On Mon, Dec 04, 2006 at 09:25:38PM +0200, Ratiu Petru wrote:
> What I'm thinking is to provide a static string as a challenge and use the
> response as the cryptodevice password, but I can't find a program that
> allows me to manipulate the socket this way. This mechanism might also be
> used for other purposes, stacking public key authentication in a "normal"
> password-based login.

I do not think this is a good idea. If the challenge is static, the response
will be, too. Then you might be vulnerable to replay attacks.

> I guess I am either missing an obvious security flaw to this,

I am no expert on SSH, but I know some cryptography protocols where a
challenge must not be used more than once. Otherwise the protocol becomes
insecure.

Stefan

-- 
31.69 nHz = once a year.
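The replay concern raised in the reply above, as an added example that is not part of the original message: a verifier that reuses one static challenge accepts a previously observed response again, while a verifier that issues a fresh single-use nonce rejects it. HMAC-SHA256 stands in for the deterministic signature a key agent would produce; the key, class names and challenge string are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; HMAC is a stand-in for a deterministic signature.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"

def respond(challenge: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """Prover side: same challenge and key always give the same response."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class StaticVerifier:
    """The scheme from the thread: one fixed challenge for every login."""
    CHALLENGE = b"static-string"

    def __init__(self, key: bytes = DEVICE_KEY):
        self._expected = respond(self.CHALLENGE, key)

    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._expected)

class NonceVerifier:
    """Fresh random challenge per attempt, each usable at most once."""
    def __init__(self, key: bytes = DEVICE_KEY):
        self._key = key
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already consumed challenge
        self._outstanding.discard(challenge)  # consumed even if the check fails
        return hmac.compare_digest(response, respond(challenge, self._key))

def demo() -> dict:
    static, fresh = StaticVerifier(), NonceVerifier()
    captured = respond(StaticVerifier.CHALLENGE)  # response seen on the wire once
    c1 = fresh.new_challenge()
    r1 = respond(c1)
    return {
        "static_first": static.verify(captured),
        "static_replay": static.verify(captured),        # accepted again
        "nonce_first": fresh.verify(c1, r1),
        "nonce_replay_same": fresh.verify(c1, r1),       # challenge consumed
        "nonce_replay_new": fresh.verify(fresh.new_challenge(), r1),
    }

if __name__ == "__main__":
    print(demo())
```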