Bug 1438

Summary: Adds an out-of-band challenge (OBC) authentication method (via kbdint)
Product: Portable OpenSSH
Reporter: Paul Sery <pgsery>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: normal
CC: djm
Priority: P2
Keywords: patch
Version: 4.7p1
Hardware: All
OS: Linux
Attachments:
Adds an out-of-band challenge (obc) device to kbdint (Flags: none)

Description Paul Sery 2008-02-06 16:39:46 AEDT
Created attachment 1452
Adds an out-of-band challenge (obc) device to kbdint

The out-of-band challenge (OBC) patch creates a kbdint device that provides a server-based authentication mechanism. The server generates and emails you a random string when you attempt to log in. You're authenticated if you can correctly answer the challenge.

You can use a regular email account, a pager, cell phone or other email-capable device to receive the challenge. However, by using a physical device you create a one-time authentication secret completely separate from your workstation.

OBC can be used in conjunction with the "Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435), which allows you to require two or more authentications for a successful login. Combining OBC with Multiauth creates two physically separate authentication factors equivalent to a commercial two-factor token. For instance, requiring public key and OBC authentications creates physically separate factors.

See README.obc for configuration and installation information.
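
An added sketch, not taken from attachment 1452 or from OpenSSH, of the server-side state an e-mailed challenge like the one described above needs: a CSPRNG-generated code, an expiry, a try limit, single use and a constant-time comparison. The names `obc_ctx`, `obc_issue` and `obc_verify`, the constants and the use of `/dev/urandom` are assumptions; mail delivery is left out.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define OBC_LEN 8        /* challenge length (assumed) */
#define OBC_TTL 300      /* validity in seconds (assumed) */
#define OBC_MAX_TRIES 3  /* answers allowed per challenge (assumed) */
struct obc_ctx { char code[OBC_LEN + 1]; time_t issued; int tries, used; };

/* Issue a fresh 40-bit challenge (8 symbols x 5 bits) from the kernel CSPRNG; 0 on success. */
int obc_issue(struct obc_ctx *ctx, time_t now)
{
    static const char alphabet[] = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
    unsigned char raw[OBC_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (int i = 0; i < OBC_LEN; i++)
        ctx->code[i] = alphabet[raw[i] & 31]; /* 256 % 32 == 0: no bias */
    ctx->code[OBC_LEN] = '\0';
    ctx->issued = now;
    ctx->tries = ctx->used = 0;
    return 0;
}

/* Accept only the first correct answer inside the TTL and try limit. */
int obc_verify(struct obc_ctx *ctx, const char *answer, time_t now)
{
    unsigned char diff = 0;
    if (ctx->used || ctx->tries >= OBC_MAX_TRIES || now - ctx->issued > OBC_TTL)
        return 0;
    ctx->tries++;                      /* count the attempt before checking it */
    if (strlen(answer) != OBC_LEN)     /* length is public: early exit is safe */
        return 0;
    for (int i = 0; i < OBC_LEN; i++)  /* constant-time over the secret bytes */
        diff |= (unsigned char)(ctx->code[i] ^ answer[i]);
    ctx->used = (diff == 0);           /* single use: a replay is rejected */
    return ctx->used;
}

int main(void)
{
    struct obc_ctx c;
    if (obc_issue(&c, time(NULL)) != 0) return 1;
    printf("challenge to e-mail: %s\n", c.code);
    return obc_verify(&c, c.code, time(NULL)) ? 0 : 1;
}
```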

Comment 1 Damien Miller 2008-06-13 13:58:00 AEST
We don't want to add more kbdint methods - it is better to use a cross-platform authentication API like PAM or BSD auth.

Comment 2 Damien Miller 2008-07-22 12:21:00 AEST
Mass update RESOLVED->CLOSED after release of openssh-5.1