This is a discussion on Re: two factor authentication within the OpenSSH Development forums, part of the Networking and Network Related category; On Sun, Jul 23, 2006 at 01:32:46PM +1000, Darren Tucker wrote: > William Ahern wrote: > > On ...
On Sun, Jul 23, 2006 at 01:32:46PM +1000, Darren Tucker wrote:
> William Ahern wrote:
> > On Sun, Jul 23, 2006 at 10:16:12AM +1000, Darren Tucker wrote:
> >> Going back to the first part: while requiring both password and
> >> public-key would probably improve security, personally I think the
> >> private key is another instance of "something you know" (although with
> >> the useful property of being able to prove you know it without
> >> disclosing it) since it can be copied, printed out, emailed...
> >
> > Excluding public keys exported from a smart card. For real smart cards (i.e.
> > not USB memory sticks w/ a PKCS#11 library), the private key is not known
> > even by the user holding the card (unless you work at IBM and own an
> > electron scanning microscope).
>
> That's true, and I should have mentioned it. My statement above applies
> only to the standard file-based public-key authentication (ie
> ~/.ssh/id_rsa and friends).
>

Personally, I don't like passwords, nor do I care much about "two-factor" authentication (PINs aren't a step forward, maybe a fingerprint scanner on the key fob itself...). What I do care about is removing passwords from the equation entirely. And it's a pain and a half to get OpenSSH working w/ OpenSC, and even more of a pain to actually get OpenSC to work! WRT OpenSC, I've never seen so much code and so much labour amount to so little (that's not to slight OpenSC developers, but it does speak to the abysmal state of the smart card market; it's so close but so useless it's maddening).

OpenSSH actually shipping w/ workable smart card configurations would, I think, have a similar effect on the state of computer security as when OpenSSH killed telnet. It would light a rocket under the whole software ecosystem. I can easily imagine Mozilla/Firefox following (yes, it has PKCS#11 support, but the middleware isn't there), and then the sky's the limit. Everything else has already been SSL'ized, so the hard work is done for POP, IMAP, etc.
Here at work I've been pushing to move toward smart cards (I have a pack of Schlumberger Cryptoflex's on my desk) for a long time, but I can't sell it to my bosses because the implementation path isn't clear enough (need Windows and Linux and OS X client software). We rely on SSH heavily (multiple implementations), so awkward and proprietary RSA Security solutions are out of the question.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://lists.mindrot.org/mailman/lis...enssh-unix-dev
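As an added illustration that is not part of the thread: the "both password and public key" policy discussed above can be expressed directly in a current sshd_config (OpenSSH 6.2 or later, which postdates this 2006 exchange); the `backup` account name in the Match block is an assumed example.

```sshconfig
# sshd_config (server side), added example: every login must present a
# public key AND then a password, in that order. One factor alone fails.
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password

# Assumed automation account that is allowed key-only login; everything
# else keeps the two-method requirement above.
Match User backup
    AuthenticationMethods publickey
```

On the client side the public-key step can come from a smart card instead of a copyable ~/.ssh/id_rsa by setting `PKCS11Provider` in ssh_config to the OpenSC module (path is distribution-specific, e.g. /usr/lib/opensc-pkcs11.so is an assumption), which is what turns the key into "something you have" rather than "something you know".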