
Re: new module request: pam_ident



> But mostly, I'd like to see a simple network-aware PAM written.  A
> secure user@host<->user@host authentication module could be created by
> someone with little understanding of PAM if there was some simple-to-
> understand code available as a reference.

  I doubt I'll have time to do it myself, but I thought I'd point out
a definitive reference, so people don't reinvent broken wheels. :)

  "Systematic design of a family of attack-resistant authentication
protocols", IEEE Journal on Selected Areas in Communications, 11 (5),
pp 679-693, June, 1993.

  Authors:  R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva,
M. Yung.

  The paper is available on-line (I think), and is *strongly*
recommended.  The final protocol includes exportable versions, is
fairly easy to implement, and is resistant against plain text,
man-in-the-middle, chosen ciphertext, time sequence, and oracle
session attacks.  The only requirements are that two machines which
need to talk have a shared secret, and be able to generate random
numbers.

  For distributed PAM authentication, the shared secret can easily be
the user's encrypted password, plus a per-host secret.  OTPs work just
as well as static ones, too.

  Alan DeKok.
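An added illustration (not code from the thread or from the cited paper) of the kind of exchange the message describes: two hosts sharing a key derived from the user's stored password hash plus a per-host secret, each contributing a random nonce, and each proving possession of the key with a keyed function over both nonces and a name. The key derivation, the message labels and the exact message layout are assumptions for this example, not the paper's protocol.

```python
import hmac
import hashlib
import secrets


def derive_shared_key(user_pw_hash: bytes, per_host_secret: bytes) -> bytes:
    """Per-(user, host) shared secret: the user's stored password hash mixed
    with a per-host secret, as the message suggests. Hypothetical derivation;
    the label string only separates this key from other uses of the inputs."""
    return hmac.new(per_host_secret, b"pam-ident-key|" + user_pw_hash,
                    hashlib.sha256).digest()


def keyed(key: bytes, *parts: bytes) -> bytes:
    """Keyed function f(K, ...): HMAC-SHA256 over length-prefixed parts, so
    (N_A, N_B, name) cannot be re-split into a different triple."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def responder_tag(key, n_a, n_b, responder):
    # Message 2 proof: binds B's nonce to A's challenge and to B's own name.
    return keyed(key, b"msg2", n_a, n_b, responder)


def initiator_tag(key, n_a, n_b, initiator):
    # Message 3 proof: different label, nonce order and name, so a message 2
    # tag cannot simply be reflected back to its sender as a message 3 tag.
    return keyed(key, b"msg3", n_b, n_a, initiator)


def mutual_auth(key_a: bytes, key_b: bytes, initiator: bytes, responder: bytes):
    """Three-message exchange. Returns (initiator_accepts, responder_accepts).
    Each side uses only its own copy of the key and a fresh random nonce."""
    n_a = secrets.token_bytes(16)                        # msg 1: A -> B : A, N_A
    n_b = secrets.token_bytes(16)                        # msg 2: B -> A : N_B, tag_b
    tag_b = responder_tag(key_b, n_a, n_b, responder)
    a_accepts = hmac.compare_digest(tag_b, responder_tag(key_a, n_a, n_b, responder))
    if not a_accepts:
        return False, False                              # A aborts; no message 3 is sent
    tag_a = initiator_tag(key_a, n_a, n_b, initiator)    # msg 3: A -> B : tag_a
    b_accepts = hmac.compare_digest(tag_a, initiator_tag(key_b, n_a, n_b, initiator))
    return a_accepts, b_accepts


if __name__ == "__main__":
    pw_hash = hashlib.sha256(b"constructed-password-hash").digest()  # stand-in for the stored hash
    k = derive_shared_key(pw_hash, b"constructed-per-host-secret")
    print(mutual_auth(k, k, b"alice@client", b"alice@server"))
```

A host holding a different per-host secret derives a different key, so the first tag check fails and the exchange stops before the initiator proves anything.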


