Re: [SAGE] Security tokens
> Given those goals, you might simply require ssh with a key,
> no passwords allowed at all.
>
> Or Kerberos. Or both :)
I also need to permit inward access to a VPN box (Cisco 3000, currently
using NT domain auth), a mail server (can do Kerberos, actually), and a web
server (currently using Basic-Auth to LDAP).
Plus, key-only is dashed inconvenient when you're coming from a novel
place. We don't let most people get a full shell on that host, so we'd
have to be manipulating their authorized_keys files for them, or write
software, or relax that restriction. *sigh* Plus, the SSH users are the
least of my worries.
> I picked up one of those USB storage units ($4 after rebate,
> purely for toy factor) and am looking at keeping keys and what
> not on THAT so it's portable with me. Cons include that it would
> need to be mounted on whatever machine I'm at.
Same with the crypto iButton. Cute, but fingers and eyes are all that's
needed to operate the typical token, and those are already present, and not
my problem to support.
> The device, an SNK-4 now owned by Raptor, last I looked, still
> works after 7 years, cost me $35 each for 3. I know there are
> software versions available and other calculators.
I used to use these, as well. Does anyone have a link to _modern_ software
for a server? Who does the client integration if there's no revenue for
it? (Or are standards like GSSAPI(??)/RADIUS/LDAP/whatever now so advanced
that clients don't need special hooks any more?) This is how SecurID used
to make their sales: box X only worked with their stuff.
> The final part is a strong policy about sharing secret information
> like passwords. Tell someone your password, your belonging can
> be picked up at the loading dock at 4.
If I could achieve that, I would do it first. It's actually easier than
what I'm proposing. But politically, I can't.
> It was so secure, they couldn't change the root password for this
> machine for 2 days because they were all the same on all the
> machines. It was so secure that you needed privs to print from
> certain machines, so they all told each other their passwords to
> do these basic functions. And they never saw that their security
> was close to nil for all their measures.
Some outfits I visit won't let you _out_ across their firewall without
authenticating. (I'm sure this is good practice, if you can afford a team
of 5 staff full-time to wrangle your firewall.) One wouldn't -- couldn't
-- permit it unless I was running Windows. (That's just stupid.)
I don't have a lot of time to waste on all this. I run a pretty
laissez-faire firewall, in the name of being able to sleep at night and get
some other work done. But the password-sharing culture is a bitch. (Fix
the president of the company, and all else becomes possible.) Tokens may
help. I need to explore them fully.
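
One way to take the "write software" route mentioned above for key-only SSH on a host where most users get no shell: let sshd fetch keys from a central store via AuthorizedKeysCommand instead of per-user ~/.ssh/authorized_keys, and prepend restrictions for no-shell accounts. This is an added example, not code from the thread; the script path, the forced-command path, the sample users and their key blobs (placeholders whose only real part is the OpenSSH type prefix) are all made up for illustration.

```python
"""
Hypothetical AuthorizedKeysCommand helper (added example, not from the thread).

sshd_config lines that make sshd ask this script for a user's keys instead of
reading ~/.ssh/authorized_keys, with passwords disabled outright:

    PasswordAuthentication no
    ChallengeResponseAuthentication no
    AuthorizedKeysFile none
    AuthorizedKeysCommand /usr/local/sbin/central_keys %u
    AuthorizedKeysCommandUser nobody

The key store below is a constructed in-memory dict; a real deployment would
read a root-owned file or an LDAP attribute such as sshPublicKey.
"""
import base64
import re
import struct
import sys

# Constructed sample data: who may log in, with which key, and whether they
# get a full shell or only a forced command (a menu, sftp, etc.).
KEY_STORE = {
    "alice": {"shell": True,
              "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyAlice alice@laptop"]},
    "bob":   {"shell": False,
              "keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyBobXY bob@home"]},
}

# Options prepended to keys of users who are not allowed an interactive shell:
# 'restrict' disables forwarding, pty, agent etc.; 'command=' forces a program.
# The menu path is an assumption for the example.
NO_SHELL_OPTIONS = 'restrict,command="/usr/local/bin/menu"'

ALLOWED_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"}
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def valid_pubkey(line):
    """Syntactic check of one OpenSSH public-key line: '<type> <base64> [comment]'.

    The base64 blob must decode and begin with a length-prefixed copy of the
    declared key type, which is how OpenSSH encodes public keys on the wire.
    """
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode()


def authorized_keys_for(user, store=KEY_STORE):
    """Return the authorized_keys lines sshd should accept for `user`.

    Malformed usernames, unknown users and unparsable keys yield an empty
    list, so sshd simply has nothing to match and the login fails.
    """
    if not USER_RE.match(user):
        return []
    entry = store.get(user)
    if entry is None:
        return []
    lines = []
    for key in entry["keys"]:
        if not valid_pubkey(key):
            continue
        lines.append(key if entry["shell"] else NO_SHELL_OPTIONS + " " + key)
    return lines


if __name__ == "__main__":
    # sshd runs: central_keys <username>  and reads the key lines from stdout.
    for line in authorized_keys_for(sys.argv[1] if len(sys.argv) > 1 else ""):
        print(line)
```

Because sshd re-runs the command at every login, revoking a key or demoting a user to menu-only is a change to the central store, with nothing to edit on the user's side; the user-name regex and the fail-closed behaviour on unknown users are there because the script runs with the privilege of AuthorizedKeysCommandUser on input supplied by whoever is knocking.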