OpenBSD Journal

CRYPTOcard with OpenBSD's BSD Auth system?

Contributed by Dengue on from the I-got-this-card-see. dept.

Dan Weeks writes : "I have searched around but have yet to find any information about the new BSD Auth system and its configuration or use with the CRYPTOcard challenge/response system. We are looking to implement the CRYPTOcard system and I would like to know if anyone has had any experience with it or if anyone could point to any further documentation on the matter.


(Comments are closed)

  1. By Hans Insulander () on

    It shouldn't be too hard to implement this in the BSD authentication subsystem that will be shipped in OpenBSD 3.0.

    Jim Rees is also working on smartcard support that will ship in 3.0, and you'd a driver for your specific cardreader and card.

  2. By David Jorm () on

    Well, actually, cryptocard works with having a hardware (or sometimes software) token, which issues a response to a challenge issued by the authentication backend. The only piece of code required to integrate cryptocard with anything is an authentication module. For example, there are PAM modules, so you can make anything linux based authenticate against it, there are NT domain auth modules, MS Exchange modules, etc etc. The most obvious solution to me is getting PAM working, but I have no idea as to the feasibility of that with OpenBSD.

  3. By markus () on

    read cryptoinit(8), cryptoadm(8) and login.conf(5) on a current openbsd system and do

    # cryptoinit markus_friedl

    and try:

    # /usr/libexec/auth/login_crypto -d markus_friedl

    openssh, also supports CRYPTOcard authentication
    (enable ChallengeResponse, see ssh(1), sshd(8))

  4. By Kevin Kadow () on

    The cryptocard challenge-response is simply a variation on the standard SNK protocol. If you aren't set on licensing the token technology from Cryptocard, there are free implementations of SNK in Firewall Toolkit (FWTK) and other applications.

    I've tried just about all of the authentication tokens, and have deployed SNK, SafeWord, and SecurID. I've managed to integrate most of these into SSH and PAM without massive effort.

    I've found that in most cases the end-user is annoyed by Challenge-Respose systems and usually insist on Time Synchronous (SecurID) or Event Synchronois (various vendors, including Cryptocard).


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]