[Swan] UPDATE Re: Authentication with pam_url and nonces

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Mon Feb 7 23:56:38 EET 2022


Hi Paul,

I have sort of tunneled HMAC-SHA-256 over HTTPS.

I have used proven concepts (HMAC, SHA-256, challenge-response a.k.a. 
CHAP, nonces, serials for replay attack prevention, ...).

I don't think it is overkill because the server script has the right to
know who is calling it and to whom it grants authorization. This is
mainly because pam_get_item (pamh, PAM_RHOST, &clientIP) mysteriously
gave me NULL, which is still left to investigate.

I don't feel bad about having a garage implementation that works. Of
course, a garage implementation is not guaranteed to be cryptographically
unbreakable, so I will probably look into doing more homework and
attempting to logically prove that it works. I feel safer with garage
crypto than no crypto at all :-)

If nothing else, this was a good programming and brain exercise, so I 
have no regrets ;-)

I am not very familiar with openssl or GNUTLS.

Kind regards,
Mirsad

On 2/7/2022 7:51 PM, Paul Wouters wrote:
> If you feel the pam TLS calls need more than server side cert verification, you should look into client authentication, e.g. mTLS. Don’t invent your own crypto.
>
> Paul

--
Mirsad Goran Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355


