View Single Post
  #9   (View Single Post)  
Old 3rd October 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,416

OpenSSH supports host based authentication, public key authentication, challenge-response authentication, or password authentication.

(I never set up OpenSSH servers with password authentication, myself. My favorites are public key and S/Key challenge-response authentications.)

Host-based authentications may include ActivCard token, CRYPTOCard token, Kerberos ticket, Radius authentication, , SecureNet Key token, X9.9 token, or programmatic authentications. Program authentications via the "approve" and "approve-service" keywords are described in login.conf(5) but I know nothing about them, except they appear to be available for custom challenge/response techniques. This might be how you could interface your custom authentication with OpenSSH, or perhaps with your alternative file transfer solution.

A common programmatic authentication used in other Unix-like systems is PAM. All I know of PAM is that it is not one of the methods available on OpenBSD.


TLS (Transport Layer Security) is an authentication method based on public key authentication -- it uses certificates which include public/private key pair halves. To basic PKA it adds complexities such as commercial certification authorities (e.g.: Verisign), expiration dates (so that the certification companies get repeat business), and the like.

As an admin, you might have set up a secure web server (https), and set up a host certificate for it. If you *also* created a small set of client certificates to give to a set of users, to limit which clients could reach that server, you set up a TLS authentication system.

Encryption for TLS traffic is via SSL v3.

Last edited by jggimi; 3rd October 2008 at 04:01 PM. Reason: typo
Reply With Quote