kerberos + securid (hpcmp)

Tim Alsop Tim.Alsop at CyberSafe.Com
Fri May 25 15:19:56 EDT 2007


I can tell you that the CyberSafe commercially available Kerberos
products support using SecurID to get the initial TGT. This is not an
open source solution so you would have to pay for our products to use
this functionality.

I also need to advise you that to support the pre-authentication for
SecurID, both the KDC and the clients need SecurID support, i.e. it is
not something you can just add to the KDC only.

If you are interested to find out more about our products please let me

Take care,
Tim Alsop
CyberSafe Limited 

-----Original Message-----
From: kerberos-bounces at [mailto:kerberos-bounces at] On
Behalf Of David Bishop
Sent: 25 May 2007 18:11
To: kerberos at
Subject: kerberos + securid (hpcmp)

Good morning!

I work at a largish retail company, which is being affected by the
PCI-DSS.  One of the changes we are making is implementing one-time
passwords to access any of our production machines (using RSA SecurIDs).
We have that working using the standard PAM module, but are already
annoyed at having to enter a PIN every time we get on any machine
(something that we do tens of times per day).

Our first thought was to have a couple of "gateway" machines, that you
have to use a securid to log into, then allow sshkeys[1] from there to
other machines - while still allowing "direct" access to the machines
using RSA.  However, there is no way to change the order of
authentication in sshd, server-side (to do the PAM-checks of IP,
then determine whether to use RSA or sshkeys), and client-side isn't
good enough (for obvious reasons).

That is a long-winded way of saying that we are seriously considering
using kerberos.  However, we would still need to use RSA SecurID for the
initial authentication, to get the TGT.  The only thing I can find after
googling for a while is that I (apparently) need to use the HPCMP flavor
of kerberos to have that functionality, but *nowhere* can I find a link
to the source code, in order to build our own kdc, or the various
Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
the only binary clients I could readily find).

My question is: am I the worst googler ever?  Is, perchance, securid
support built into the latest krb5 release, and I just can't find
documentation on it?  Am I just SOL?  Is there a different way to
accomplish what we desire (that isn't kludgy, like running multiple sshd

Many, many thanks for those of you who read this far.  Have a great day!


[1] using ssh-agent, of course