seeking hardware token recommendations

would like to lock "random" users out of the services that are hosted on machines here and remember LLNL, etc, using an RSA SecurID to effect this back in the day: you had to enter your SecurID string before being able to ssh into your user account through the firewall.

i am aware that the SecurID uses a closed-source algorithm to generate its codes and is thus, IMO, not a desirable solution.

the goal is to allow only users with (1) a hardware token and (2) the correct passwords to access services (IMAPS, etc) on openbsd machines. a list of OTPs would be sufficient if i didn't think i'd end up regularly issuing new lists to users.

if there is any "good" solution of the sort i describe above, i would appreciate pointers from more knowledgeable folks.

cheers, jake
Re: seeking hardware token recommendations

Hi Jake,

While it is true that RSA, for some 15 years, used an NSA-certified proprietary hash to generate the SecurID's one-time password, five years ago RSA replaced the classic SecurID with an AES-based token, so your concern about the proprietary hash is a little out of date. To the best of my knowledge (and I track this stuff), no one has ever claimed to have inverted the old Brainard hash in the classic SecurID, but the AES SecurID token, with a 128-bit secret, is state of the art, even DPA-resistant, and available in a half-dozen form-factors.

The RSA Authentication Manager includes a RADIUS server, and OpenBSD, of course, has login_radius, BSD Auth, and OpenSSH. RSA, unfortunately, doesn't officially support OpenBSD, and I don't know what might be available that would be the equivalent of PAM modules under BSD Auth. There is probably some experience available here with regard to critical applications, but if not, query other BSD forums or Kevin Kadow's unofficial SecurID Users' Forum at:
http://tech.groups.yahoo.com/group/securid-users/

Check out Kadow's comment on another OpenBSD forum a few months ago at:
http://tinyurl.com/2murme

Also Tim Kornau's FreeRadius 1.1.0 port to OpenBSD:
http://marc.info/?l=openbsd-ports&m=113827097610572&w=2

For SecurID basics, you might want to also check out:

RSA SecurID Options:
http://www.rsa.com/node.aspx?id=1156

RSA Authentication Servers and Appliances:
http://www.rsa.com/node.aspx?id=3049

SecurID-Ready VPNs:
http://www.rsa.com/rsasecured/results.asp?search=VPN&x=0&y=0

RSA's Platform Support Matrix (which describes RSA's PAM modules):
http://www.rsa.com/node.aspx?id=2573

If you are considering RSA SecurID and SSH, see:

OpenSSH:
http://www.openssh.com/

OpenSSH support for SecurID:
http://sweb.cz/v_t_m/

and The RSA SecurID-Ready Implementation Guide for SSH:
http://www.rsa.com/rsasecured/guides/imp_pdfs/ssh_secure_shell_ace5.pdf

I'm a consultant to RSA, but this isn't my turf. Hope this is helpful.

Suerte,
_Vin
Re: seeking hardware token recommendations

One thing I didn't see mentioned is public key certificates. Jacob's need to control access in a granular fashion might be solvable through the use of client certificates and SSL, rather than one-time passwords?

Overall Vin makes good points, and includes useful links, so I won't re-write my screeds from other sites and mailing lists. There is one warning I must repeat -- You might be tempted to use X9.9 (the 'x99token' application in OpenBSD). Please do not use this algorithm for security; there were fatal flaws in the X9.9 authentication standard, and ANSI X9.9-1994 MAC was withdrawn in 1999 (http://www.x9.org/standards/free/).

On Dec 6, 2007 11:02 PM, Jacob Yocom-Piatt <jy-p@...> wrote:
> i am aware that the securID uses a closed-source algorithm
> to generate its codes and is thus, IMO, not a desirable solution.

SecurID, like other modern hardware tokens, uses both well-vetted crypto (AES) and also a 'secret sauce' to generate one time passcodes (OTP). This generally means that their centralized server and software tokens are inherently only available as binaries for a very limited number of platforms, usually PC Windows, Sparc Solaris, and perhaps one Linux platform. There might be one vendor with FreeBSD support somewhere out there...

Simple hardware tokens, while requiring one additional (non-OpenBSD) authentication server in your data center, do provide the best balance of security and usability. They're also expensive, though many vendors (including Safeword and SecurID) are offering lower-priced "appliance" models for sites with just a few dozen users.

> the goal is to allow only users with
> (1) a hardware token and
> (2) the correct passwords to access services (IMAPS, etc) on openbsd machines.

I am not aware of any hardware tokens where the "authentication server" is supported on OpenBSD, much less any open source OTP vendor offering hardware tokens. But all the current players support the RADIUS protocol, and the various vendors are working together on a new open authentication network protocol, OATH (http://www.openauthentication.org/).

It'd be cool to have a small calculator to generate RMD-160 OPIE responses, but I don't know of anything approaching the price point of SecurID, Safeword, Vasco, CRYPTOCard, etc.

> a list of OTPs would be sufficient if i didn't think i'd end up
> regularly issuing new lists to users. if there is any "good" solution of
> the sort i describe above, i would appreciate pointers from more
> knowledgeable folks.

The built-in S/Key (OPIE?) implementation in OpenBSD is good. You will need to either give users access to and training on using 'skeyinit', or you will need to regularly issue new response 'cheat sheets' to users.

Kevin
Re: seeking hardware token recommendations

On Fri, Dec 07, 2007 at 03:23:13PM -0600, K K wrote:
> > the goal is to allow only users with
> > (1) a hardware token and
> > (2) the correct passwords to access services (IMAPS, etc) on openbsd machines.

you may want to look at http://www.fatsquirrel.org/veghead/wot/skey.php and its corresponding software for your mobile phone. if this is interesting for you i have a list of similar links; reply offlist & i can send these through. some of these are skey based and some are other 2-factor solutions.

a+
scorch
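Both Kevin's reply (the skeyinit/"cheat sheet" trade-off, and the wish for a pocket calculator for responses) and scorch's (an S/Key calculator on a phone) come down to the same RFC 2289 hash chain. The block below is an added example written for this page; it is not code from the thread, from OpenBSD's skey(1) or from the fatsquirrel page. It shows the client-side calculator, the server-side record and check that a login would perform, and the printed list of upcoming responses. Assumptions to note: it uses the MD5 flavour of the one-way function (OpenBSD's skeyinit defaults to RMD-160 and also offers md5 and sha1; the MD5 fold is the simplest to show, and the SHA-1/RMD-160 folds differ), it emits only the hexadecimal response form and leaves out the six-word encoding (which needs the 2048-word RFC 2289 dictionary), and the passphrase, seed and sequence number are constructed. RFC 2289 Appendix C publishes known-answer vectors for each hash flavour; a real calculator should be checked against them.

```python
import hashlib


def skey_f(data: bytes) -> bytes:
    """MD5 flavour of the S/Key one-way function (RFC 2289): MD5 the input,
    then fold the 16-byte digest to 8 bytes by XOR-ing its two halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def skey_response(passphrase: str, seed: str, seq: int) -> bytes:
    """One-time password number `seq`: f applied seq times to seed||passphrase.
    The seed is lower-cased before use, as RFC 2289 requires."""
    x = skey_f((seed.lower() + passphrase).encode())
    for _ in range(seq):
        x = skey_f(x)
    return x


def to_hex(otp: bytes) -> str:
    """Hexadecimal response form, four groups of four (what 'skey -x' prints)."""
    h = otp.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def parse_hex(text: str) -> bytes:
    """Accept a typed response with or without the group spacing."""
    return bytes.fromhex(text.replace(" ", ""))


def cheat_sheet(passphrase: str, seed: str, seq: int, count: int):
    """The printed list Kevin mentions: the next `count` responses, highest
    sequence first, for a record whose stored value is f^seq."""
    return [(s, to_hex(skey_response(passphrase, seed, s)))
            for s in range(seq - 1, max(seq - 1 - count, 0), -1)]


class SkeyRecord:
    """What the server keeps for one user (cf. a line of /etc/skey/<user> on
    OpenBSD): sequence number, seed and f^seq(x).  The passphrase is never
    stored; each accepted response is one hash step below the stored value,
    so a captured response cannot be reused and cannot yield the next one."""

    def __init__(self, passphrase: str, seed: str, seq: int = 100):
        self.seed = seed
        self.seq = seq
        self.stored = skey_response(passphrase, seed, seq)

    def challenge(self) -> str:
        # Format is the RFC 2289 one; OpenBSD's default would say otp-rmd160.
        if self.seq <= 1:
            raise RuntimeError("sequence exhausted; the user must run skeyinit again")
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        # A correct response r is f^(seq-1)(x), so f(r) must equal the stored f^seq(x).
        if skey_f(response) != self.stored:
            return False
        self.stored = response               # the chain moves one step down
        self.seq -= 1
        return True


if __name__ == "__main__":
    # Constructed example credentials: skeyinit with the default count of 100.
    passphrase, seed = "correct horse battery staple", "ob12345"
    record = SkeyRecord(passphrase, seed, 100)
    print("prompt  :", record.challenge())
    for s, hexresp in cheat_sheet(passphrase, seed, 100, 3):
        print("sheet   :", s, hexresp)
    typed = to_hex(skey_response(passphrase, seed, 99))   # the calculator's answer
    print("login   :", record.verify(parse_hex(typed)))
    print("replay  :", record.verify(parse_hex(typed)))
    print("next    :", record.challenge())
```

The check is deliberately one-directional: the server can confirm a response only by hashing it forward, never by deriving it, so compromise of /etc/skey discloses nothing usable for login. What it does not protect against is an active attacker who intercepts a response before the server sees it, which is why the services in Jake's question should still run over TLS or SSH.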