Hello,

I have to find a solution to log on through OpenSSH to OpenBSD machines from anywhere in the world (unsafe computers). So I think I must use a challenge-response system with a hardware token that isn't connected to the computer. I do not want to use an RSA ACE/SERVER, so I can't use SecurID? I can't use challenge-response mode with cryptocard, because I want to protect it against an attacker that can break DES. Is it possible to use ActivCard with OpenSSH and OpenBSD? Are there other solutions? Is there anyone who can help me?

Thanx,

> SecurID is probably the easiest (for you and your users). Cryptocard is
> probably the cheapest. Activcard is probably the hardest to implement.
> I'd say they are all within the realm of "good". Don't use challenge
> response mode with cryptocard if you wish to protect against an attacker
> that can break DES. Your users won't like challenge/response mode anyway.
> Funny thing, cryptocard can store 3 keys and so could do 3DES if they
> wanted, or they could do a 2-key scheme which is unbreakable with any
> computing power. Oh well. I think I'll patent that and license it back
> to them. :-\

Lourens Bordewijk
Fox-IT Forensic IT Experts B.V.
Oude Delft 47
2611 BC Delft
Tel: 015 - 21 91 111
________________________________________________________
http://www.fox-it.com
________________________________________________________
On Thu, Apr 04, 2002 at 01:32:33PM +0200, Lourens Bordewijk wrote:
> Hello,
>
> I have to find a solution to log on through OpenSSH to OpenBSD machines from
> anywhere in the world (unsafe computers). So I think I must use a
> challenge-response system with a hardware token that isn't connected to the
> computer. I do not want to use an RSA ACE/SERVER, so I can't use SecurID? I
> can't use challenge-response mode with cryptocard, because I want to protect
> it against an attacker that can break DES. Is it possible to use ActivCard
> with OpenSSH and OpenBSD? Are there other solutions?

So use synchronous mode with cryptocard. Or yes, you can use activcard. You will have to use their server (sounds like you don't want to do that) or buy their dev kit which is a bit pricy and then write a lot of code.

/fc
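For readers unfamiliar with the "synchronous mode" the reply recommends, here is an added illustration (not code from the thread, and not the CRYPTOCard or ActivCard algorithm) of how an event-synchronous token works: the token and the server share a secret and a counter, and each login code is derived from the counter alone, so there is no challenge for the user to type. The construction used is HOTP from RFC 4226 (HMAC-SHA1 over the counter, then dynamic truncation); the secret below is the RFC's published test key, used here only so the output can be checked against the RFC's own vectors. The server side keeps a small look-ahead window so a token that was pressed a few times without logging in can resynchronise, and it advances its counter past every accepted code so a captured code cannot be replayed.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); an
# assumption for this example, not a key from the thread.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class SynchronousVerifier:
    """Server-side state for one event-synchronous token.

    `counter` is the next counter value the server expects.  `window`
    bounds how far ahead the token may have drifted (button presses
    that never reached the server) before the user needs manual
    resynchronisation."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, otp: str) -> bool:
        # Only counters at or ahead of the expected value are tried, so a
        # code that has already been accepted (or any older one) is rejected:
        # this is the replay protection of synchronous mode.
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1  # burn this and every earlier code
                return True
        return False


class SynchronousToken:
    """The hardware token side: press the button, get a code, counter += 1."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def demo() -> list:
    """Walk through a login, a replay attempt, a drifted token and an
    out-of-window token; returns the accept/reject outcomes in order."""
    token = SynchronousToken(DEMO_SECRET)
    server = SynchronousVerifier(DEMO_SECRET, window=5)
    first = token.press()
    results = [server.verify(first)]          # fresh code: accepted
    results.append(server.verify(first))      # same code again: rejected (replay)
    for _ in range(3):                        # user pressed the button idly
        token.press()
    results.append(server.verify(token.press()))  # drift of 3 < window: accepted
    for _ in range(10):                       # far more idle presses than the window
        token.press()
    results.append(server.verify(token.press()))  # drift of 10 > window: rejected
    return results


if __name__ == "__main__":
    print(demo())
```

The window is the usual trade-off in synchronous schemes: a larger window tolerates more drift but gives a guesser more valid codes per attempt, which is why deployments pair it with login rate limiting.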