bugzilla-daemon at bugzilla.mindrot.org
2008-Feb-08 06:16 UTC
[Bug 1439] New: Adds Virtual Token (VToken) authentication method to kbdint
https://bugzilla.mindrot.org/show_bug.cgi?id=1439

Summary: Adds Virtual Token (VToken) authentication method to kbdint
Classification: Unclassified
Product: Portable OpenSSH
Version: 4.7p1
Platform: All
OS/Version: Linux
Status: NEW
Keywords: patch
Severity: normal
Priority: P2
Component: sshd
AssignedTo: bitbucket at mindrot.org
ReportedBy: pgsery at swcp.com

The Virtual Token (VToken) patch adds a kbdint device that provides a new challenge-based authentication mechanism. The server calculates a challenge from two secrets and a counter. You authenticate by proving that you know the secrets by correctly answering the challenge. This creates a software-based token, similar in function to commercial ones, that can be run from your workstation or better yet, ubiquitous devices such as PDAs, cell phones, calculators, and even pen and paper.

VToken has the advantage of not only using cheap, generic devices but also not being network-aware. Commercial tokens can only be used on networks configured with a significant amount of dedicated infrastructure; they're network-based. VToken can be run on any machine running OpenSSH and a properly configured sshd_config file; it's a host-based system.

The current challenge is a place-holder for a more rigorous one. It uses the simple equation: Challenge=Secret*Counter Mod(PIN). The secret is designed to be embedded in the virtual token, while you must keep the PIN secret; the counter protects against replay attacks. Taking the modulus of the product maps the answer into a number set (or something like that) that . Ultimately, the calculation should probably be done by taking the hash of the combined terms (anyone who captures the current challenge will be able to calculate the secrets using brute force).

vtoken.c is an example virtual token app. It prompts you for your PIN and calculates the challenge response from the secret, which is embedded in its source.

VToken in its present form should be used in conjunction with the "Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435), which allows you to use multiple authentication methods to log into a machine. You'll want to use Pubkey together with VToken.

In the future, VToken will by itself provide two-factor authentication. The secret will be embedded in the app and effectively be embedded in your PDA, cell phone, etc. You'll keep your PIN separate, of course, and use the two just like on commercial tokens.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
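An added example, not part of the original report or the VToken patch: it measures how many four-digit PINs remain consistent with observed answers under the placeholder equation when the embedded secret is known, and sketches one possible "hash of the combined terms" replacement. The sample secret, PIN and key are constructed, and the function names and the HMAC-SHA256 construction with HOTP-style truncation are assumptions made here.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the VToken patch.
SECRET = 123457          # integer secret embedded in the token app
PIN = 4271               # four-digit PIN known only to the user

def placeholder_answer(secret: int, counter: int, pin: int) -> int:
    """The page's placeholder equation: Secret * Counter mod PIN."""
    return (secret * counter) % pin

def consistent_pins(secret, observed, pin_range=range(1000, 10000)):
    """PINs that reproduce every observed (counter, answer) pair.

    Models the exposure when the token's embedded secret is known and
    answers were seen on the wire. The answer is always below the PIN,
    and the PIN must divide secret*counter - answer, so few values fit.
    """
    return [p for p in pin_range
            if all(placeholder_answer(secret, c, p) == a for c, a in observed)]

def hashed_answer(key: bytes, counter: int, pin: str, digits: int = 6) -> str:
    """Hash of the combined terms, done here as HMAC-SHA256 over
    counter || PIN with HOTP-style truncation (RFC 4226). An assumption
    about what "taking the hash" could look like, not the patch's code.
    A short PIN stays guessable if the key leaks, so the key must be
    long and random.
    """
    msg = struct.pack(">Q", counter) + pin.encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    seen = [(c, placeholder_answer(SECRET, c, PIN)) for c in (1, 2)]
    print("after 1 answer:", consistent_pins(SECRET, seen[:1]))
    print("after 2 answers:", consistent_pins(SECRET, seen))
    key = bytes(range(16))  # constructed 128-bit key; use a random one in practice
    print("hashed answer:", hashed_answer(key, 1, str(PIN)))
```
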
bugzilla-daemon at bugzilla.mindrot.org
2008-Feb-08 06:59 UTC
[Bug 1439] Adds Virtual Token (VToken) authentication method to kbdint
https://bugzilla.mindrot.org/show_bug.cgi?id=1439

--- Comment #1 from Paul Sery <pgsery at swcp.com> 2008-02-08 17:59:52 ---
Created an attachment (id=1453)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1453)
Virtual Token (VToken) challenge authentication method
bugzilla-daemon at bugzilla.mindrot.org
2008-Jun-14 17:57 UTC
[Bug 1439] Adds Virtual Token (VToken) authentication method to kbdint
https://bugzilla.mindrot.org/show_bug.cgi?id=1439

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX
                 CC|                            |dtucker at zip.com.au

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2008-06-15 03:57:50 ---
Thanks, but we won't be implementing any additional experimental challenge response authentication methods in the base code.

If you want to do something like this, you may want to do it through one of the platform methods such as PAM bsdauth. Alternatively, you could implement the skey interface and point configure that.
bugzilla-daemon at bugzilla.mindrot.org
2008-Jul-22 02:21 UTC
[Bug 1439] Adds Virtual Token (VToken) authentication method to kbdint
https://bugzilla.mindrot.org/show_bug.cgi?id=1439

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2008-07-22 12:21:06 ---
Mass update RESOLVED->CLOSED after release of openssh-5.1