Date: Tue, 2 Jun 1998 15:19:06 +0200
From: Eivind Eklund <eivind@yes.no>
To: ark@eltex.spb.ru
Cc: robert+freebsd@cyrus.watson.org, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
Subject: Re: d.eltex.spb.ru, freebsd-security@FreeBSD.ORG
Message-ID: <19980602151906.20815@follo.net>
In-Reply-To: <199806021547.PAA20263@paranoid.eltex.spb.ru>; from ark@eltex.spb.ru on Tue, Jun 02, 1998 at 03:47:56PM +0000
References: <19980602133226.00055@follo.net> <199806021547.PAA20263@paranoid.eltex.spb.ru>
On Tue, Jun 02, 1998 at 03:47:56PM +0000, ark@eltex.spb.ru wrote:
> > > Don't know what is "SSH-1" protocol you are referring to, but ssh
> > > (at least versions 1.2.20 and newer) does support OTP and even
> > > authentication server.
> >
> > Are you referring to the SecurID support? This is challenge-free, and
> > this comment is from the third paragraph of README.SECURID in the ssh
> > distribution:
>
> [dd]
>
> Nope, I mean TISAuthentication option which definitely _can_ be
> challenge-based.

Yes. It involves extensions to the protocol. I hadn't noticed this, so thanks for bringing it to my attention. I think it may be possible to hijack it to provide for s/key support.

The support for TIS right now is really a kludge - it extends the protocol with messages that are special for TIS (SSH_SMSG_AUTH_TIS_CHALLENGE, SSH_SMSG_AUTH_TIS_CHALLENGE, SSH_AUTH_TIS, etc) instead of adding proper infrastructure to do challenges and then using that. It may still be possible to abuse the kludge to do s/key - I'll see how pretty it turns out.

BTW: Your mailreader (or something) has really screwed up the headers. I've cleaned them out, but it is something to be aware of.

Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980602151906.20815>