The Virtual Token (VToken) patch adds a kbdint device that provides a new challenge-based authentication mechanism. The server calculates a challenge from two secrets and a counter. You authenticate by proving that you know the secrets by correctly answering the challenge. This creates a software-based token, similar in function to commercial ones, that can be run from your workstation or, better yet, ubiquitous devices such as PDAs, cell phones, calculators, and even pen and paper.

VToken has the advantage of not only using cheap, generic devices but also not being network-aware. Commercial tokens can only be used on networks configured with a significant amount of dedicated infrastructure; they're network-based. VToken can be run on any machine running OpenSSH and a properly configured sshd_config file; it's a host-based system.

The current challenge is a place-holder for a more rigorous one. It uses the simple equation: Challenge = Secret*Counter Mod(PIN). The secret is designed to be embedded in the virtual token, while you must keep the PIN secret; the counter protects against replay attacks. Taking the modulus of the product maps the answer into a number set (or something like that) that . Ultimately, the calculation should probably be done by taking the hash of the combined terms (anyone who captures the current challenge will be able to calculate the secrets using brute force).

vtoken.c is an example virtual token app. It prompts you for your PIN and calculates the challenge response from the secret, which is embedded in its source.

VToken in its present form should be used in conjunction with the "Multiauth" patch (https://bugzilla.mindrot.org/show_bug.cgi?id=1435), which allows you to use multiple authentication methods to log into a machine. You'll want to use Pubkey together with VToken. In the future, VToken will by itself provide two-factor authentication.
The secret will be embedded in the app and effectively be embedded in your PDA, cell phone, etc. You'll keep your PIN separate, of course, and use the two just like on commercial tokens.
Created attachment 1453: Virtual Token (VToken) challenge authentication method
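The scheme described in the report above, modelled as an added example (not the patch's code, not the real vtoken.c): the placeholder formula Secret*Counter mod PIN beside a hash-based variant of the kind the reporter suggests ("the hash of the combined terms"), plus a server-side verifier that enforces the counter so a captured response cannot be replayed. The credential values, the HMAC-SHA256 construction, the 8-digit truncation and the class and function names are all assumptions made for this illustration.

```python
import hmac
import hashlib

# Constructed sample credentials for the demo (not values from the patch).
SECRET = 7340033          # embedded in the token app (PDA, phone, calculator)
PIN = 9973                # known only to the user, never stored with the token
COUNTER_START = 1         # both sides start from the same counter value


def placeholder_response(secret: int, counter: int, pin: int) -> int:
    """Placeholder formula from the report: Secret*Counter mod PIN.

    Note that the result is always in [0, PIN), so the response space is
    bounded by the PIN itself; see response_space() below."""
    return (secret * counter) % pin


def hmac_response(secret: int, counter: int, pin: int, digits: int = 8) -> int:
    """Hash-based variant (an assumed realisation of the reporter's suggestion).

    HMAC-SHA256 keyed with secret||PIN over the counter, truncated to a fixed
    number of decimal digits so it stays typeable on a phone or calculator."""
    key = secret.to_bytes(8, "big") + pin.to_bytes(8, "big")
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big") % (10 ** digits)


def response_space(pin: int) -> int:
    """Number of distinct responses the placeholder formula can produce."""
    return pin


class VTokenVerifier:
    """Server-side state for one user: shared values plus the replay counter."""

    def __init__(self, secret: int, pin: int, counter: int = COUNTER_START,
                 responder=hmac_response):
        self.secret = secret
        self.pin = pin
        self.counter = counter
        self.responder = responder

    def challenge(self) -> int:
        # The counter is what the server presents; the user answers with
        # the token's output for that counter.
        return self.counter

    def verify(self, counter: int, response: int) -> bool:
        # Only the current counter is acceptable: an old (counter, response)
        # pair captured from the wire is rejected as a replay.
        if counter != self.counter:
            return False
        expected = self.responder(self.secret, counter, self.pin)
        ok = hmac.compare_digest(str(expected), str(response))
        if ok:
            self.counter += 1      # advance only on success
        return ok


def demo(responder=hmac_response):
    """One login followed by a replay of the same answer.

    Returns (first_attempt_ok, replay_ok, wrong_pin_ok)."""
    server = VTokenVerifier(SECRET, PIN, responder=responder)
    c = server.challenge()
    answer = responder(SECRET, c, PIN)          # computed on the token side
    first = server.verify(c, answer)            # fresh counter: accepted
    replay = server.verify(c, answer)           # same counter again: rejected
    c2 = server.challenge()
    wrong = server.verify(c2, responder(SECRET, c2, PIN + 1))  # wrong PIN
    return first, replay, wrong


if __name__ == "__main__":
    print("placeholder response, counter 1:", placeholder_response(SECRET, 1, PIN))
    print("hash-based response, counter 1:  ", hmac_response(SECRET, 1, PIN))
    print("login / replay / wrong PIN:", demo())
```

Both responders plug into the same verifier; the difference is what an observer learns from one exchange. The placeholder output lies in the small range [0, PIN), so the server should treat it exactly as the report says: a stand-in to be replaced by the hash-based calculation before relying on it alone.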
Thanks, but we won't be implementing any additional experimental challenge response authentication methods in the base code. If you want to do something like this, you may want to do it through one of the platform methods such as PAM or bsdauth. Alternatively, you could implement the skey interface and point configure at that.
Mass update RESOLVED->CLOSED after release of openssh-5.1