kerberos + securid (hpcmp)

David Bishop david at gnuconsulting.com
Fri May 25 16:43:28 EDT 2007


As a follow-up to this, I just found a posting from krbdev in January
regarding this (I think).  Was there no follow-through by the CRYPTOCard
people? And am I right in translating CRYPTOCard as 'SecurID
compatible'?

http://osdir.com/ml/encryption.kerberos.devel/2007-01/msg00079.html

David Bishop

On Fri, May 25, 2007 at 11:10:33AM -0600, David Bishop wrote:
> Good morning!
> 
> I work at a largish retail company, which is being affected by the
> PCI-DSS.  One of the changes we are making is implementing one-time
> passwords to access any of our production machines (using RSA SecurIDs).
> We have that working using the standard PAM module, but are already
> annoyed at having to enter a PIN every time we get on any machine
> (something that we do tens of times per day).
> 
> Our first thought was to have a couple of "gateway" machines, that you
> have to use a SecurID to log into, then allow ssh keys[1] from there to the
> other machines - while still allowing "direct" access to the machines
> using RSA.  However, there is no way to change the order of
> authentication in sshd, server-side (to do the PAM-checks of IP,
> then determine whether to use RSA or sshkeys), and client-side isn't
> good enough (for obvious reasons).
> 
> That is a long-winded way of saying that we are seriously considering
> using kerberos.  However, we would still need to use RSA SecurID for the
> initial authentication, to get the TGT.  The only thing I can find after
> googling for a while is that I (apparently) need to use the HPCMP flavor
> of kerberos to have that functionality, but *nowhere* can I find a link
> to the source code, in order to build our own kdc, or the various
> Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
> the only binary clients I could readily find).
> 
> My question is: am I the worst googler ever?  Is, perchance, securid
> support built into the latest krb5 release, and I just can't find
> documentation on it?  Am I just SOL?  Is there a different way to
> accomplish what we desire (that isn't kludgy, like running multiple sshd
> instances)?
> 
> Many, many thanks for those of you who read this far.  Have a great day!
> 
> David
> 
> [1] using ssh-agent, of course
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

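One server-side way to get the gateway behaviour the quoted message asks for, as an added example that is not from either of the original posts: OpenSSH's Match Address block (available since OpenSSH 4.4; the AuthenticationMethods keyword needs OpenSSH 6.2 or later) applies per-source-address overrides, so sshd can offer only the PAM keyboard-interactive prompt (where pam_securid, or whatever PAM module drives the token, runs) by default, and only public-key authentication to connections arriving from the gateway hosts. The addresses 10.0.0.10 and 10.0.0.11 are placeholders for the gateways.

```text
# sshd_config fragment (added example; the gateway addresses are placeholders)

UsePAM yes                                  # the SecurID PAM stack runs inside the PAM conversation
KbdInteractiveAuthentication yes            # that conversation reaches the client as keyboard-interactive
PasswordAuthentication no                   # never fall back to a static password
PubkeyAuthentication no                     # default for every source address: no key-based login
AuthenticationMethods keyboard-interactive  # default: the OTP prompt is the only way in

# Match blocks override the global settings above only for connections that
# match. Sessions coming from the gateway hosts may use an ssh key INSTEAD of
# the OTP prompt; a gateway connection with no acceptable key is refused,
# because publickey is the only method offered to it.
Match Address 10.0.0.10,10.0.0.11
    PubkeyAuthentication yes
    AuthenticationMethods publickey
```

To check what a given client would actually be offered, dump the effective configuration for that source address, e.g. `sshd -T -C user=alice,host=gw1,addr=10.0.0.10 | grep -iE 'authenticationmethods|pubkeyauthentication'`, and compare it with the output for a non-gateway address. Two caveats a practitioner should weigh: the Match Address test is only as strong as the assurance that nothing else can originate TCP connections from those addresses (NAT, shared jump hosts and routing changes all widen the match), and it moves the trust anchor from the token to the gateway hosts and the agents running on them, so agent forwarding and gateway hardening deserve the same scrutiny as the OTP step they replace.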