Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ssh password *and* key

from [Mark Senior] Network Security [Permanent Link]
Subject: RE: ssh password *and* key
Date: Mon, 11 Jul 2005 09:02:28 -0600 
I know this isn't answering your question, and I apologize for that.

The private key doesn't actually provide a second authentication factor
- it's a static piece of information, which an attacker could get a copy
of, without depriving the legitimate user of it.  In that way, it's more
like another password.

You're not really asking for something you know + something you have -
you're asking for something you know + something else you know (though
the second thing you don't actually know from memory, only if you have a
copy of it handy).

If you want to require something the user has, it must be a physical
object that they would notice if it went missing.  

RSA Secure ID tokens have this property (as long as the PRNG in those
things remains unbroken).  Not that RSA's device is the only way to go,
it's just the only one I'm familiar with.

Regards
Mark
 


-----Original Message-----
From: yyyyy50@hotpop.com [mailto:yyyyy50@hotpop.com] 
Sent: July 9, 2005 02:31
To: secureshell@securityfocus.com
Subject: ssh password *and* key

Running SSH v4.1.

Is there any way to have this version of SSHd require both 
password *and* rsa key authentication, thus conforming to two 
out of three of the basic security access concepts: (who you 
are - retinal scan, fingerprints; what you have - card key, 
private encrypted key; what you know - password).  

I understand that the key itself can be protected by 
password, but it would be nice to have the sshd daemon also 
protect itself, if possible.






This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. If 
you have received this email in error please notify the system manager. This 
message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: OpenSSH/kerberos compile problem., Tay, Gary
Next by Date:  OpenSSH 3.8 'resource temporarily unavailable' error on windows 2k, 毛砚秋
Previous by Thread:  ssh password *and* key, yyyyy50
Next by Thread:  Re: OpenSSH/kerberos compile problem., Simon Wilkinson
Indexes:  [Date] [Thread] [Top] [All Lists]