Looking for Special Challenge-Response Auth PAM Module, or Similar

Michael Ströder michael at stroeder.com
Wed Aug 24 01:08:41 AEST 2022


On 8/23/22 15:15, Jochen Bern wrote:
> -- HOTP, which would lack the *single* strictly-(de|in)creasing counter 
> to be replay-safe (snarf response used on a "well worn" appliance, 
> replay it on one with a "younger" counter, unless we start shipping 
> appliances with *individual* secrets to boot).
> 
> -- TOTP, which *would* be replay-safe - if only our appliances weren't 
> meant to sync against the customers' own NTP servers, so that their time 
> can trivially be off or downright manipulated.
> 
> What I'm looking for is a solution where the appliance would prompt with 
> a *randomly chosen* challenge, random enough to make it unfeasible to 
> try and wait for the challenge to repeat, the technician types the 
> challenge into some device of his own (laptop, if need be), types the 
> response displayed back into the appliance, and hey, nice camera you 
> have there making an *entirely useless* recording.

OCRA?
(also one of the OATH standards)

https://www.rfc-editor.org/rfc/rfc6287

Ciao, Michael.
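What OCRA looks like for the exchange Jochen describes, as an added example (not code from this thread, and not part of OpenSSH): a minimal RFC 6287 implementation of the suite OCRA-1:HOTP-SHA1-6:QN08, i.e. HMAC-SHA1, a 6-digit response, an 8-digit numeric challenge and no counter, PIN, session or timestamp field. The appliance draws a random challenge, the technician's device returns HMAC(K, suite || 0x00 || challenge) truncated the HOTP way, and the appliance recomputes and compares; no strictly increasing counter and no clock is involved. The key and the expected values are the RFC 6287 Appendix C test vectors for this suite (the key is the ASCII bytes of "12345678901234567890"); the function names and the `run_exchange` simulation are mine.

```python
import hashlib
import hmac
import re
import secrets

# Added example of RFC 6287 OCRA, suite OCRA-1:HOTP-SHA1-6:QN08.
# Not from the openssh-unix-dev thread or from OpenSSH.
SUITE = "OCRA-1:HOTP-SHA1-6:QN08"
DIGITS = 6

# RFC 6287 Appendix C "standard 20-byte key": ASCII "12345678901234567890".
RFC_TEST_KEY = bytes.fromhex("3132333435363738393031323334353637383930")

# RFC 6287 Appendix C.1 vectors for this suite with RFC_TEST_KEY.
RFC6287_QN08_VECTORS = {
    "00000000": "237653", "11111111": "243178", "22222222": "653583",
    "33333333": "740991", "44444444": "608993", "55555555": "388898",
    "66666666": "816933", "77777777": "224598", "88888888": "750600",
    "99999999": "294470",
}


def _encode_numeric_question(question: str) -> bytes:
    """RFC 6287 Appendix B: a numeric challenge is converted decimal -> hex
    (no leading zeros, like BigInteger.toString(16)), then right-padded with
    '0' to 256 hex characters, giving the fixed 128-byte Q field."""
    q_hex = format(int(question, 10), "X")
    return bytes.fromhex(q_hex.ljust(256, "0"))


def ocra_response(key: bytes, question: str, suite: str = SUITE,
                  digits: int = DIGITS) -> str:
    """Technician-device side: compute the OCRA response for one challenge."""
    if not re.fullmatch(r"[0-9]{8}", question):
        raise ValueError("QN08 requires an 8-digit numeric challenge")
    # DataInput = OCRASuite || 0x00 || Q   (C, P, S and T are absent here)
    data = suite.encode("ascii") + b"\x00" + _encode_numeric_question(question)
    digest = hmac.new(key, data, hashlib.sha1).digest()
    # Dynamic truncation exactly as in HOTP (RFC 4226, section 5.3)
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def new_challenge() -> str:
    """Appliance side: a fresh, unpredictable 8-digit challenge from the OS CSPRNG."""
    return str(secrets.randbelow(10 ** 8)).zfill(8)


def verify_response(key: bytes, question: str, response: str) -> bool:
    """Appliance side: recompute and compare in constant time."""
    return hmac.compare_digest(ocra_response(key, question), response)


def rfc6287_vectors_pass(key: bytes = RFC_TEST_KEY) -> bool:
    """Self-check against the RFC 6287 Appendix C.1 table for this suite."""
    return all(ocra_response(key, q) == r for q, r in RFC6287_QN08_VECTORS.items())


def run_exchange(key: bytes) -> dict:
    """Simulate one login: the appliance prompts with a random challenge, the
    technician types it into his own device and types the response back.
    Also shows that the response only answers the challenge it was made for."""
    challenge = new_challenge()                 # shown on the appliance
    answer = ocra_response(key, challenge)      # computed on the technician's device
    accepted = verify_response(key, challenge, answer)
    # A recording of (challenge, answer) is useless against a different challenge:
    other = "00000000" if challenge != "00000000" else "11111111"
    replay_rejected = not verify_response(key, other, answer)
    return {"challenge": challenge, "response": answer,
            "accepted": accepted, "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print("RFC 6287 vectors:", "ok" if rfc6287_vectors_pass() else "MISMATCH")
    print(run_exchange(RFC_TEST_KEY))
```

Two caveats that follow directly from the thread: the appliance still needs the same secret the technician's device uses, so OCRA answers the "what do I type into the box" question but not the per-appliance-versus-fleet-wide secret question, and with one shared key a recorded response does replay against whichever appliance later happens to draw the identical challenge. The 8-digit numeric challenge of QN08 is the smallest practical choice; RFC 6287 also defines alphanumeric and hex challenges up to 64 characters (QA64, QH64), which is what to reach for if "waiting for the challenge to repeat" is the attack you worry about.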
