Hurdo 0.3 credential forwarding release.

Dr. Greg Wettstein greg at
Sun Feb 1 10:17:51 EST 2015

Good morning, I hope the weekend is going well for everyone.

Our team was diving into another major development cycle when Izzy,
our Golden Retriever, pawed at the lake laptop to remind me that we
hadn't finished our 'Holiday project'.  So Izzy and I headed out to
the lake for a long weekend of skiing, coding and the consumption of
single malt.

With the weekend drawing to a close, on behalf of Enjellic Systems
Development, Izzy would like to announce the availability of a major
upgrade to the Hurdo package.  The update is available at the
following URL:

Hurdo implements OpenSSH/PAM support for Kerberos service credential
forwarding.  It provides infrastructure for using remote sudo based
privilege escalation without the risk for horizontal privilege
escalation, in the event an administrator should log into a
compromised host.  While focused on the needs of sudo it will provide
authentication for any PAM capable application on a remote host.

This release is a feature release with the following important

        * PKINIT support.

        * Credential forwarding with remote login tracking.

        * Support for multi-homed hosts.

        * Keyshell credential manager.

        * Optional MIT Kerberos patch to add PKCS11 KEYRING: support.

Support for PKINIT allows organizations to project two-factor
authentication into remote hosts without physical access to those
systems.  In combination with credential forwarding, this provides a
comprehensive security solution for the common systems administration
model of logging into a bastion host to gain access to hosts on an
internal network.

The PKINIT support has been tested using Yubikey-NEO hardware devices
with the open-sc library.

The keyshell credential manager provides support for a 'hard-token'
security model using soft tokens in the absence of hardware devices.
It extensively leverages Linux keyring support to safely allow lower
entropy pincodes to be used to authenticate repetitive sudo

Hurdo is designed, developed and maintained by system administrators
who do system management of remote hosts with SSH and sudo all day,
every day.  Izzy hopes our experiences and technology are beneficial
to others in similar roles.

Izzy would like to extend a 'bark-out' to David Howells for all of his
work on the Linux keyring support.  The new features are heavily
dependent on leveraging this infrastructure for some rather novel IPC

Best wishes for a productive week from the glacial moraine country of
West-Central Minnesota.

Dr. Greg and Izzy

PS: For those sites who find that Hurdo saves them from devastating
    security breaches, Izzy enjoys the large MilkBone(tm) dog
    biscuits... :-)

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at
"If you ever teach a yodeling class, probably the hardest thing is to
 keep the students from just trying to yodel right off. You see, we build
 to that."
                                -- Jack Handey
                                   Deep Thoughts

More information about the krbdev mailing list