Hi,

I had a contractor write a patch to allow CryptoCard support in OpenSSH. It works with portable openssh-2.1.1p4, and it was posted to the SSH mailing lists, but I see that it hasn't been included in the openssh-2.2.0p1 release.

Would it be possible to include this patch in the official release? The reason why I ask is because it will not be difficult to do that, it will support the CryptoCard users, and I don't want to have to hire a contractor again every time a new version of OpenSSH comes out. Btw, the patch is under the same license as OpenSSH itself, so there is no problem with licensing.

Also, PuTTY, which is a free open-source SSH client for Windows, and which works with OpenSSH, also now has CryptoCard support. I also hired the author of that program to include it.

Here is the patch for openssh-2.1.1p4: http://www.sidereal.kz/~hh/openssh-cryptocard.patch.gz

Please let me know if it will be possible to include this patch in future releases. If there are specific reasons why it can't be, please let me know, because maybe I can address them. Otherwise I will ask our contractor to update the patch for them.

Thanks,
e
Hi,

I tried to find a note about CryptoCard support on the web page of PuTTY but I couldn't find it... How should I configure it?

Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

>>> erich <hh at sidereal.kz> 13.09.2000 06:10:19 >>>
> Hi,
>
> I had a contractor write a patch to allow CryptoCard support in OpenSSH. It works with portable openssh-2.1.1p4, and it was posted to the SSH mailing lists, but I see that it hasn't been included in the openssh-2.2.0p1 release.
>
> Would it be possible to include this patch in the official release? The reason why I ask is because it will not be difficult to do that, it will support the CryptoCard users, and I don't want to have to hire a contractor again every time a new version of OpenSSH comes out. Btw, the patch is under the same license as OpenSSH itself, so there is no problem with licensing.
>
> Also, PuTTY, which is a free open-source SSH client for Windows, and which works with OpenSSH, also now has CryptoCard support. I also hired the author of that program to include it.
>
> Here is the patch for openssh-2.1.1p4: http://www.sidereal.kz/~hh/openssh-cryptocard.patch.gz
>
> Please let me know if it will be possible to include this patch in future releases. If there are specific reasons why it can't be, please let me know, because maybe I can address them. Otherwise I will ask our contractor to update the patch for them.
>
> Thanks,
> e
hh at sidereal.kz said:
> I had a contractor write a patch to allow CryptoCard support in
> OpenSSH. [...] Would it be possible to include this patch
> in the official release?

I think for platforms supporting PAM this patch is not necessary because you can just use the respective PAM module. Moreover, introducing new authentication types (instead of plugging into password or TIS authentication) always has the disadvantage of not interoperating with versions of ssh that have not been patched.

-Hein
On 13 Sep, Hein Roehrig wrote:
> hh at sidereal.kz said:
>> I had a contractor write a patch to allow CryptoCard support in
>> OpenSSH. [...] Would it be possible to include this patch
>> in the official release?
>
> I think for platforms supporting PAM this patch is not necessary
> because you can just use the respective PAM module. Moreover,
> introducing new authentication types (instead of plugging into
> password or TIS authentication) always has the disadvantage of not
> interoperating with versions of ssh that have not been patched.

I agree 100%. This is also exactly why we wrote the keyboard-interactive authentication protocol for ssh2. This protocol adds generic support for all sorts of authentication methods which only need to interact with the user on the client side. The user may then act as an interface to whatever device one wishes to use.

/MaF

PS I will submit a new and updated draft (error corrections only) of keyboard-interactive as soon as I find the time.
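The exchange MaF describes, as an added example that is not part of the original thread or of any SSH implementation. It encodes and parses SSH_MSG_USERAUTH_INFO_REQUEST (60) and SSH_MSG_USERAUTH_INFO_RESPONSE (61) in the layout of the keyboard-interactive draft as later published in RFC 4256; the method name, prompt text, challenge digits and answer are constructed for illustration. The part a server or client author should take from it is the reader: every count and length taken off the wire is checked against the bytes actually received before it is used.

```go
package main

import "errors"
import "fmt"

const msgInfoRequest, msgInfoResponse = 60, 61 // keyboard-interactive draft (later RFC 4256)

type Prompt struct{ Text string; Echo bool } // one prompt of SSH_MSG_USERAUTH_INFO_REQUEST

// SSH "string" is a big-endian uint32 length plus the bytes; "boolean" is one byte.
func putU32(b []byte, v uint32) []byte { return append(b, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) }
func putStr(b []byte, s string) []byte  { return append(putU32(b, uint32(len(s))), s...) }
func boolByte(v bool) byte              { if v { return 1 }; return 0 }

// reader decodes with a sticky error: every length read off the wire is checked
// against the bytes actually present, so a short or lying message ends in an error.
type reader struct {
	b   []byte
	err error
}

func newReader(msg []byte, typ byte) *reader {
	if len(msg) == 0 || msg[0] != typ {
		return &reader{err: errors.New("unexpected message type")}
	}
	return &reader{b: msg[1:]}
}

func (r *reader) take(n uint64) []byte {
	if r.err == nil && uint64(len(r.b)) < n {
		r.err = errors.New("truncated message")
	}
	if r.err != nil {
		return nil
	}
	out := r.b[:n]
	r.b = r.b[n:]
	return out
}

func (r *reader) u32() uint32 {
	if p := r.take(4); p != nil {
		return uint32(p[0])<<24 | uint32(p[1])<<16 | uint32(p[2])<<8 | uint32(p[3])
	}
	return 0
}
func (r *reader) str() string   { return string(r.take(uint64(r.u32()))) }
func (r *reader) boolean() bool { p := r.take(1); return p != nil && p[0] != 0 }

// BuildInfoRequest (server side): name, instruction, empty language tag,
// num-prompts, then each prompt with its echo flag (false = hide the input).
func BuildInfoRequest(name, instruction string, prompts []Prompt) []byte {
	b := putStr(putStr(putStr([]byte{msgInfoRequest}, name), instruction), "")
	b = putU32(b, uint32(len(prompts)))
	for _, p := range prompts {
		b = append(putStr(b, p.Text), boolByte(p.Echo))
	}
	return b
}

// ParseInfoRequest (client side) returns what the user should be shown.
func ParseInfoRequest(msg []byte) (name, instruction string, prompts []Prompt, err error) {
	r := newReader(msg, msgInfoRequest)
	name, instruction = r.str(), r.str()
	r.str() // language tag, not needed here
	for n := r.u32(); n > 0 && r.err == nil; n-- {
		text := r.str()
		prompts = append(prompts, Prompt{Text: text, Echo: r.boolean()})
	}
	return name, instruction, prompts, r.err
}

// BuildInfoResponse (client side): num-responses, then one string per prompt.
func BuildInfoResponse(responses []string) []byte {
	b := putU32([]byte{msgInfoResponse}, uint32(len(responses)))
	for _, s := range responses {
		b = putStr(b, s)
	}
	return b
}

// ParseInfoResponse (server side) insists on exactly one answer per prompt sent.
func ParseInfoResponse(msg []byte, want int) ([]string, error) {
	r := newReader(msg, msgInfoResponse)
	if n := r.u32(); r.err == nil && uint64(n) != uint64(want) {
		return nil, fmt.Errorf("got %d responses, wanted %d", n, want)
	}
	var out []string
	for i := 0; i < want && r.err == nil; i++ {
		out = append(out, r.str())
	}
	return out, r.err
}

func main() { // constructed exchange: one hidden prompt carrying a challenge, then the typed answer back
	req := BuildInfoRequest("CryptoCard", "Type the response from your token", []Prompt{{"Challenge 73948215: ", false}})
	_, _, prompts, err := ParseInfoRequest(req)
	answers, err2 := ParseInfoResponse(BuildInfoResponse([]string{"3FA40E8A"}), len(prompts))
	fmt.Println(len(req), prompts, err, answers, err2)
}
```

A token challenge fits this framing as one non-echoed prompt: the server puts the challenge in the prompt text, the client displays it and returns whatever the user types, and the client needs no knowledge of the device at all, which is MaF's point.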
Hi,

Since I'm not on this list I'll quote :)

-----------------------------------------------------------------------------

Hein Roehrig wrote:
>> I think for platforms supporting PAM this patch is not necessary
>> because you can just use the respective PAM module.

> Suppose I decided to have people log on to my systems using CRAM-MD5.
> How could I implement that as a PAM module? I could implement the
> server end using PAM, but I couldn't do the client end. The user
> would have to have some separate program to calculate the MAC, and
> then cut and paste the result into ssh.

PAM just writes text to the terminal, and asks for responses. What the module actually does with it is of no interest to PAM. I've programmed about everything with it you can think of. You indeed would have to have a program that calculates the response, but that also applies to CryptoCard, bioscans, etc, etc.

>> I agree 100%. This is also exactly why we wrote the
>> keyboard-interactive authentication protocol for ssh2. [ ... ] The
>> user may then act as an interface to whatever device one wishes to
>> use.

> Agreed, but this isn't very convenient. What would be nice is some
> kind of PAM-like system that works on the client. Then you have a
> CRAM-MD5 module on the server, and they authenticate the user by
> talking between themselves. The client module asks the user for the
> MAC secret, accepts a challenge from the server and sends back the
> response. The server PAM module then logs the user in (or not).

Above scenario is no problem at all. Nothing prevents you from letting the client talk to the server in that case.

> Hopefully next weekend I will have time to get the OpenPGP stuff into
> a reasonably usable state...

Regards,

Igmar Palsenberg
JDI Media Solutions

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar
On 13 Sep 2000, erich wrote:
> Please let me know if it will be possible to include this patch in
> future releases. If there are specific reasons why it can't be,
> please let me know, because maybe I can address them. Otherwise I
> will ask our contractor to update the patch for them.

I am not particularly keen on putting code into OpenSSH to support proprietary authentication technologies.

In any case, changes to the protocol (which this is) should be sent via the OpenBSD maintainers. I doubt they would accept the patch in its current form - it uses functions only present in the portable version.

-d

--
| ``The power of accurate observation is | Damien Miller <djm at mindrot.org>
| commonly called cynicism by those who | @Work <djm at ibs.com.au>
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
On 14 Sep 2000, erich wrote:
>> I am not particularly keen on putting code into OpenSSH to support
>> proprietary authentication technologies.
>
> CryptoCard is absolutely not in any way a proprietary authentication
> technology. It is a plain and simple DES ECB encryption of the input,
> using a key which is stored in the device. The first 4 bytes of the
> output are then displayed in hex.

The current implementation is an ANSI X9.9, and is a supported mode on almost all hardware tokens. Specific modes for tokens are not supported, and probably never will be, since all manufacturers refuse to give me any information.

>> In fact, I have also hired someone
>> to write a CryptoCard emulator for the Palm Pilot, and the resulting
>> code will also be under GPL. Contrast this with RSA, which is in fact
>> a proprietary authentication technology, and which OpenSSH supports by
>> default.
>
> I was mistaken about Cryptocard, my apologies. Calling RSA proprietary
> is drawing a bit of a long bow though.

>> In any case, changes to the protocol (which this is) should be sent
>> via the OpenBSD maintainers. I doubt they would accept the patch in its
>> current form - it uses functions only present in the portable version.

Which one? It isn't using anything weird as far as I can see.

>> Who can I talk to about this? Should I send it to the OpenBSD core
>> team?
>
> There are several on the list, otherwise you can contact them direct at
> openssh at openbsd.org.

I've contacted them, but no reply unfortunately.

> Regards,
> Damien Miller

Regards,

Igmar

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar
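The computation erich describes, and which Igmar identifies as ANSI X9.9, as an added example; it is not from the thread, from the patch linked above, or from any CryptoCard product. Assumptions beyond what the thread says: the challenge is taken as ASCII and zero-padded or cut to a single 8-byte DES block (for one block, DES-ECB and the X9.9 CBC-MAC with a zero IV produce the same bytes, so the two descriptions agree), and the key and challenge are the FIPS 81 DES example values, constructed for illustration. VerifyResponse is the check a server such as a patched sshd would have to make; the constant-time comparison and the key-length error path are the parts worth copying.

```go
package main

import (
	"crypto/des"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// TokenResponse is the computation erich describes: DES-ECB encrypt the
// challenge under the key held in the card and show the first four bytes
// of the ciphertext in hex. For a single block this is also the ANSI X9.9
// MAC Igmar mentions (DES CBC-MAC, zero IV, leftmost 32 bits).
// Assumption: the challenge is ASCII, zero-padded or cut to one 8-byte DES
// block; the thread does not say how a real card frames it.
func TokenResponse(key []byte, challenge string) (string, error) {
	block, err := des.NewCipher(key) // only an 8-byte key is accepted
	if err != nil {
		return "", err
	}
	var in, out [8]byte
	copy(in[:], challenge)
	block.Encrypt(out[:], in[:])
	return strings.ToUpper(hex.EncodeToString(out[:4])), nil
}

// VerifyResponse is the server side: recompute under the enrolled key and
// compare in constant time, so a wrong answer does not reveal how many of
// the hex digits were right.
func VerifyResponse(key []byte, challenge, response string) bool {
	want, err := TokenResponse(key, challenge)
	if err != nil {
		return false
	}
	got := strings.ToUpper(strings.TrimSpace(response))
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

func main() {
	// Constructed values: the FIPS 81 DES example key and its first plaintext block.
	key := []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}
	resp, err := TokenResponse(key, "Now is t")
	fmt.Println(resp, err, VerifyResponse(key, "Now is t", resp), VerifyResponse(key, "Now is u", resp))
}
```

Because the card's output is a function of the challenge alone, the server must never reuse a challenge for the same key: an observer who sees a challenge and its response can replay the pair, which is why the challenge belongs in the server's prompt rather than being chosen by the client.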