RFC on proposed remote hardware authentication

Garrett Kajmowicz gkajmowi at tbaytel.net
Sun Feb 27 18:11:44 UTC 2005


I am a big fan of thin clients (especially remote X systems) for enterprise 
computing.  Unfortunately, it has been impossible to use remote 
authentication mechanisms to authenticate users, such as USB keys attached to 
the client.  As such, I'm working on a system to allow for remote 
authentication.

The system works on the client/server principle.
The server is the machine which the user is physically using (think X server).  
The client is the machine requesting some form of authentication - I intend 
to write PAM modules for this once this has been looked over.

The client connects via TCP to the server, a short handshake is done, followed 
by a client request comprising:
- Category for the request
- Request Type
- Device Number
- Up to 64k of data to be processed

The response allows for up to 64k of data.

The server then attempts to process the request and returns the result or an 
error message.

For example, a request to hash the first 1k of floppy 0 with 2k of sent data 
would send a request for:
Category two (device read), Type 0x00020001 (Floppy Drive), Number 0 (Floppy 
0), and 2k of data.

On the server, the first 1k of the floppy disk is read, and hashed with SHA1.  
Then the data sent is appended with that hash and the combined data is hashed 
with SHA1.  The result is then returned.  This (conceivably) would allow an 
organization to fill floppy disks with random information and store the hash 
of the first 1k in a database and use this for authentication.

Of course, I understand that the floppy disk is a bad security token - it's 
simply a proof of concept which I can use because I have a floppy drive next 
to me, but no USB security tokens.

Anyways, I've posted sample code online at:
http://garrett.dyndns.giz/RHA.tar.gz
It's only 12k.
The server code depends on libgcrypt only for hashing code, and on the client 
for a rng.  This could be replaced with other code, but I'm lazy right 
now  :-)

Please let me know what you think of the whole scheme.  If it looks good then 
I will work on a PAM client for this.

- Garrett Kajmowicz
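The request framing and the two-step SHA-1 computation described in the post, written out as an added example. This is not the RHA code from the tarball linked above; the field encoding (three big-endian 32-bit integers, a 32-bit length, then the payload) and all function names are assumptions, and the floppy image and challenge are constructed sample data. The verifier side shows the point the post only implies: the database needs the digest of the first 1k, never the disk contents, and checks the response in constant time.

```python
import hashlib
import hmac
import struct

# Values from the post: category 2 = device read, type 0x00020001 = floppy drive.
CATEGORY_DEVICE_READ = 2
TYPE_FLOPPY = 0x00020001
MAX_PAYLOAD = 64 * 1024      # "up to 64k of data"
TOKEN_PREFIX_LEN = 1024      # the server hashes the first 1k of the device

# Assumed wire layout (the post names the fields but not their encoding):
# category, type, device number and payload length as big-endian u32, then payload.
HEADER = struct.Struct("!IIII")


def build_request(category, req_type, device_number, data):
    """Frame a client request as header + opaque payload."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 64k limit")
    return HEADER.pack(category, req_type, device_number, len(data)) + data


def parse_request(frame):
    """Decode a frame; rejects truncated or oversized payloads."""
    if len(frame) < HEADER.size:
        raise ValueError("short header")
    category, req_type, device_number, length = HEADER.unpack_from(frame)
    if length > MAX_PAYLOAD or len(frame) != HEADER.size + length:
        raise ValueError("payload length mismatch")
    return category, req_type, device_number, frame[HEADER.size:]


def token_digest(device_bytes):
    """SHA-1 of the first 1k of the device; this is what the database stores."""
    if len(device_bytes) < TOKEN_PREFIX_LEN:
        raise ValueError("device image shorter than 1k")
    return hashlib.sha1(device_bytes[:TOKEN_PREFIX_LEN]).digest()


def respond(token, challenge):
    """Second step from the post: SHA1(sent data || SHA1(first 1k))."""
    return hashlib.sha1(challenge + token).digest()


def server_handle(frame, devices):
    """Server side: dispatch a request against a table of device images."""
    category, req_type, number, data = parse_request(frame)
    if category != CATEGORY_DEVICE_READ or req_type != TYPE_FLOPPY:
        raise ValueError("unsupported request")
    if number not in devices:
        raise KeyError("no such device")
    return respond(token_digest(devices[number]), data)


def verify(stored_token, challenge, response):
    """Verifier side: recompute from the stored digest, compare in constant time."""
    return hmac.compare_digest(respond(stored_token, challenge), response)


# Constructed sample data (not real disk contents): a 2k "floppy" and a 2k challenge.
FAKE_FLOPPY = hashlib.sha256(b"constructed floppy image").digest() * 64   # 2048 bytes
CHALLENGE = hashlib.sha256(b"constructed client nonce").digest() * 64     # 2048 bytes


def demo():
    """One exchange: enrol the token, send a challenge, respond, verify."""
    enrolled = token_digest(FAKE_FLOPPY)
    frame = build_request(CATEGORY_DEVICE_READ, TYPE_FLOPPY, 0, CHALLENGE)
    response = server_handle(frame, {0: FAKE_FLOPPY})
    return verify(enrolled, CHALLENGE, response)


if __name__ == "__main__":
    print("authenticated" if demo() else "rejected")
```

Two properties of the scheme fall out of the code: the stored digest of the first 1k is the only secret the verifier holds, so the database deserves the same protection as a password store, and because the response is a deterministic function of challenge and digest, the client must send a fresh random challenge on every attempt (the post's client-side RNG dependency is for exactly this).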
