
Re: kerberos + securid (hpcmp)

daemon@ATHENA.MIT.EDU (David Bishop)
Fri May 25 17:53:02 2007

Date: Fri, 25 May 2007 14:43:28 -0600
From: David Bishop <david@gnuconsulting.com>
To: David Bishop <tech@gnuconsulting.com>
Message-ID: <20070525204328.GI25702@nwind.net>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20070525171033.GF25702@nwind.net>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


As a follow-up to this, I just found a posting from krbdev in January
regarding this (I think).  Was there no follow-through by the Cryptocard
people? And am I right in translating cryptocard as 'securid
compatible'?

http://osdir.com/ml/encryption.kerberos.devel/2007-01/msg00079.html

David Bishop

On Fri, May 25, 2007 at 11:10:33AM -0600, David Bishop wrote:
> Good morning!
> 
> I work at a largish retail company, who is being affected by the
> PCI-DSS.  One of the changes we are making is implementing one-time
> passwords to access any of our production machines (use RSA SecurIDs).
> We have that working using the standard PAM module, but are already
> annoyed at having to enter a PIN every time we get on any machine
> (something that we do tens of times per day).
> 
> Our first thought was to have a couple of "gateway" machines, that you
> have to use a securid to log into, then allow sshkeys[1] from there to the
> other machines - while still allowing "direct" access to the machines
> using RSA.  However, there is no way to change the order of
> authentication in sshd, server-side (to do the PAM-checks of IP,
> then determine whether to use RSA or sshkeys), and client-side isn't
> good enough (for obvious reasons).
> 
> That is a long-winded way of saying that we are seriously considering
> using kerberos.  However, we would still need to use RSA SecurID for the
> initial authentication, to get the TGT.  The only thing I can find after
> googling for a while is that I (apparently) need to use the HPCMP flavor
> of kerberos to have that functionality, but *nowhere* can I find a link
> to the source code, in order to build our own kdc, or the various
> Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
> the only binary clients I could readily find).
> 
> My question is: am I the worst googler ever?  Is, perchance, securid
> support built into the latest krb5 release, and I just can't find
> documentation on it?  Am I just SOL?  Is there a different way to
> accomplish what we desire (that isn't kludgy, like running multiple sshd
> instances)?
> 
> Many, many thanks for those of you who read this far.  Have a great day!
> 
> David
> 
> [1] using ssh-agent, of course
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
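The quoted message describes a server-side ordering problem: direct logins should go through the RSA SecurID PAM check, while logins arriving from a few hardened gateway hosts should be allowed to use ssh keys instead. The sshd_config fragment below is an added illustration of that split and is not part of the thread or of any project's documentation. It assumes OpenSSH 6.2 or later (which introduced the AuthenticationMethods keyword); the gateway addresses 192.0.2.10 and 192.0.2.11 are placeholders.

```text
# sshd_config fragment (added illustration, not from the thread).
# Assumes OpenSSH 6.2 or later; gateway addresses are placeholders.

# Global default: every login must pass the PAM one-time-password prompt
# (keyboard-interactive), so direct access always hits the SecurID check.
UsePAM yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods keyboard-interactive

# Only connections whose source address is one of the gateway hosts may
# authenticate with a key instead. Match blocks apply until the next Match
# (or end of file), so keep this at the bottom of the file.
Match Address 192.0.2.10,192.0.2.11
    AuthenticationMethods publickey
```

Check the file with `sshd -t` before reloading, and note the trust this places in the network: `Match Address` keys the decision off the source IP, so the gateway hosts themselves must enforce the SecurID login and must not be reachable in a way that lets an attacker originate connections from their addresses. Where agent forwarding is used from the gateway (as the original footnote suggests), a compromised gateway can use any forwarded key, so forwarding should be limited to the gateway-to-server hop; if that residual risk is unacceptable, `AuthenticationMethods publickey,keyboard-interactive` in the Match block requires both factors even from the gateways.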
