[NB: I wanted to take this OT discussion off d-d@ldo and into private mail, but your e-mail address was munged in some sort of anti-spam measure, and not trivially un-mungeable. Please consider providing information on how to demunge it in some X- header, or not using munging at all.] On Wed, 03 Dec 2003, Tom wrote: > On Wed, Dec 03, 2003 at 12:20:59AM -0800, Don Armstrong wrote: >> the attacker still can control the connection. > > Not while the smart card isn't inserted. Well, the DD can't log in without the smart card, so that's clearly a prerequisite. >> the use of a smart card merely means that the attacker has to trojan >> the ssh binary on the compromised machine and use it to run a command >> that opens a shell under the DD's uid on a non-privledged port, thus >> circumventing the smart card in its entirety. > > I don't understand this objection, but it seems valid. Could you > explain? If you have "adjusted" ssh, you don't need to show the compromised user the output of all the commands that are being run on the other end of the connection. > Have you ever used smartcards? Unfortunatly, yes. > I think that the more layers the better. Sure, I'm just saying that the cost to put > 1000 smart cards with the requisite hardware in all of the places that DD's log in from doesn't give us enough extra security to merit the extra cost. Of course, if someone was to design such a system, work all of the bugs out, and get a hardware vendor to deploy it to DD's, I wouldn't stand in the way. [I would personally rather see paired random number generators than smart cards, but we're a bit too spread out for that to be much of a reality.] Don Armstrong -- You could say she lived on the edge... Well, maybe not exactly on the edge, just close enough to watch other people fall off. -- hugh macleod http://www.gapingvoid.com/batch8.htm http://www.donarmstrong.com http://www.anylevel.com http://rzlab.ucr.edu
Attachment:
signature.asc
Description: Digital signature