Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
From: Hannes Beinert
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 10:31:54 -0600
On Tue, Dec 22, 2009 at 09:52, Tomasz bla Fortuna <address@hidden> wrote:
> On Tue, 22 Dec 2009 09:39:24 -0500 Luke Faraone <address@hidden> wrote:
>>
>> If you're going to be printing out your PPP passkeys anyway,
>> wouldn't it make sense to just include the ssh server fingerprint or
>> randomart design on the sheet?
[...]
> Problem is with size. Passcards would have to be reorganized somehow.
> Label can be currently only 29 character long, which is not enough to
> fit fingerprint:
> xxxxxxxxxxxxxxxxxxxxxxxxxxxxx <- 29
> 66:78:1d:57:83:e0:35:d7:1d:ab:d3:9b:3c:a5:ee:df.
> 66781d5783e035d71dabd39b3ca5eedf - without : it won't fit either
Would decreasing the font size work?
> I wonder if using something like 66:78:1d:...:a5:ee:df is enough. Is
> it hard to create a key with same 6 fields of fingerprint? ...
Personally, I think it would be wiser to find some way of printing the
entire key.
> ... Also we
> can place randomart on the back of passcard. It might be a bit tricky to
> print still. Can PuTTY display randomart?
I think that randomart is, as yet, too non-standard to be useful in
many contexts. Currently it is really only an OpenSSH feature, AFAIK.
> We can put the whole fingerprint at the end of each passcard; still I've
> got no idea how to retrieve it from ssh in a program. This fingerprint
> can also be sent via OOB.
I really like the idea of having the option of sending it via OOB.
The two options for retrieving the host key(s) that I can think of are
to (1) directly access the keyfiles in /etc or /etc/ssh, or (2) to
establish an initial session with sshd, which would reveal at least
one of the keys.
The problem with the first option is that one would have to be
somewhat aware of the conventions for the sshd configuration on the
host. IOW, one would either have to know where the (hopefully)
world-readable host keys are stored, or one would need to know the
location of the sshd_config and parse it for the "hostkey" value, and
also understand what it defaults to. This sounds really painful to
me. In the case of the second option, the server would need to be
running at the time of the query -- presumably at the point where the
passcards are being printed -- and I'm unsure how many of the hostkeys
would be revealed by this. I can research this, if you like.
Hannes.
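The first of the two retrieval options discussed above (read the host keys from disk rather than talking to sshd) can be worked through in a few lines. The following is an added example, not code from the otpasswd project or from anyone in this thread: it parses the `HostKey` directives out of an sshd_config, falls back to OpenSSH's documented default key paths when none are set, reads the `.pub` file beside each private key, and computes the MD5 fingerprint in the colon-separated form quoted in the thread (the digest is taken over the raw base64-decoded key blob, which is what `ssh-keygen -l` hashes). The sample config and the sample "public key file" are constructed, and the default-path list is an assumption that mirrors OpenSSH's defaults; which of those files exist depends on the OpenSSH version on the host.

```python
"""Added example (not otpasswd project code): locate sshd's host public keys
via sshd_config and print their MD5 fingerprints for a passcard."""
import base64
import hashlib

# Assumption: these mirror OpenSSH's documented HostKey defaults; older
# versions lack the ecdsa/ed25519 files and newer ones lack dsa.
DEFAULT_HOST_KEYS = [
    "/etc/ssh/ssh_host_rsa_key",
    "/etc/ssh/ssh_host_dsa_key",
    "/etc/ssh/ssh_host_ecdsa_key",
    "/etc/ssh/ssh_host_ed25519_key",
]


def host_key_paths(sshd_config_text):
    """Private-key paths named by HostKey directives in an sshd_config.

    Keywords are case-insensitive and every HostKey line adds one path;
    comments and blank lines are skipped. With no HostKey line at all,
    sshd uses its compiled-in defaults, so we return those instead.
    """
    paths = []
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1].strip().strip('"'))
    return paths or list(DEFAULT_HOST_KEYS)


def public_key_paths(sshd_config_text):
    """sshd keeps the public half beside each private key, suffixed '.pub'."""
    return [p + ".pub" for p in host_key_paths(sshd_config_text)]


def md5_fingerprint(pubkey_line):
    """MD5 fingerprint of an OpenSSH public key line ('type base64 [comment]'),
    rendered as 16 colon-separated hex bytes (47 characters)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_fingerprints(sshd_config_text, read_file):
    """Map each configured public-key path to its fingerprint.

    read_file(path) returns the file's text or raises OSError; a key type
    this OpenSSH build never generated simply has no file and is skipped.
    """
    result = {}
    for path in public_key_paths(sshd_config_text):
        try:
            text = read_file(path)
        except OSError:
            continue
        result[path] = md5_fingerprint(text)
    return result


# Constructed sample config: one comment, one unrelated keyword, two HostKey
# lines in different keyword case.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
"""

# Constructed stand-in for a public key file. The base64 field decodes to
# b"abc", not a real key blob, so the fingerprint is MD5("abc") and the
# ed25519 file is deliberately absent to exercise the skip path.
SAMPLE_FILES = {
    "/etc/ssh/ssh_host_rsa_key.pub": "ssh-rsa YWJj root@example\n",
}


def read_sample(path):
    """In-memory reader with the same contract as open(path).read()."""
    try:
        return SAMPLE_FILES[path]
    except KeyError:
        raise FileNotFoundError(path)


if __name__ == "__main__":
    for path, fp in host_fingerprints(SAMPLE_SSHD_CONFIG, read_sample).items():
        print(path, fp)
    # On a real host, swap in the filesystem:
    # host_fingerprints(open("/etc/ssh/sshd_config").read(),
    #                   lambda p: open(p).read())
```

The fingerprint can be cross-checked against `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` (with `-E md5` on OpenSSH releases that default to SHA256). The sample deliberately leaves one configured key file missing, since a host usually has only a subset of the possible key types; whatever the sheet shows, it should be every key sshd actually offers, which is why this approach enumerates the configured paths rather than stopping at the first one found.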