
Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

[NB: I wanted to take this OT discussion off d-d@ldo and into private
mail, but your e-mail address was munged in some sort of anti-spam
measure, and not trivially un-mungeable. Please consider providing
information on how to demunge it in some X- header, or not using
munging at all.]

On Wed, 03 Dec 2003, Tom wrote:
> On Wed, Dec 03, 2003 at 12:20:59AM -0800, Don Armstrong wrote:
>> the attacker still can control the connection.
> Not while the smart card isn't inserted.

Well, the DD can't log in without the smart card, so that's clearly a

>> the use of a smart card merely means that the attacker has to trojan
>> the ssh binary on the compromised machine and use it to run a command
>> that opens a shell under the DD's uid on a non-privileged port, thus
>> circumventing the smart card in its entirety.
> I don't understand this objection, but it seems valid.  Could you 
> explain?

If you have "adjusted" ssh, you don't need to show the compromised
user the output of all the commands that are being run on the other
end of the connection.

> Have you ever used smartcards? 

Unfortunately, yes.

> I think that the more layers the better.

Sure, I'm just saying that the cost to put > 1000 smart cards with the
requisite hardware in all of the places that DDs log in from doesn't
give us enough extra security to merit the extra cost. Of course, if
someone were to design such a system, work all of the bugs out, and get
a hardware vendor to deploy it to DDs, I wouldn't stand in the way.

[I would personally rather see paired random number generators than
smart cards, but we're a bit too spread out for that to be much of a

Don Armstrong

You could say she lived on the edge... Well, maybe not exactly on the edge,
just close enough to watch other people fall off.
  -- hugh macleod http://www.gapingvoid.com/batch8.htm

