scox.info - Random Thoughts - One Time Pads: The new authentication model of pam_usb - Comments

One Time Pads: The new authentication model of pam_usb - gemtsone supplier

gemtsone supplier — Sat, 12 Jun 2010 04:47:42 +0200

Your views are very good!I very much agree with you, thank you for sharing!
the best jewelry manufacturers in china

[ping] One Time Pads: The new authentication model of pam_usb - Fluoxetine capsules.

Fluoxetine capsules. — Thu, 16 Apr 2009 05:27:18 +0200

Fluoxetine.

Fluoxetine side effects. Fluoxetine....

[ping] One Time Pads: The new authentication model of pam_usb - Butalbital medical license.

Butalbital medical license. — Fri, 06 Feb 2009 04:38:09 +0100

Butalbital.

What is butalbital. Butalbital....

[ping] One Time Pads: The new authentication model of pam_usb - Amoxicillin.

Amoxicillin. — Wed, 14 Jan 2009 10:41:06 +0100

Amoxicillin.

Can greyhounds take amoxicillin. Amoxicillin side effects....

One Time Pads: The new authentication model of pam_usb - Jeremy

Jeremy — Tue, 26 Aug 2008 04:59:17 +0200

So say I manage to kill my one-time-pad accidentally. How do I force regenerating a new one?

One Time Pads: The new authentication model of pam_usb - cao.shijun

cao.shijun — Sun, 08 Apr 2007 20:46:00 +0000

Good job!thank you Scox!

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

Fixed the documentation.

I'll try to find a way not to depend on pmount anymore, but the problem is mounting a volume requires root privilegies which will fail with screensavers and other applications running as user (and that's when pmount comes handy).

One Time Pads: The new authentication model of pam_usb - Thomas

Thomas — Sun, 08 Apr 2007 20:46:00 +0000

pam_usb assumes the existence of pmount on the system, but pmount is not listed in the requirements. Maybe you could correct that, and since pmount is nonstandard on many distributions, maybe you can find a way to replace it?

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

Even if someone has the same model as yours wouldn't have the same pads thus will be rejected in the authentication process.

My bad, I should've specified this in the documentation: the authentication is restricted to localhost. SSH won't authenticate someone through pam_usb. Even issueing commands such as "su" through SSH will ask for a passwod.

One Time Pads: The new authentication model of pam_usb - Nicholas

Nicholas — Sun, 08 Apr 2007 20:46:00 +0000

It would be better to have a mix of the two methods: an ssl key together with pads. You see, not every single USB key out there has a serial number. Mine doesn't, and anybody who has a key of the same model could potentially forge the authentication.

Another thing you don't specify anywhere in the documentation, is if the authentication is restricted on localhost, or if it's available even to remote connections. I'd hate somebody logging in to my SSH as root without even bothering entering a password :) Please don't tell me to use SSL keys on ssh, I already do, but I found the example intriguing: just think about how many novice users intall every package on their distro and connect to the 'net without a proper firewall.

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

That's two factor authentication which can already be achieved by coupling pamusb and pamunix in the PAM configuration.

One Time Pads: The new authentication model of pam_usb - some guy on the street

some guy on the street — Sun, 08 Apr 2007 20:46:00 +0000

Variations on two-factor auth; How about, as with ssh key-based authentication, the /private/ key is locked with a password? or similarly the public copy of a pad may be password-encrypted.

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

I assume it will shorten its lifetime, but i don't know how much. Anyway, I'm planning to introduce a new option to set how often pads should be updated (e.g., limit once everyday).

In the meantime, you could disable pads. I think pam_usb 0.4.x is more secure than 0.3.x even with pads disabled, because it does model/vendor/serial verification.

One Time Pads: The new authentication model of pam_usb - chief

chief — Sun, 08 Apr 2007 20:46:00 +0000

I meant 0.3.3, sorry.

One Time Pads: The new authentication model of pam_usb - chief

chief — Sun, 08 Apr 2007 20:46:00 +0000

Isn't writing one-time pad onto USB flash disk upon each authentication going to shorten its lifetime? And by how much, any estimates or experiences? I have been using old pam_usb 3.3 for some time now, had been happy with it, and now I am reluctant to upgrade given this sole issue. Please advise. Thank you.

One Time Pads: The new authentication model of pam_usb - justme

justme — Sun, 08 Apr 2007 20:46:00 +0000

I think it's a good project and I just got carried away by my enthousiasme.Forget about my second comment. It wasn't well thought out. Using just the flash drives unique ID to login (the pad on the hdd would be compared with just the unique ID on that flash drive) would make you loose a lot of flexibility.Looking forward to your next release.

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

I don't think pads should ever expire. Actually, they already do: as soon as you authenticate, the old pad isn't valid anymore.

I didn't understand the second comment about storing pads on the hard drive as they currently do. Pads are stored both on the flash drive and the hard drive and compared upon authentication.

One Time Pads: The new authentication model of pam_usb - justme

justme — Sun, 08 Apr 2007 20:46:00 +0000

If flash drives are unique why not use that and store the One Time Pad on de hdd. Then there would be nothing to copy. The One Time Pad would still have to work as I wrote above. It still needs to expire.

One Time Pads: The new authentication model of pam_usb - justme

justme — Sun, 08 Apr 2007 20:46:00 +0000

Use 2 sticks. One holding the One Time Pad authentication and the other as a "Mold". Make the One Time Pad authentication time sensitive (really expiring after 2 minutes or 5 hours or 6 weeks) after which you can only use the "mold" together with the other usb stick to login. Both used seperate are useless (after expiration of the One Time Pad). Store them on different locations and you have your solution.

One Time Pads: The new authentication model of pam_usb - scox

scox — Sun, 08 Apr 2007 20:46:00 +0000

As the pads won't match anymore, you will know that you have been compromised and you will be prompted for your usual password.

You can avoid this kind of problem by using two-factor authentication. In such case, you will be asked for a password before the USB authentication, which means that the attacker must know your password in order to update the pads.