Archived
TD0334: NIT Technical Decision for Testing SSH when password-based authentication is not supported
Publication Date
2018.08.01
Protection Profiles
CPP_ND_V2.0E
Other References
ND SD V2.0, FCS_SSHC_EXT.1.9
Issue Description
The NIT has issued a technical decision for testing SSH when password-based authentication is not supported.
Resolution
In the ND SD, Test 2 for FCS_SSHC_EXT.1.9 shall be replaced by: <new>"The evaluator shall add an entry associating a host name with a public key into the TOE’s local database. The evaluator shall replace, on the corresponding SSH server, the server’s host key with a different host key. If 'password-based' is selected for the TOE in FCS_SSHC_EXT.1.2, the evaluator shall initiate a connection from the TOE to the SSH server using password-based authentication, shall ensure that the TOE rejects the connection, and shall ensure that the password was not transmitted to the SSH server (for example, by instrumenting the SSH server with a debugging capability to output received passwords). If 'password-based' is not selected for the TOE in FCS_SSHC_EXT.1.2, the evaluator shall initiate a connection from the TOE to the SSH server using public key-based authentication, and shall ensure that the TOE rejects the connection."</new>
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201803.pdf
Justification
See issue description.
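The pass/fail conditions of the replacement Test 2 can be written down as a small verdict check an evaluator might run over collected evidence. This is an added example, not part of the technical decision or the ND SD. It assumes the TOE's local database can be exported in OpenSSH `known_hosts` style and that the instrumented server writes a debug log; the function names, host name, keys and log line are constructed for illustration.

```python
import base64

def _constructed_key(seed: int) -> str:
    """Build a constructed (not real) ssh-ed25519 public key line for the demo."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed sample data: key pinned in the TOE database, and the replacement key.
PINNED_KEY = _constructed_key(1)
REPLACED_KEY = _constructed_key(2)
TOE_DATABASE = "# constructed entry\nsshserver.example " + PINNED_KEY + "\n"

def pinned_key(database: str, host: str):
    """Return (keytype, base64 key) associated with host, or None."""
    for line in database.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # skip comments, marker lines and hashed host names
        if host in fields[0].split(","):
            return fields[1], fields[2]
    return None

def verdict_for_test2(database, host, server_key, password_selected,
                      toe_rejected, server_debug_log="", test_password=""):
    """Apply the pass/fail conditions of the replacement Test 2."""
    if password_selected and not test_password:
        raise ValueError("test_password is required for the password-based branch")
    pin = pinned_key(database, host)
    if pin is None:
        return "INCONCLUSIVE: no host/key entry in the TOE database"
    if tuple(server_key.split()[:2]) == pin:
        return "INCONCLUSIVE: server host key was not replaced"
    if not toe_rejected:
        return "FAIL: TOE connected despite the changed host key"
    if password_selected and test_password in server_debug_log:
        return "FAIL: password was transmitted to the SSH server"
    return "PASS"

if __name__ == "__main__":
    log = "debug1: userauth-request for user admin method none"  # constructed
    print(verdict_for_test2(TOE_DATABASE, "sshserver.example", REPLACED_KEY,
                            True, True, log, "Ev4luator-pw"))
```

The two INCONCLUSIVE results cover setup errors: a rejection only counts as evidence when the TOE actually holds an entry for the host and the server's key differs from it.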