Looking for Special Challenge-Response Auth PAM Module, or Similar

Jochen Bern Jochen.Bern at binect.de
Tue Aug 23 23:15:47 AEST 2022

Hello everyone, I hope that it is acceptable to post an only *halfway* 
relevant request to the OpenSSH mailing list ...

These days, I was sent to do on-site maintenance on one of the Linux 
based appliances we make. The local admin led me to a rack and pointed 
to the KVM unit, with the screen showing the appliance's login prompt - 
no network access for my laptop, no physical access to the appliance 
(nowhere to be seen), please type your appliance's maintenance password 
into our hardware. Didn't much like that, and the surveillance camera a 
foot and a half above the keyboard didn't help any, either.

So now I'm looking for a new (additional), replay-attack-safe 
authentication method to add to the product. Searched the web for 
"challenge-response" and "PAM" (so that it'll also work with sshd if 
needed), and so far, everything remotely acceptable seems to go back to 
three basic principles:

-- Tokens like Yubikeys, which wouldn't have worked here thanks to no 
physical access.

-- HOTP, which would lack the *single* strictly-(de|in)creasing counter 
to be replay safe (snarf response used on a "well worn" appliance, 
replay it on one with a "younger" counter, unless we start shipping 
appliances with *individual* secrets to boot).

-- TOTP, which *would* be replay safe - if only our appliances weren't 
meant to sync against the customers' own NTP servers, so that their time 
can trivially be off or downright manipulated.

What I'm looking for is a solution where the appliance would prompt with 
a *randomly chosen* challenge, random enough to make it unfeasible to 
try and wait for the challenge to repeat, the technician types the 
challenge into some device of his own (laptop, if need be), types the 
response displayed back into the appliance, and hey, nice camera you 
have there making an *entirely useless* recording.

Would anyone here happen to know of such a beast?

Thanks in advance,
Jochen Bern

Binect GmbH
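The exchange asked for above, written out as an added example (it is not code from the post, from OpenSSH, or from any existing PAM module): the appliance issues a random challenge, the technician's own device answers with a keyed response, and the appliance accepts each challenge exactly once. Assumptions: each appliance and the technician's device share a per-appliance 256-bit secret (the individual secret the post notes HOTP would need anyway); the response is a truncated HMAC-SHA256 over the appliance id and the challenge, cut to eight decimal digits so it can be typed from a screen; and the appliance tracks challenge age with its monotonic clock, so a wrong or manipulated NTP time does not affect validity. Wrapping `ApplianceAuthenticator` in a PAM conversation is left out; the names here are illustrative.

```python
"""Random-challenge / keyed-response login step (added example, not the post's code).

Assumed: per-appliance shared secret, HMAC-SHA256 response truncated to 8 digits,
single-use challenges aged by the appliance's monotonic clock (no wall-clock or NTP
dependence). Hypothetical names throughout.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_BYTES = 8     # 64 random bits: waiting for a challenge to repeat is infeasible
RESPONSE_DIGITS = 8     # short enough to read off a phone and type into the KVM
CHALLENGE_TTL_S = 120   # seconds the technician has to answer


def compute_response(secret: bytes, appliance_id: str, challenge_hex: str) -> str:
    """Technician-side step: derive the typed response from the displayed challenge.

    The appliance id is bound into the MAC so a response recorded on one appliance
    is useless on another even if a secret were ever reused across units."""
    msg = appliance_id.encode() + b"\0" + bytes.fromhex(challenge_hex)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3) to a fixed-width decimal code
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class ApplianceAuthenticator:
    """Appliance side: hands out random challenges and verifies each one at most once."""

    def __init__(self, appliance_id: str, secret: bytes, clock=time.monotonic):
        self.appliance_id = appliance_id
        self.secret = secret
        self.clock = clock          # monotonic: independent of NTP-synced wall time
        self.pending: dict[str, float] = {}   # challenge -> time issued

    def issue_challenge(self) -> str:
        """Prompt text shown at the login screen (hex, easy to type into a phone)."""
        challenge = secrets.token_hex(CHALLENGE_BYTES)
        self.pending[challenge] = self.clock()
        return challenge

    def verify(self, challenge_hex: str, response: str) -> bool:
        """True only for a fresh, unexpired challenge answered with the right code."""
        # Remove the challenge whatever the outcome: a camera recording of
        # (challenge, response) cannot be replayed, and guessing gets one try per challenge.
        issued = self.pending.pop(challenge_hex, None)
        if issued is None:
            return False                      # unknown or already-consumed challenge
        if self.clock() - issued > CHALLENGE_TTL_S:
            return False                      # answered too late
        expected = compute_response(self.secret, self.appliance_id, challenge_hex)
        return hmac.compare_digest(expected, response)   # constant-time comparison


if __name__ == "__main__":
    # Constructed demo: both sides hold the same (throwaway) secret.
    demo_secret = secrets.token_bytes(32)
    appliance = ApplianceAuthenticator("appliance-0001", demo_secret)
    shown = appliance.issue_challenge()           # what the KVM screen displays
    typed = compute_response(demo_secret, "appliance-0001", shown)   # what the phone shows
    print("challenge:", shown, "response:", typed, "accepted:", appliance.verify(shown, typed))
    print("replay of same pair accepted:", appliance.verify(shown, typed))
```

The single-use table is what makes the recorded keystrokes worthless: even a perfect capture of one challenge and its response cannot be presented again, and a second appliance with the same software but its own secret and id yields a different code for the same challenge. The bound on guessing is one attempt per issued challenge, which is why `verify` pops the entry before comparing rather than after a success.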