
Re: seeking hardware token recommendations

by vinmclellan

Hi Jake,

While it is true that RSA, for some 15 years, used an NSA-certified proprietary hash to generate the SecurID's one-time password, five years ago RSA replaced the classic SecurID with an AES-based token, so your concern about the proprietary hash is a little out of date.  To the best of my knowledge (and I track this stuff), no one has ever claimed to have inverted the old Brainard hash in the classic SecurID, but the AES SecurID token, with a 128-bit secret, is state of the art, even DPA-resistant, and available in a half-dozen form factors.

The RSA Authentication Manager includes a RADIUS server, and OpenBSD, of course, has login_radius, BSD Auth, and OpenSSH. RSA, unfortunately, doesn't officially support OpenBSD, and I don't know what might be available that would be the equivalent of PAM modules under BSD Auth. There is probably some experience available here with regard to critical applications, but if not, query other BSD forums or Kevin Kadow's unofficial SecurID Users' Forum at:
http://tech.groups.yahoo.com/group/securid-users/

Check out Kadow's comment on another OpenBSD forum a few months ago at:
http://tinyurl.com/2murme
Also Tim Kornau's FreeRadius 1.1.0 port to OpenBSD
http://marc.info/?l=openbsd-ports&m=113827097610572&w=2

For SecurID basics, you might want to also check out:

RSA SecurID Options: http://www.rsa.com/node.aspx?id=1156
RSA Authentication Servers and Appliances:
http://www.rsa.com/node.aspx?id=3049
SecurID-Ready VPNs:
http://www.rsa.com/rsasecured/results.asp?search=VPN&x=0&y=0
RSA's Platform Support Matrix (which describes RSA's PAM modules): http://www.rsa.com/node.aspx?id=2573

If you are considering RSA SecurID and SSH, see:

OpenSSH: http://www.openssh.com/
OpenSSH support for SecurID: http://sweb.cz/v_t_m/
and The RSA SecurID-Ready Implementation Guide for SSH:
http://www.rsa.com/rsasecured/guides/imp_pdfs/ssh_secure_shell_ace5.pdf

I'm a consultant to RSA, but this isn't my turf. Hope this is helpful.

Suerte,
        _Vin

------------ in reference to ---------

Jacob Yocom-Piatt-2 wrote:
would like to lock "random" users out of the services that are hosted on
machines here and remember LLNL, etc, using an RSA SecurID to effect
this back in the day: you had to enter your SecurID string before being
able to ssh into your user account through the firewall. I am aware that
the SecurID uses a closed-source algorithm to generate its codes and is
thus, IMO, not a desirable solution. The goal is to allow only users
with (1) a hardware token and (2) the correct passwords to access
services (IMAPS, etc) on openbsd machines.

A list of OTPs would be sufficient if I didn't think I'd end up
regularly issuing new lists to users. If there is any "good" solution of
the sort I describe above, I would appreciate pointers from more
knowledgeable folks.

cheers,
jake
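Added example, not from the thread and not RSA's or OpenBSD's code: the RFC 2865 exchange that a RADIUS-speaking login module such as login_radius(8) would have with the RADIUS server bundled in Authentication Manager when a user types PIN + tokencode. The shared secret, user name, NAS identifier and passcode are constructed sample values; the server-side token check is a stand-in dictionary, not the SecurID algorithm. It shows how the passcode is hidden on the wire (MD5 keyed by the shared secret and the Request Authenticator) and how the client detects a spoofed Access-Accept via the Response Authenticator.

```python
"""RFC 2865 Access-Request / Access-Accept exchange carrying an OTP passcode.
Example code added to this thread; secret, user and passcode are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, authenticator):
    # RFC 2865 s5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = RA.
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password; the NUL strip assumes the passcode itself has no trailing NULs.
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attr(atype, value):
    # Type (1) + Length (1, includes the 2 header bytes) + Value.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attrs(body):
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        out.append((atype, body[i + 2:i + length]))
        i += length
    return out


def build_access_request(ident, secret, user, passcode, nas_id, authenticator=None):
    # The NAS (here: the OpenBSD login side) picks a fresh 16-byte Request Authenticator.
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(passcode, secret, ra))
             + attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(request, secret, check):
    # `check(user, passcode) -> bool` stands in for the authentication server's token validation.
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    passcode = reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    rcode = ACCESS_ACCEPT if check(attrs[ATTR_USER_NAME], passcode) else ACCESS_REJECT
    head = struct.pack("!BBH", rcode, ident, 20)  # no attributes in this reply
    # Response Authenticator (RFC 2865 s3): MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    return head + hashlib.md5(head + ra + secret).digest()


def client_verify_response(request, response, secret):
    # Without the shared secret nobody can forge this digest, so a spoofed Accept is rejected.
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo(passcode=b"1234548290"):
    # Constructed values: PIN "1234" followed by a 6-digit tokencode "548290".
    secret = b"constructed-shared-secret"
    valid = {b"jake": b"1234548290"}
    req = build_access_request(7, secret, b"jake", passcode, b"obsd-gateway")
    resp = server_handle(req, secret, lambda user, pc: valid.get(user) == pc)
    forged = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20) + b"\x00" * 16
    return resp[0], client_verify_response(req, resp, secret), client_verify_response(req, forged, secret)
```

The MD5 constructions above are the only protection RADIUS over UDP offers, so the strength of the shared secret and the trustworthiness of the NAS-to-server network path matter. On the OpenBSD side, according to login_radius(8), the secret lives in /etc/raddb/servers and the style is selected with the login.conf auth capability, with the server named via the radius-server capability.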
