Feasibility of RSA SecurID for a SOHO?

Printable View

10-04-2007, 02:19 AM
unix

Feasibility of RSA SecurID for a SOHO?

I'd like to implement RSA SecurID tags along with my OpenSSH
passphrase-protected public key logins. How feasible is this? The
software to do it appears to be a free download as a PAM module. Where
does one obtain the SecurID authenticator tokens from?
10-04-2007, 02:19 AM
unix

Not really an option

OpenBSD is not supported b
RSA SecurID
so you cannot use the official modules from their free download we
site

To do a SecurID deployment you need a server (usually runs on Solari
or MS-Windows), plus tokens. None of this comes cheap, and whil
they have turnkey appliances, they're really tuned for the site wit
at least a dozen token accounts. Once you have that, you can use th
included RADIUS authentication service and the RADIUS module i
OpenBSD

But not to fear, OpenBSD includes a free one-time-password syste
called S/Key, already integrated into the OS. man skeyinit
10-04-2007, 02:20 AM
unix

Re: Not really an option

Nonesuch <kkadow@gmail-dot-com.no-spam.invalid> wrote:[color=blue]
> OpenBSD is not supported by
> RSA SecurID,
> so you cannot use the official modules from their free download web
> site.
>
> To do a SecurID deployment you need a server (usually runs on Solaris
> or MS-Windows), plus tokens. None of this comes cheap, and while
> they have turnkey appliances, they're really tuned for the site with
> at least a dozen token accounts. Once you have that, you can use the
> included RADIUS authentication service and the RADIUS module in
> OpenBSD.
>
> But not to fear, OpenBSD includes a free one-time-password system
> called S/Key, already integrated into the OS. man skeyinit.[/color]

On the other hand, this system has some flaws which RSA's product does
not have, or to a lesser extent; in particular, intercepting the traffic
and returning a 'login failed' message is not quite as effective as with
S/Key.

(The above is not that much of a problem when using sshd, as the server
will be verified; but it is a problem when using it with a less secure
protocol, such as FTP.)

That said, RSA wants a good chunk of cash for its services. There are
some alternatives in base; look at, for instance, S/Key, but also the
other options: `man -k login_'.

Joachim