Hello,

I was searching the internet for a challenge-response system to
authenticate an OpenSSH session with a hardware token. Now I found this,
it's very old, so I want to know how the situation is today. I couldn't find
much documentation.

Re: SSH with SecureID

> > Is there any documentation I'm missing on how to integrate the two?
> > We'd love to go with 2-factor authentication, but we want to make
> > sure our traffic remains encrypted. Any solutions?
>
> We are doing exactly such thing. I did not want to make mistake of most
> challenge response systems which run in clear-text on insecure solaris
> machines (god knows I seen many of those). We are using Cryptocard from
> <http://www.cryptocard.com> -- the challenge response system is working
> over ssh using TIS Authentication. All windows people have to use
> SecureCRT since F-Secure windows client does not do TIS. Unix does it by
> default (just -o 'TISAuthentication yes'). So you get:
>
> 63-jkb(nautilus)% ssh proxy
> Challenge: 05293424
> Enter Response:
>
> We are running the system on FreeBSD and use radius -- so sshd in fact
> becomes radius client when it needs to authenticate. So far everything
> seems to work just great. Feel free to ask me in private if you need more
> details/info.
>
> Thanks,

I read that it worked with OpenSSH (that there are patches for it). If it's
possible, what's the safest hardware token that I can/should use?
Activcard One? Cryptocard? Is there a document that explains exactly the
situation I want to use or how I can implement it?

Thanx in advance,

Lourens Bordewijk

On Thu, Mar 28, 2002 at 09:55:49AM +0100, Lourens Bordewijk wrote:
> Hello,
>
> I was searching the internet for a challenge-response system to
> authenticate an OpenSSH session with a hardware token. Now I found this,
> it's very old, so I want to know how the situation is today. I couldn't find
> much documentation.
[...]
> I read that it worked with OpenSSH (that there are patches for it). If it's
> possible, what's the safest hardware token that I can/should use?
> Activcard One? Cryptocard? Is there a document that explains exactly the
> situation I want to use or how I can implement it?

Your question is off topic for openssh, but that said, there probably are
folks here with good experience with those cards.

SecurID is probably the easiest (for you and your users). Cryptocard is
probably the cheapest. Activcard is probably the hardest to implement. I'd
say they are all within the realm of "good".

Don't use challenge response mode with cryptocard if you wish to protect
against an attacker that can break DES. Your users won't like
challenge/response mode anyway.

Funny thing, cryptocard can store 3 keys and so could do 3DES if they
wanted, or they could do a 2-key scheme which is unbreakable with any
computing power. Oh well. I think I'll patent that and license it back to
them. :-\

/fc

On Thu, Mar 28, 2002 at 09:55:49AM +0100, Lourens Bordewijk wrote:
> I read that it worked with OpenSSH (that there are patches for it). If it's
> possible, what's the safest hardware token that I can/should use?
> Activcard One? Cryptocard? Is there a document that explains exactly the
> situation I want to use or how I can implement it?

I use cryptocard w/ OpenSSH on OpenBSD with protocol 1's TIS message and
keyboard-interactive in protocol 2. Supporting cryptocard on other platforms
is not hard and would be simple if you port the token handling from
BSD_AUTH.