Re: Challenge/response authentication

Smythe de Winter <sdw@xxxxxxxxx> writes:
Looking into the OpenSSH documentation, it explicitly indicates that
the SSH client can support such an authentication mechanism by setting the
symbol ChallengeResponseAuthentication appropriately in the client's
configuration file.
[...]
However, what is not specified is how the SSH server and client select
the particular challenge/response method supported, and there exist quite
a few different ones in principle allowed. Things would also seem to imply
that external modules are required for challenge/response authentication
with OpenSSH; is this true?
[...]
Finally, I also find it a bit confusing that neither the SSH V1
protocol nor the SSH V2 protocol standard documents mention
challenge/response authentication as one of the protocol supported
authentication mechanisms.
[...]
Can anybody throw some light on all this?

OpenSSH's "ChallengeResponseAuthentication" appears to map on to
protocol features as follows:

* In SSH-1, it maps on to "TIS authentication", which is specified in
the nearest thing SSH-1 has to a standard, a copy of which is at
<http://www.snailbook.com/docs/protocol-1.5.txt>.

* In SSH-2, it maps on to "keyboard-interactive authentication", which
while not technically one of the "core" SSH-2 RFCs, is specified in
RFC 4256 and widely implemented.

Both of these are authentication methods where (slightly simplified) the
server sends strings (challenges) to the client, the client displays
them to the user verbatim, the user enters a response, and the client
sends that response to the server. The client knows nothing about the
semantics of the challenge or response, it's just shovelling data
between the server and the user.

So, to use a particular form of challenge-response authentication (such
as S/Key), all you need to do is configure the server to use it as a
backend (a process I know little about, but I wouldn't be surprised if
PAM is involved in many cases), and any client implementing the above
methods will be able to use it.
.

Relevant Pages

  • Re: Challenge/response authentication
    ... SSH client can support such an authentication mechanism by setting the ... the particular challenge/response method supported, ...
    (comp.security.ssh)
  • RE: How to Authenticate to WCF Service Via VPN
    ... \par Microsoft MSDN Online Support Lead ... He launches Cisco Systems VPN Client and authenticates as ... \par> includes the service account identity as a user principal name. ... \par> mutual authentication is assumed. ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: WCF authentication and remote workstations
    ... As for the WCF communcation scenario in your context, would you provide some further information about the binding and security configuration of the service/endpoint. ... For example, are you using transport layer security, let the runtime forward the windows credential automatically for use message laye security(such as username authentication to authenticate the client)? ... For the first one(windows authentication that let the client automatically forward the client security context(the current logon user). ... We welcome your comments and suggestions about how we can improve the support we provide to you. ...
    (microsoft.public.dotnet.framework.webservices)
  • RE: How to Authenticate to WCF Service Via VPN
    ... However, assigning ... He launches Cisco Systems VPN Client and authenticates as ... Microsoft MSDN Online Support Lead ... mutual authentication is assumed. ...
    (microsoft.public.dotnet.framework.webservices)
  • RE: Transferring membership parameters
    ... one local app that you have API access for the authentication ... NET) to perform programmtic login or user registering. ... Microsoft MSDN Online Support Lead ... I have a client who wants a solution for the following problem. ...
    (microsoft.public.dotnet.general)