, but is this something that will
> > be welcome if I do it? ... or shall I just hack the source again
> > to turn auth_password into something that does SecurID only for
> > our specific needs. Seems silly.
>
> I won't speak for Markus or the other OpenBSD developers, but I don't
> believe we should include code for proprietary authentication systems
> into OpenSSH.
I'd personally be tempted make an exception for cryptographic
hardware--beyond FIPS140 certification not being trivial to build nor
achieve, they operate in a domain outside of software while directly
contributing to the OpenSSH mission of increased security.
Beyond even the migration convenience that interfaces to proprietary
interfaces gives us(incidentally--do you have an objection to Cygwin? Or
even SSH on AIX?), the primary issue with proprietary *anything* is that its
usually grossly insecure and completely unaudited. Can we say the same for
authentication systems?
Biometric gadget APIs...yeah, probably insecure. SecureID, though? The
best argument against it--the secret hash function--was eliminated a few
months back. The only proprietary elements left are the secret keys and the
remote API.
Now, it is arguable that such access could, or even should be mediated
through the OS's PAM subsystem...but PAM isn't available for all operating
systems, and is an external dependancy in and of itself.
As a security administrator, I cannot argue that SecureID should be
suppressed simply because it's proprietary--it clearly improves security in
certain domains. I would argue that introducing even an optional dependancy
on a library we did not right is a major step, one that I'd like to avoid if
at all possible.
So, Damien--would you have any objection to a SecureID interface that simply
spoke the correct material on the wire to the central authentication server,
but never linked in proprietary APIs?
I speak only for myself, of course :-)
Yours Truly,
Dan Kaminsky, CISSP
http://www.doxpara.com
More information about the openssh-unix-dev
mailing list