Archived TD0339: NIT Technical Decision for Making password-based authentication optional in FCS_SSHS_EXT.1.2
ND SD V2.0, FCS_SSHS_EXT.1.2
The NIT has issued a technical decision for making password-based authentication optional in FCS_SSHS_EXT.1.2.
In the NDcPP and FWcPP the following changes shall be applied:
FCS_SSHS_EXT.1.2 shall be modified as follows:
"FCS_SSHS_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, [selection:
password-based, no other method]."
The following application note shall be added to FCS_SSHS_EXT.1.2:
"If the TOE supports password-based authentication, the option 'password-based' shall be selected. If the TOE supports only public key-based authentication, the option 'no other method' shall be chosen."
In the ND SD the following changes to the evaluation activities for FCS_SSHS_EXT.1.2 shall be applied:
The TSS section shall be replaced as follows:
"The evaluator shall check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication and that this list conforms to FCS_SSHS_EXT.1.5, and ensure that if password-based authentication methods have been selected in the ST then these are also described."
The Test section for FCS_SSHS_EXT.1.2 shall be replaced as follows:
"Test 1: If password-based authentication methods have been selected in the ST then using the guidance documentation, the evaluator shall configure the TOE to accept password-based authentication, and demonstrate that user authentication succeeds when the correct password is provided by the user.
Test 2: If password-based authentication methods have been selected in the ST then the evaluator shall use an SSH client, enter an incorrect password to attempt to authenticate to the TOE, and demonstrate that the authentication fails.
Note: Public key authentication is tested as part of testing for FCS_SSHS_EXT.1.5."
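The evaluation activities above hinge on what the TOE's SSH server is actually configured to accept. The following is an added example, not part of the Technical Decision or of any NIAP or OpenSSH code: a small checker that reads an OpenSSH-style sshd_config, applies sshd's rule that the first value given for a keyword wins, honours AuthenticationMethods, and reports which FCS_SSHS_EXT.1.2 selection ("password-based" or "no other method") the configuration corresponds to. It assumes OpenSSH defaults (PubkeyAuthentication and PasswordAuthentication both default to yes) and deliberately ignores conditional Match blocks; the sample configurations are constructed.

```python
"""Report the SSH authentication methods an sshd_config permits (added example)."""
import re

# OpenSSH defaults when the keyword is absent (assumption: OpenSSH semantics).
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return effective top-level keyword values, lower-cased keys.

    sshd uses the FIRST value it obtains for each keyword, so later duplicates
    are ignored. Everything after a 'Match' line is conditional and is skipped
    here (caveat: per-user/per-host overrides are not evaluated).
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)  # 'Keyword arg' or 'Keyword=arg'
        if not m:
            continue
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        values.setdefault(key, arg)  # first occurrence wins
    return values


def auth_methods(text):
    """Return {'publickey': bool, 'password': bool} for the given config text."""
    cfg = parse_sshd_config(text)
    pubkey = cfg.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]).lower() == "yes"
    password = cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower() == "yes"
    # AuthenticationMethods lists allowed chains, e.g. 'publickey,password publickey'.
    # A method that is enabled but appears in no chain cannot actually be used.
    methods = cfg.get("authenticationmethods")
    if methods and methods.lower() != "any":
        chains = [chain.split(",") for chain in methods.split()]
        pubkey = pubkey and any("publickey" in chain for chain in chains)
        password = password and any("password" in chain for chain in chains)
    return {"publickey": pubkey, "password": password}


def fcs_sshs_selection(text):
    """Map the effective configuration to the FCS_SSHS_EXT.1.2 selection."""
    m = auth_methods(text)
    if not m["publickey"]:
        return "public key-based authentication disabled: FCS_SSHS_EXT.1.2 requires it"
    return "password-based" if m["password"] else "no other method"


# Constructed sample configurations (not from any real system).
CONFIG_PASSWORD = """
# password login permitted alongside public keys
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
"""

CONFIG_PUBKEY_ONLY = """
# key-only server; the second PasswordAuthentication line is ignored by sshd
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
"""

CONFIG_METHODS = """
# PasswordAuthentication is on, but no allowed chain contains 'password'
PasswordAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in [("password", CONFIG_PASSWORD),
                      ("pubkey-only", CONFIG_PUBKEY_ONLY),
                      ("methods", CONFIG_METHODS)]:
        print(f"{name:12s} {auth_methods(cfg)} -> selection: {fcs_sshs_selection(cfg)}")
```

When the checker reports "password-based", Tests 1 and 2 of the evaluation activity apply; when it reports "no other method", only the public key testing under FCS_SSHS_EXT.1.5 remains. The Match-block caveat matters in practice: a per-user override can re-enable password authentication for specific accounts, so an evaluator should also review those blocks by hand.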
For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201721.pdf
From a security perspective, a TOE does not necessarily need to support password-based authentication.