CRYPTOcard with OpenBSD's BSD Auth system?

Contributed by Dengue on 2001-06-27 from the I-got-this-card-see. dept.

Dan Weeks writes : "I have searched around but have yet to find any information about the new BSD Auth system and its configuration or use with the CRYPTOcard challenge/response system. We are looking to implement the CRYPTOcard system and I would like to know if anyone has had any experience with it or if anyone could point to any further documentation on the matter.

Thanks,
-dan"

(Comments are closed)

Comments

By Hans Insulander () hin@openbsd.org on 2001-06-29 21:52 mailto:hin@openbsd.org

It shouldn't be too hard to implement this in the BSD authentication subsystem that will be shipped in OpenBSD 3.0.

Jim Rees is also working on smartcard support that will ship in 3.0, and you'd a driver for your specific cardreader and card.
By David Jorm () davidj@unixpac.com.au on 2001-07-02 00:54 http://www.unixpac.com.au/

Well, actually, cryptocard works with having a hardware (or sometimes software) token, which issues a response to a challenge issued by the authentication backend. The only piece of code required to integrate cryptocard with anything is an authentication module. For example, there are PAM modules, so you can make anything linux based authenticate against it, there are NT domain auth modules, MS Exchange modules, etc etc. The most obvious solution to me is getting PAM working, but I have no idea as to the feasibility of that with OpenBSD.
By markus () markus@openbsd.org on 2001-07-02 21:07 mailto:markus@openbsd.org

read cryptoinit(8), cryptoadm(8) and login.conf(5) on a current openbsd system and do

# cryptoinit markus_friedl

and try:

# /usr/libexec/auth/login_crypto -d markus_friedl

openssh, also supports CRYPTOcard authentication
(enable ChallengeResponse, see ssh(1), sshd(8))
By Kevin Kadow () openbsd@msg.net on 2001-07-16 07:30 http://www.msg.net/utility/FWTK/#randomnumber

The cryptocard challenge-response is simply a variation on the standard SNK protocol. If you aren't set on licensing the token technology from Cryptocard, there are free implementations of SNK in Firewall Toolkit (FWTK) and other applications.
I've tried just about all of the authentication tokens, and have deployed SNK, SafeWord, and SecurID. I've managed to integrate most of these into SSH and PAM without massive effort.
I've found that in most cases the end-user is annoyed by Challenge-Respose systems and usually insist on Time Synchronous (SecurID) or Event Synchronois (various vendors, including Cryptocard).

Latest Articles

Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (10)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)
Tue, Mar 12
- 06:53 OpenSSH 9.7/9.7p1 released! (0)
Mon, Mar 11
- 11:28 Game of Trees 0.97 released (0)
Sun, Mar 10
- 09:06 LibreSSL versions 3.8.3 and 3.9.0 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]