kerberos + securid (hpcmp)

David Bishop tech at gnuconsulting.com
Fri May 25 13:10:33 EDT 2007


Good morning!

I work at a largish retail company, which is being affected by the
PCI-DSS.  One of the changes we are making is implementing one-time
passwords to access any of our production machines (using RSA SecurIDs).
We have that working using the standard PAM module, but are already
annoyed at having to enter a PIN every time we get on any machine
(something that we do tens of times per day).

Our first thought was to have a couple of "gateway" machines, that you
have to use a securid to log into, then allow sshkeys[1] from there to the
other machines - while still allowing "direct" access to the machines
using RSA.  However, there is no way to change the order of
authentication in sshd, server-side (to do the PAM-checks of IP,
then determine whether to use RSA or sshkeys), and client-side isn't
good enough (for obvious reasons).

That is a long-winded way of saying that we are seriously considering
using kerberos.  However, we would still need to use RSA SecurID for the
initial authentication, to get the TGT.  The only thing I can find after
googling for a while is that I (apparently) need to use the HPCMP flavor
of kerberos to have that functionality, but *nowhere* can I find a link
to the source code, in order to build our own kdc, or the various
Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
the only binary clients I could readily find).

My question is: am I the worst googler ever?  Is, perchance, securid
support built into the latest krb5 release, and I just can't find
documentation on it?  Am I just SOL?  Is there a different way to
accomplish what we desire (that isn't kludgy, like running multiple sshd
instances)?

Many, many thanks for those of you who read this far.  Have a great day!

David

[1] using ssh-agent, of course
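The gateway design sketched in the post (SecurID on the gateway, ssh keys from the gateway onward, SecurID for direct logins) can be expressed in a single sshd_config on OpenSSH releases newer than this 2007 thread: Match blocks arrived in OpenSSH 5.1 and AuthenticationMethods in 6.2. The fragment below is an added example, not configuration from the original post or from any project the post mentions; the gateway addresses 10.0.1.10 and 10.0.1.11 are hypothetical.

```text
# Added example (not from the original post): sshd_config for OpenSSH 6.2+.
# Match blocks need OpenSSH 5.1 or later, AuthenticationMethods 6.2 or later.
# 10.0.1.10 and 10.0.1.11 are hypothetical gateway hosts.

# Default for every source address: SecurID one-time password via PAM only.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
PubkeyAuthentication no
AuthenticationMethods keyboard-interactive:pam

# Connections arriving from the gateway hosts may authenticate with a key
# (forwarded by ssh-agent); the gateway itself still required SecurID.
Match Address 10.0.1.10,10.0.1.11
    PubkeyAuthentication yes
    AuthenticationMethods publickey
```

Two caveats a practitioner would want: the Match Address rule trusts the network path between gateway and target, so the gateways become the hosts to harden and monitor most closely, and with UsePAM yes the PAM account and session stacks still run for the publickey path even though the SecurID auth module does not, which is usually what an auditor expects to see. Run `sshd -t` after editing to have the daemon parse the file before reloading it.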
