Looking for Special Challenge-Response Auth PAM Module, or Similar
Brian Candler
b.candler at pobox.com
Wed Aug 24 17:30:30 AEST 2022
On 23/08/2022 22:42, Jochen Bern wrote:
> On 23.08.22 16:56, Brian Candler wrote:
>> You mean something like SCRAM implemented as a PAM module?
>
> Looks promising from the algorithm POV ... !
>
>> It might be possible to use pam_sasl [...] together with a SASL
>> challenge-
>> response auth method [...] like SCRAM.
>
> cyrus-sasl-scram seems to be available from standard OS repos,
> pam_exec comes with the default PAM installation. pam_sasl (or a SASL
> client to use with pam_exec, I don't see testsaslauthd allowing for
> presenting and processing a challenge first) I'll have to look into ...
>
If this is just to protect a single account, say an "engineer" login,
you could just make the user's login shell be a small program which does
the challenge/response, and then execs the real shell if successful.
I rather like the QR code idea given by someone else:
* generate a small random value (e.g. 6-digit PIN)
* encrypt it with public key
* show the encrypted value as a QR code
* user decrypts it and types in the decrypted value
* permit login if they match
No secret information needs to be stored on the target system at all,
and they can all be identical.
More information about the openssh-unix-dev
mailing list