On Mon, 30 Mar 2009, Damian Myerscough wrote:
Hello,
What about the use of S/Key (one-time passwords)? I think it is possible to
deploy SSH with S/Key authentication. I haven't looked into it that much but it
could be a possible solution?
If someone had my username, password, and ssh key, how would that prevent
them from getting an OTP?
-Mike
susmit shannigrahi wrote:
> > So I'm not quite sure how to 'fix' this problem. By that I mean, even if
> > we knew this attack was going to happen I'm not totally sure of a feasible
> > solution, using only free software, that we could have used to fix it.
> > Obviously a physical rsa key or the like would have worked but I don't
> > think we have the manpower nor budget to implement such a system. So I
> > ask the list, any ideas?
>
> A single use random code/passwd mailed/texted each time one tries to
> login and invalidated just after use??
>
> Basically I am referring to RFC 2289[1]
>
> [1] http://www.ietf.org/rfc/rfc2289.txt
>
> Thanks.
>
--
Regards,
Damian Myerscough
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list