Hurdo 0.3 credential forwarding release.
Dr. Greg Wettstein
greg at wind.enjellic.com
Sun Feb 1 10:17:51 EST 2015
Good morning, I hope the weekend is going well for everyone.
Our team was diving into another major development cycle when Izzy,
our Golden Retriever, pawed at the lake laptop to remind me that we
hadn't finished our 'Holiday project'. So Izzy and I headed out to
the lake for a long weekend of skiing, coding and the consumption of
With the weekend drawing to a close, on behalf of Enjellic Systems
Development, Izzy would like to announce the availability of a major
upgrade to the Hurdo package. The update is available at the
Hurdo implements OpenSSH/PAM support for Kerberos service credential
forwarding. It provides infrastructure for using remote sudo based
privilege escalation without the risk of horizontal privilege
escalation, in the event an administrator should log into a
compromised host. While focused on the needs of sudo it will provide
authentication for any PAM capable application on a remote host.
This release is a feature release with the following important
* PKINIT support.
* Credential forwarding with remote login tracking.
* Support for multi-homed hosts.
* Keyshell credential manager.
* Optional MIT Kerberos patch to add PKCS11 KEYRING: support.
Support for PKINIT allows organizations to project two-factor
authentication into remote hosts without physical access to those
systems. In combination with credential forwarding, this provides a
comprehensive security solution for the common systems administration
model of logging into a bastion host to gain access to hosts on an
The PKINIT support has been tested using Yubikey-NEO hardware devices
with the OpenSC library.
The keyshell credential manager provides support for a 'hard-token'
security model using soft tokens in the absence of hardware devices.
It extensively leverages Linux keyring support to safely allow lower
entropy PIN codes to be used to authenticate repetitive sudo
Hurdo is designed, developed and maintained by system administrators
who do system management of remote hosts with SSH and sudo all day,
every day. Izzy hopes our experiences and technology are beneficial
to others in similar roles.
Izzy would like to extend a 'bark-out' to David Howells for all of his
work on the Linux keyring support. The new features are heavily
dependent on leveraging this infrastructure for some rather novel IPC
Best wishes for a productive week from the glacial moraine country of
Dr. Greg and Izzy
PS: For those sites who find that Hurdo saves them from devastating
security breaches, Izzy enjoys the large MilkBone(tm) dog
Dr. G.W. Wettstein, Ph.D.
4206 N. 19th Ave.
Fargo, ND 58102
FAX: 701-281-3949  EMAIL: greg at enjellic.com

Enjellic Systems Development, LLC.
Specializing in information infrastructure development.
"If you ever teach a yodeling class, probably the hardest thing is to
keep the students from just trying to yodel right off. You see, we build
-- Jack Handey