Looking for Special Challenge-Response Auth PAM Module, or Similar
michael at stroeder.com
Wed Aug 24 01:08:41 AEST 2022
On 8/23/22 15:15, Jochen Bern wrote:
> -- HOTP, which would lack the *single* strictly-(de|in)creasing counter
> to be replay safe (snarf response used on a "well worn" appliance,
> replay it on one with a "younger" counter, unless we start shipping
> appliances with *individual* secrets to boot).
> -- TOTP, which *would* be replay safe - if only our appliances weren't
> meant to sync against the customers' own NTP servers, so that their time
> can trivially be off or downright manipulated.
> What I'm looking for is a solution where the appliance would prompt with
> a *randomly chosen* challenge, random enough to make it unfeasible to
> try and wait for the challenge to repeat, the technician types the
> challenge into some device of his own (laptop, if need be), types the
> response displayed back into the appliance, and hey, nice camera you
> have there making an *entirely useless* recording.
(also one of the OATH standards)
More information about the openssh-unix-dev