otpasswd-talk

Re: [Otpasswd-talk] Using OTP to kind of fix MITM.


From: Tomasz bla Fortuna
Subject: Re: [Otpasswd-talk] Using OTP to kind of fix MITM.
Date: Tue, 22 Dec 2009 18:01:49 +0100

On Tue, 22 Dec 2009 10:31:54 -0600
Hannes Beinert <address@hidden> wrote:

> On Tue, Dec 22, 2009 at 09:52, Tomasz bla Fortuna <address@hidden>
> wrote:
> > On Tue, 22 Dec 2009 09:39:24 -0500 Luke Faraone <address@hidden>
> > wrote:
> >>
> >> If you're going to be printing out your PPP passkeys anyway,
> >> wouldn't it make sense to just include the ssh server fingerprint
> >> or randomart design on the sheet?
> [...]
> > Problem is with size. Passcards would have to be reorganized
> > somehow. Label can be currently only 29 character long, which is
> > not enough to fit fingerprint:
> > xxxxxxxxxxxxxxxxxxxxxxxxxxxxx  <- 29
> > 66:78:1d:57:83:e0:35:d7:1d:ab:d3:9b:3c:a5:ee:df.
> > 66781d5783e035d71dabd39b3ca5eedf - without : won't fit too
> 
> Would decreasing the font size work?
In LaTeX, yes. But the 'main' passcard printing method is still just
ASCII output that only counts characters. (In fact this text-only
output is used by LaTeX and only wrapped in something more.)

> 
> > I wonder if using something like 66:78:1d:...:a5:ee:df is enough. Is
> > it hard to create a key with same 6 fields of fingerprint? ...
> 
> Personally, I think it would be wiser to find some way of printing the
> entire key.
> 
> > ... Also we
> > can place randomart on the back of passcard. It might be a bit
> > tricky to print still. Can PuTTY display randomart?
> 
> I think that randomart is, as yet, too non-standard to be useful in
> many contexts.  Currently it is really only an OpenSSH feature, AFAIK.
> 
> > We can put whole fingerprint at the end of each passcard; still I've
> > got no idea how to retrieve it from ssh in a program. This
> > fingerprint can also be send via OOB.
> 
> I really like the idea of having the option of sending it via OOB.
> 
> The two options for retrieving the host key(s) that I can think of are
> to (1) directly access the keyfiles in /etc or /etc/ssh, or (2) to
> establish an initial session with sshd, which would reveal at least
> one of the keys.
> 
> The problem with the first option is that one would have to be
> somewhat aware of the conventions for the sshd configuration on the
> host.  IOW, one would either have to know where the (hopefully)
> world-readable host keys are stored, or one would need to know the
> location of the sshd_config and parse it for the "hostkey" value, and
> also understand what it defaults to.  This sounds really painful to
> me.  In the case of the second option, the server would need to be
> running at the time of the query -- presumably at the point where the
> passcards are being printed -- and I'm unsure how many of the hostkeys
> would be revealed by this.  I can research this, if you like.

True. That's kind of a pain. If we had to do it like this (checking the
key location, calling some program) I'd create an external sh script to
do the work (which can be distribution dependent) and call it to get the
fingerprint... This can also be a pain, taking into account that
otpasswd will have to be SUID to work with the global database. I'd like to
implement this by 1.0, but for now there are still some things to do. ;)

This script could generate the whole back of the passcard.

> Hannes.


-- 
Tomasz bla Fortuna
jid: bla(at)af.gliwice.pl
pgp: 0x90746E79 @ pgp.mit.edu
www: http://bla.thera.be
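The thread's option (1), reading the world-readable host public key and computing the fingerprint that ends up on the passcard or goes out of band, as an added worked example. This is not otpasswd's code and not the script Tomasz describes; the helper names, the toy RSA modulus and the "root@example" comment are constructed for the example. It produces the colon-separated MD5 form quoted in the thread (47 characters, 32 without colons, so neither fits the 29-character label) and, going beyond the 2009 discussion, the `SHA256:` form that later OpenSSH releases print.

```python
"""Compute OpenSSH-style host key fingerprints from a public key line.

Added example, not part of otpasswd. It implements option (1) from the
thread: read a host public key line (normally one of /etc/ssh/ssh_host_*_key.pub)
and compute the fingerprint that `ssh-keygen -l` would print, so it can be
placed on a passcard or sent out of band and compared against what the
client shows on first connect.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, with a
    leading 0x00 when the top bit is set, as RFC 4251 requires)."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def make_rsa_public_key_line(e: int, n: int, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-rsa AAAA... comment' line.
    Constructed sample input only: the modulus passed in the demo below is a
    toy value, not a real key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str):
    """Return (key_type, blob_bytes) from one line of an OpenSSH .pub file."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own type string; refuse lines where the text
    # field and the embedded type disagree.
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {embedded!r}")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the blob as colon-separated hex
    (the 66:78:1d:... style quoted in the thread, 47 characters)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Newer OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fits_label(text: str, max_len: int = 29) -> bool:
    """Does the text fit the 29-character passcard label discussed in the thread?"""
    return len(text) <= max_len


if __name__ == "__main__":
    # Constructed sample: a 64-bit modulus is not a real key, it only
    # exercises the encoding. In practice read the .pub line from disk.
    line = make_rsa_public_key_line(65537, 0xC1A5E7D3B9F0246F, "root@example")
    ktype, blob = parse_public_key_line(line)
    for fp in (md5_fingerprint(blob), sha256_fingerprint(blob)):
        print(ktype, fp, "fits label:", fits_label(fp))
```

Both fingerprint forms are longer than the label, which is the sizing problem the thread describes; the script therefore reports the fit explicitly rather than silently truncating, since a truncated fingerprint is exactly what Hannes argues against.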
