RE: ssh password *and* key
From: Mark Senior (Mark.Senior_at_gov.ab.ca)
Date: 07/11/05
- Previous message: Tay, Gary: "RE: OpenSSH/kerberos compile problem."
- Maybe in reply to: yyyyy50_at_hotpop.com: "ssh password *and* key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Jul 2005 09:02:28 -0600 To: <yyyyy50@hotpop.com>
I know this isn't answering your question, and I apologize for that.
The private key doesn't actually provide a second authentication factor
- it's a static piece of information, which an attacker could get a copy
of, without depriving the legitimate user of it. In that way, it's more
like another password.
You're not really asking for something you know + something you have -
you're asking for something you know + something else you know (though
the second thing you don't actually know from memory, only if you have a
copy of it handy).
If you want to require something the user has, it must be a physical
object that they would notice if it went missing.
RSA Secure ID tokens have this property (as long as the PRNG in those
things remains unbroken). Not that RSA's device is the only way to go,
it's just the only one I'm familiar with.
Regards
Mark
> -----Original Message-----
> From: yyyyy50@hotpop.com [mailto:yyyyy50@hotpop.com]
> Sent: July 9, 2005 02:31
> To: secureshell@securityfocus.com
> Subject: ssh password *and* key
>
> Running SSH v4.1.
>
> Is there any way to have this version of SSHd require both
> password *and* rsa key authentication, thus conforming to two
> out of three of the basic security access concepts: (who you
> are - retinal scan, fingerprints; what you have - card key,
> private encrypted key; what you know - password).
>
> I understand that the key itself can be protected by
> password, but it would be nice to have the sshd daemon also
> protect itself, if possible.
>
>
>
>
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
- Previous message: Tay, Gary: "RE: OpenSSH/kerberos compile problem."
- Maybe in reply to: yyyyy50_at_hotpop.com: "ssh password *and* key"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
