Feasibility of RSA SecurID for a SOHO? - BSD


  1. Feasibility of RSA SecurID for a SOHO?

    I'd like to implement RSA SecurID tags along with my OpenSSH
    passphrase-protected public key logins. How feasible is this? The
    software to do it appears to be a free download as a PAM module. Where
    does one obtain the SecurID authenticator tokens from?


  2. Not really an option

    OpenBSD is not supported by
    RSA SecurID,
    so you cannot use the official modules from their free download web
    site.

    To do a SecurID deployment you need a server (usually runs on Solaris
    or MS-Windows), plus tokens. None of this comes cheap, and while
    they have turnkey appliances, they're really tuned for the site with
    at least a dozen token accounts. Once you have that, you can use the
    included RADIUS authentication service and the RADIUS module in
    OpenBSD.

    But not to fear, OpenBSD includes a free one-time-password system
    called S/Key, already integrated into the OS. man skeyinit.


  3. Re: Not really an option

    Nonesuch wrote:
    > OpenBSD is not supported by
    > RSA SecurID,
    > so you cannot use the official modules from their free download web
    > site.
    >
    > To do a SecurID deployment you need a server (usually runs on Solaris
    > or MS-Windows), plus tokens. None of this comes cheap, and while
    > they have turnkey appliances, they're really tuned for the site with
    > at least a dozen token accounts. Once you have that, you can use the
    > included RADIUS authentication service and the RADIUS module in
    > OpenBSD.
    >
    > But not to fear, OpenBSD includes a free one-time-password system
    > called S/Key, already integrated into the OS. man skeyinit.


    On the other hand, this system has some flaws which RSA's product does
    not have, or to a lesser extent; in particular, intercepting the traffic
    and returning a 'login failed' message is not quite as effective as with
    S/Key.

    (The above is not that much of a problem when using sshd, as the server
    will be verified; but it is a problem when using it with a less secure
    protocol, such as FTP.)

    That said, RSA wants a good chunk of cash for its services. There are
    some alternatives in base; look at, for instance, S/Key, but also the
    other options: `man -k login_'.

    Joachim
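
The point raised in the last reply, as an added example that is not part of the thread: a simplified model of the hash-chain scheme behind S/Key, showing that the server retires a one-time password only when it actually receives it, which is why it matters that sshd verifies the server. SHA-256, the `Server` class, the function names and the sample secret and seed are assumptions for illustration; real S/Key uses a different hash and encodes responses as words.

```python
import hashlib

def h(x: bytes) -> bytes:
    # Stand-in one-way function (assumption); real S/Key uses another hash.
    return hashlib.sha256(x).digest()

def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Value for sequence number n: h applied n times to seed+secret."""
    v = seed + secret
    for _ in range(n):
        v = h(v)
    return v

class Server:
    """Hypothetical verifier: keeps only the last accepted value."""
    def __init__(self, secret: bytes, seed: bytes, count: int):
        self.seed, self.seq = seed, count
        self.last = chain(secret, seed, count)

    def challenge(self):
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.seq <= 1 or h(otp) != self.last:
            return False
        self.last, self.seq = otp, self.seq - 1  # advances only on success
        return True

def demo() -> dict:
    secret, seed = b"constructed passphrase", b"ob12345"  # constructed values
    srv = Server(secret, seed, 100)
    out = {}
    n, s = srv.challenge()
    otp = chain(secret, s, n)
    out["first_use"] = srv.verify(otp)   # delivered to the real server
    out["replay"] = srv.verify(otp)      # same value again: already retired
    # A response typed into something that was not the server: the user
    # sees "login failed", but the server never saw the value.
    n2, s2 = srv.challenge()
    otp2 = chain(secret, s2, n2)
    out["challenge_unchanged"] = srv.challenge() == (n2, s2)
    out["undelivered_still_valid"] = srv.verify(otp2)
    return out

if __name__ == "__main__":
    print(demo())
```

A response that reached the server cannot be replayed, but one that never reached it stays valid until the server consumes that sequence number.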
