kerberos + securid (hpcmp)

David Bishop tech at
Tue May 29 12:49:32 EDT 2007

As a follow-up to this, I just found a posting on krbdev in January
regarding this (I think).  Was there no follow through by the Cryptocard
people? And am I right in translating cryptocard as 'securid'?

Also, I've been looking into SASL.  It has a securid mechanism and is
open source, but everything I've read shows sasl using krb5 as the
backend, whereas I would be looking to do the opposite.  Am I chasing
down a blind alley here?

David Bishop

On Fri, May 25, 2007 at 11:10:33AM -0600, David Bishop wrote:
> Good morning!
> I work at a largish retail company, who is being affected by the
> PCI-DSS.  One of the changes we are making is implementing one-time
> passwords to access any of our production machines (use RSA SecurIDs).
> We have that working using the standard PAM module, but are already
> annoyed at having to enter a PIN every time we get on any machine
> (something that we do tens of times per day).
> Our first thought was to have a couple of "gateway" machines, that you
> have to use a securid to log into, then allow sshkeys[1] from there to the
> other machines - while still allowing "direct" access to the machines
> using RSA.  However, there is no way to change the order of
> authentication in sshd, server-side (to do the PAM-checks of IP,
> then determine whether to use RSA or sshkeys), and client-side isn't
> good enough (for obvious reasons).
> That is a long-winded way of saying that we are seriously considering
> using kerberos.  However, we would still need to use RSA SecurID for the
> initial authentication, to get the TGT.  The only thing I can find after
> googling for a while is that I (apparently) need to use the HPCMP flavor
> of kerberos to have that functionality, but *nowhere* can I find a link
> to the source code, in order to build our own kdc, or the various
> Solaris and Linux clients (as we aren't using Solaris8 or debian/SuSE -
> the only binary clients I could readily find).
> My question is: am I the worst googler ever?  Is, perchance, securid
> support built into the latest krb5 release, and I just can't find
> documentation on it?  Am I just SOL?  Is there a different way to
> accomplish what we desire (that isn't kludgy, like running multiple sshd
> instances)?
> Many, many thanks for those of you who read this far.  Have a great day!
> David
> [1] using ssh-agent, of course
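Later OpenSSH releases (6.2 and newer, which added the AuthenticationMethods keyword usable inside Match blocks) do provide the server-side choice by source address that the quoted message says was unavailable at the time. The sshd_config fragment below is an added example illustrating the "gateway" design described in that message; it is not from the thread, and the two gateway addresses are constructed placeholders.

```sshd_config
# Added example (not from the thread): sshd_config for the "gateway" design.
# Everywhere, require the SecurID one-time password through PAM
# (keyboard-interactive); from the gateway hosts only, accept an ssh key
# held in ssh-agent instead. 10.0.0.10 and 10.0.0.11 are placeholder
# gateway addresses; replace them with the real ones.

UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
# Enables PAM keyboard-interactive (the RSA SecurID PAM module); the
# keyword is spelled KbdInteractiveAuthentication in OpenSSH 8.7 and later.
ChallengeResponseAuthentication yes

# Default for every client: PAM keyboard-interactive only, so a direct
# login to a production host always needs PIN + tokencode.
AuthenticationMethods keyboard-interactive

# Sessions originating from the gateway hosts may authenticate with a
# public key instead of re-entering the one-time password.
Match Address 10.0.0.10,10.0.0.11
    AuthenticationMethods publickey
```

To confirm which rule a given client would hit, ask sshd to print the effective configuration for a simulated connection, for example `sshd -T -C user=alice,host=gw1,addr=10.0.0.10 | grep authenticationmethods`, and repeat with a non-gateway address. The trust in this design rests on the source address and on the gateways themselves: whoever controls a gateway (or an agent socket forwarded into it) inherits key-based access to every host that matches the block, so the gateways should be the most tightly monitored machines in the estate.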
