Looking for Special Challenge-Response Auth PAM Module, or Similar
b.candler at pobox.com
Wed Aug 24 00:56:38 AEST 2022
On 23/08/2022 14:15, Jochen Bern wrote:
> What I'm looking for is a solution where the appliance would prompt
> with a *randomly chosen* challenge, random enough to make it
> unfeasible to try and wait for the challenge to repeat, the technician
> types the challenge into some device of his own (laptop, if need be),
> types the response displayed back into the appliance, and hey, nice
> camera you have there making an *entirely useless* recording.
> Would anyone here happen to know of such a beast?
You mean something like SCRAM implemented as a PAM module? I can't
think of one offhand, but there's always pam_exec which is pretty easy
to plug into.
It might be possible to use pam_sasl
<http://www1.maths.leeds.ac.uk/~pmtvlm/pam-sasl.html> together with a
SASL challenge-response auth method.
You mentioned Yubikeys. Depending on the flavour of key, they implement
a range of different auth methods, some of which are suitable for
keyboard use; that is, you don't need to plug them directly into the
You've already ruled out Yubi OTP mode and HOTP mode, but there is also
an HMAC-SHA1 type of challenge-response. I found two modules: the
and http://www.average.org/chal-resp-auth/. Both are stateful to avoid
storing the secret in cleartext on the server, so may suffer from the
same replay attacks you discussed - but I haven't investigated in
detail. It might be possible to use the same secret on all targets, but
seed them with different challenges.
Aside: I did once play with a PAM module which allows manual U2F
challenge/response over ssh keyboard-interactive authentication. What
happened was, you'd connect via ssh and it would spit out a long
challenge. You paste this into a local client app, and press the button
on your U2F key. The client spits out a long response, and you paste it
back into the ssh session. Bingo.
It did actually work - but unfortunately the strings were way too long
to be practical over a KVM without copy-paste.
Ah yes... even documented it on github :-)
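The exchange the reply sketches (appliance shows a random challenge, the technician computes an HMAC-SHA1 response on a device of his own and types a short answer back), as an added example in Python. This is not code from the thread, from pam_exec, or from the challenge-response modules mentioned above. It assumes a 20-byte shared secret (the size a Yubikey HMAC-SHA1 slot holds), an 8-byte random challenge, and an RFC 4226 style truncation of the HMAC to 8 decimal digits so the response is typeable at a KVM; the secret value, the constants and the Appliance class are this example's own.

```python
"""Random-challenge HMAC-SHA1 challenge/response for an appliance console.

Added example, not code from the thread or from the PAM modules it names.
Assumed: a 20-byte secret shared between the appliance and the technician's
device, a 64-bit random challenge, and an 8-digit decimal response.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample secret; a real deployment provisions it into the token
# and keeps the appliance copy readable by root only.
SECRET = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")

CHALLENGE_BYTES = 8      # 2^64 values: waiting for a repeat is not feasible
RESPONSE_DIGITS = 8      # short enough to type, long enough for one attempt
CHALLENGE_TTL = 60.0     # seconds an unanswered challenge stays valid


def compute_response(secret: bytes, challenge_hex: str,
                     digits: int = RESPONSE_DIGITS) -> str:
    """Technician side: what the laptop (or an HMAC-SHA1 token) computes.

    HMAC-SHA1 over the raw challenge bytes, then the RFC 4226 dynamic
    truncation to a short decimal code so the answer can be typed by hand.
    """
    mac = hmac.new(secret, bytes.fromhex(challenge_hex), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Appliance:
    """Appliance side: issues random challenges and checks typed responses."""

    def __init__(self, secret: bytes, ttl: float = CHALLENGE_TTL,
                 clock=time.monotonic):
        self._secret = secret
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._outstanding = {}       # challenge -> expiry time

    def prompt(self) -> str:
        """Return a fresh random challenge for display on the console."""
        challenge = secrets.token_hex(CHALLENGE_BYTES)
        self._outstanding[challenge] = self._clock() + self._ttl
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        """Accept only a challenge this appliance issued, unexpired, unused.

        The challenge is consumed on the first attempt, right or wrong, so a
        camera recording of screen and keyboard cannot be replayed and the
        8-digit code cannot be brute-forced against one challenge.
        """
        expiry = self._outstanding.pop(challenge, None)
        if expiry is None or self._clock() > expiry:
            return False
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response.strip())


if __name__ == "__main__":
    appliance = Appliance(SECRET)
    chal = appliance.prompt()
    print("appliance prompts:", chal)
    resp = compute_response(SECRET, chal)        # typed into the laptop
    print("technician types :", resp)
    print("login ok         :", appliance.verify(chal, resp))
    print("replay ok        :", appliance.verify(chal, resp))   # False
```

If this were wired through pam_exec, the challenge would have to be shown by one pam_exec call (its stdout option) and the typed response read by a second one (expose_authtok passes it on stdin), so the outstanding challenge must be persisted between the two calls, for instance in a root-only file keyed by the PAM_USER and PAM_TTY variables pam_exec exports; that state is only the challenge, not the secret.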