Re: some requirements
>Andreas Jellinghaus <aj@dungeon.inka.de> wrote:
>> nearly no server allows authentication via ssl certificate.
>> also nearly no server allows the server key be encrypted with
>> a password, and the certificate in an extra file. apache is fine,
>> but stunnel/sslwrap/... ?
At 02:14 AM 7/28/00, Tom Vogt wrote:
>wasn't s/key made for this?
You're probably thinking of Encrypted Key Exchange (EKE) in which a private
key is encrypted using a shared secret password as the encryption key.
There have been several improvements proposed by various researchers. I'm
not sure which, if any, are actually in use, tho' I've heard it said that a
few universities use such a thing to distribute private keys from a central
server.
S/Key provides a way of using /etc/password to implement (relatively)
simple challenge response passwords. Unix stores the last of a series of
hashes derived from the text password. Login prompts the user with the
number of hash operations performed (the "challenge"). The user feeds the
number to an s/key client, along with the text password. The client
generates a one time password that, when hashed one more time by login,
will match the value stored in /etc/passwd. If they match, the hash count
gets decremented and the newly received hash value replaces the old one.
I don't see an obvious way of making the two work together.
Rick.
smith@securecomputing.com roseville, minnesota
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/
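The S/Key flow described in the message above (server keeps the last hash and a count, challenges with the count, hashes the client's one-time password once more, then decrements and replaces), as an added example that is not part of the original thread or of any S/Key implementation. It assumes SHA-256 in place of S/Key's folded MD4/MD5 output and a constructed user secret; the server keeps per-user state in a dict rather than in /etc/passwd.

```python
import hashlib


def otp_hash(data: bytes) -> bytes:
    # Simplification: real S/Key folds an MD4/MD5 digest down to 64 bits.
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """Apply otp_hash n times to the secret (H^n)."""
    value = secret
    for _ in range(n):
        value = otp_hash(value)
    return value


class SKeyServer:
    """Holds, per user, the remaining count and the last accepted hash."""

    def __init__(self) -> None:
        self.entries: dict[str, list] = {}

    def enroll(self, user: str, secret: bytes, n: int) -> None:
        # Store H^n(secret); the secret itself never reaches the server again.
        self.entries[user] = [n, hash_chain(secret, n)]

    def challenge(self, user: str) -> int:
        # The prompt: how many hash operations the client must perform.
        return self.entries[user][0] - 1

    def verify(self, user: str, otp: bytes) -> bool:
        count, stored = self.entries[user]
        if count <= 1:
            return False  # chain exhausted; user must re-enroll
        if otp_hash(otp) != stored:
            return False  # wrong password or a replayed one-time password
        # Accept: decrement the count and keep this OTP as the new stored hash.
        self.entries[user] = [count - 1, otp]
        return True


def skey_client(secret: bytes, challenge: int) -> bytes:
    """What the s/key client computes from the text password and the prompt."""
    return hash_chain(secret, challenge)
```

Because the server replaces the stored value with each accepted one-time password, a captured OTP fails on reuse: hashing it once more yields the previous stored value, not the current one.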