kerberos + securid (hpcmp)
tech at gnuconsulting.com
Tue May 29 12:49:32 EDT 2007
As a follow-up to this, I just found a posting on krbdev in January
regarding this (I think). Was there no follow through by the Cryptocard
people? And am I right in translating cryptocard as 'securid
Also, I've been looking into SASL. It has a securid mechanism and is
open source, but everything I've read shows sasl using krb5 as the
backend, whereas I would be looking to do the opposite. Am I chasing
down a blind alley here?
On Fri, May 25, 2007 at 11:10:33AM -0600, David Bishop wrote:
> Good morning!
> I work at a largish retail company, who is being affected by the
> PCI-DSS. One of the changes we are making is implementing one-time
> passwords to access any of our production machines (use RSA SecurIDs).
> We have that working using the standard PAM module, but are already
> annoyed at having to enter a PIN everytime we get on any machine
> (something that we do tens of times per day).
> Our first thought was to have a couple of "gateway" machines, that you
> have to use a securid to log into, then allow sshkeys from there to the
> other machines - while still allowing "direct" access to the machines
> using RSA. However, there is no way to change the order of
> authentication in sshd, server-side (to do the PAM-checks of IP,
> then determine whether to use RSA or sshkeys), and client-side isn't
> good enough (for obvious reasons).
> That is a long-winded way of saying that we are seriously considering
> using kerberos. However, we would still need to use RSA SecurID for the
> initial authentication, to get the TGT. The only thing I can find after
> googling for a while is that I (apparently) need to use the HPCMP flavor
> of kerberos to have that functionality, but *nowhere* can I find a link
> to the source code, in order to build our own kdc, or the various
> Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
> the only binary clients I could readily find).
> My question is: am I the worst googler ever? Is, perchance, securid
> support built into the latest krb5 release, and I just can't find
> documentation on it? Am I just SOL? Is there a different way to
> accomplish what we desire (that isn't kludgy, like running multiple sshd
> Many, many thanks for those of you who read this far. Have a great day!
>  using ssh-agent, of course
> Kerberos mailing list Kerberos at mit.edu
More information about the Kerberos