Daniel Kahn Gillmor wrote:

>Paul Sery <pgsery-swcp.com> wrote:
>> The patch (against 4.7p1) modifies gnome-ssh-askpass to optionally
>> generate a one-time password and transmits it to the user via an
>> out-of-band communication channel. If you can read the password and
>> enter it back into the gnome-ssh-askpass dialog, ssh-agent is
>> allowed to continue with the authentication process.


>This is an interesting idea. Thanks for publishing! I haven't had
>time to digest it enough to know if the general framework is something
>i want, but here's a couple quick notes about the diff:


I've cleaned up most of the clutter and tightened it up in general.

>Seeding with the time (in seconds since the UNIX epoch) means that
>every one of these one-time-passwords that happens in a given second
>is going to use the same random password. So that password will be
>predictable -- probably not a property you intend the one time
>passwords to have.


Yes, my current implementation is a place-holder. I'd like guidance
on whether to use arc4random_stir or something else.

>Thanks again for publishing this idea. For patches that you want
>people to consider against OpenSSH, you probably want to post them to
>the OpenSSH bugzilla (not just this mailing list):
> https://bugzilla.mindrot.org/
> That makes your work easier to find for people looking for it later.


Bug 1393.

Thanks for the advice and help! I hope it proves useful.

-Paul
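
The seeding problem Daniel raises, as an added example that is not part of Paul's patch or of OpenSSH: a rand() generator seeded once per second beside a version that draws its characters from the kernel CSPRNG and uses rejection sampling so the 62-symbol alphabet is not skewed by modulo bias. It reads /dev/urandom for portability; inside OpenSSH the natural source is the arc4random family the thread mentions. The OTP_LEN, ALPHABET and helper names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define OTP_LEN 8
static const char ALPHABET[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
/* Weak (the flaw under review): one seed per second means one password per second. */
void otp_weak(time_t seed, char out[OTP_LEN + 1])
{
    srand((unsigned)seed);
    for (int i = 0; i < OTP_LEN; i++)
        out[i] = ALPHABET[rand() % (sizeof(ALPHABET) - 1)];
    out[OTP_LEN] = '\0';
}
/* Hardened: kernel CSPRNG bytes, modulo bias removed by rejection sampling.
 * Returns -1 if no entropy could be read; the caller must then refuse, not fall back. */
int otp_strong(char out[OTP_LEN + 1])
{
    const unsigned n = sizeof(ALPHABET) - 1, limit = 256 - (256 % n); /* 62, 248 */
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    for (int i = 0; i < OTP_LEN; ) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        if (b < limit) out[i++] = ALPHABET[b % n];   /* bytes >= 248 are rejected */
    }
    fclose(f);
    out[OTP_LEN] = '\0';
    return 0;
}
/* 1 if two weak passwords drawn with the same seed are identical. */
int weak_repeats(time_t seed)
{
    char a[OTP_LEN + 1], b[OTP_LEN + 1];
    otp_weak(seed, a); otp_weak(seed, b);
    return strcmp(a, b) == 0;
}
/* 1 if two strong passwords are well-formed and differ. */
int strong_ok(void)
{
    char a[OTP_LEN + 1], b[OTP_LEN + 1];
    if (otp_strong(a) != 0 || otp_strong(b) != 0) return 0;
    return strspn(a, ALPHABET) == OTP_LEN && strspn(b, ALPHABET) == OTP_LEN && strcmp(a, b) != 0;
}
int main(void)
{
    printf("weak repeats within one second: %d\n", weak_repeats(time(NULL)));
    printf("strong self-check: %d\n", strong_ok());
}
```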

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev