On Fri, 2005-04-01, at 00:12, Dan Margolis wrote:
> >
> > Use smartcard / USB token. If it is in your pocket, nobody can use your
> > account. You can get one about 30 euros.
>
> How does this work? If it's a smartcard, you need all machines you'll
> log in from to have smartcard readers. USB obviates this, for sure, but
> I'm curious how secure those devices are.
>
> To securely integrate them with SSH, one would want to allow only public
> key auth and store the secret key on the token, which would itself hash
> the nonce and handle the authentication in-hardware without ever
> exposing the key to the client computer. I'm skeptical that the
> off-the-shelf hardware available on the cheap does this. Does it?
>
> Speaking from curiosity and ignorance here.
I have experience with the Axalto Cryptoflex 32k e-gate product
(http://www.axalto.com/infosec/egate.asp) but I think it works the
same way with every openct / opensc supported card. As you can see in
Axalto's on-line store, 5 pieces of this card with the token
connectors cost USD $110 + shipping. (The cards are sold in packs of
5).
- This is a real smartcard. When you personalise it the card generates
the RSA key-pair, and the secret key never leaves the card.
- On the server side you need to compile openssh with x509 and ldap
support. You can put your users' public keys in an ldap directory
(openldap works well), and ssh can authenticate with it.
- On the client side you need to compile ssh with smartcard support, and
you need a running openct as well. You start an ssh connection like this:
ssh -I 0 x.x.x.x (-I 0 means use the first smartcard). Of course openct
asks for your PIN code before connecting. During the authentication the
secret key doesn't leave the card. (Anyway, there are no known methods
to read the secret key itself).
- If you enable agent forwarding, you can go through multiple ssh "hops"
with the smartcard in your desktop computer, so you don't need to add
any user to your authorized_keys. This is useful when you don't trust
some of the middle hops' administrators. Of course, this is not a
smartcard feature but an ssh feature, and you can use it with the good
old public key authentication as well.
--
Regards:
Jo-Hans
--
gentoo-security@gentoo.org mailing list
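The login flow described in the reply above (key pair generated on the card, PIN checked before use, secret key never leaving the token, server verifying against a public key published in a directory), as an added simplified model in Python; this is not code from the post, OpenSSH or OpenCT, and the class and function names, the demo primes, the PIN and the directory contents are assumptions.

```python
"""Simulated smartcard-backed public-key login (added illustration, not SSH code).
Token: key pair made 'on-card', signing gated by PIN, private exponent never exported.
Server: checks the signature against the user's public key from a directory (the LDAP
role in the post). Textbook RSA over SHA-256 with fixed demo primes, no PKCS#1 padding."""
import hashlib
import os

DEMO_P, DEMO_Q = 2**61 - 1, 2**89 - 1   # fixed Mersenne primes so runs are repeatable


class Token:
    """Model of the card: only sign() is exposed, and only after verify_pin()."""

    def __init__(self, pin, p=DEMO_P, q=DEMO_Q, e=65537):
        n, phi = p * q, (p - 1) * (q - 1)
        self._d = pow(e, -1, phi)   # private exponent, never leaves the object
        self._pin, self._unlocked = pin, False
        self.public_key = (n, e)    # the only key material handed to the client

    def verify_pin(self, pin):
        self._unlocked = (pin == self._pin)
        return self._unlocked

    def sign(self, challenge):
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        n, _ = self.public_key
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
        return pow(h, self._d, n)


def verify(public_key, challenge, signature):
    """Server side: the signature raised to e must equal the challenge hash."""
    n, e = public_key
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(signature, e, n) == h


def authenticate(token, pin, directory, user):
    """One login: server issues a nonce, client asks the card to sign it, server checks."""
    if user not in directory:        # no public key published for this user
        return False
    nonce = os.urandom(32)           # server challenge; real SSH also binds the session id
    if not token.verify_pin(pin):    # openct prompts for the PIN at this point
        return False
    return verify(directory[user], nonce, token.sign(nonce))
```

The client code path only ever handles `public_key` and the returned signature, which is the property the post relies on when it says the secret key does not leave the card.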