Date: Mon, 30 Mar 2009 12:57:23 -0500 From: Dennis Gilmore dennis@ausil.us Reply-To: Fedora Infrastructure fedora-infrastructure-list@redhat.com To: Fedora Infrastructure fedora-infrastructure-list@redhat.com Subject: More auth options

So doing a liitle looking around I cane across some options that look interesting, the following options would mean you need to physically have something to login.

yubikey http://www.yubico.com/products/yubikey/ It would require a pam module and for us to setup a server for managing keys. it looks to be fairly low cost. it would implement a 2 facter authentication.

etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx

it moves the public key from your hard drive to something you physically need to have

ubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of there product. all of the software for yubikey AFAICT is open source. some of it would require packaging.

Just FYI, Aladdin refused, REFUSED to sell me 4 keys when I attempted to purchase them through CDW because I did have or want to have an Aladdin PKI Console software license. Nevermind that I didn't actually need their Console software or that Red Hat has a PKI management product.

In my opinion, avoid Aladdin even if you can manage to get keys through a tertiary party.

On Mon, Mar 30, 2009 at 11:57 AM, Dennis Gilmore dennis@ausil.us wrote:

So doing a liitle looking around I cane across some options that look interesting,  the following options would mean you need to physically have something to login.

yubikey http://www.yubico.com/products/yubikey/ It would require a pam module and for us to setup a server for managing keys. it looks to be fairly low cost.   it would implement a 2 facter authentication.

etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx

These do look interesting and maybe better than the S/Key 64 bit key. I remember some bad stories about one of the 'Aladdin' companies (there are quite a few who use that name for security products).. but not sure which.

The bigger question is who can we get some 'professional' opinions from? My crypto math is not good so I could not give an opinion of whether one usage of AES-128 versus another usage was equivalent, better, or worse. I would hate for us to end up with any solution that would end up on Shneier's Snake Oil pages. [I remember one token device that some people I know evaluated a while back that while it stored the key encrypted in AES-128 etc.. it had a register where it stored the unencrypted user token and could be looked at under any OS other than Windows.]

Dennis Gilmore wrote:

ubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of there product. all of the software for yubikey AFAICT is open source. some of it would require packaging.

A friend of mine bought a Yubikey recently and I helped him package up libyubikey-client and pam_yubico. In case anyone wants to look into this and doesn't want to have to start completely from stratch, these spec files might help: http://tmz.fedorapeople.org/specs/

On Mon, Mar 30, 2009 at 12:57:23PM -0500, Dennis Gilmore wrote:

So doing a liitle looking around I cane across some options that look interesting, the following options would mean you need to physically have something to login.

yubikey http://www.yubico.com/products/yubikey/ It would require a pam module and for us to setup a server for managing keys. it looks to be fairly low cost. it would implement a 2 facter authentication.

I've been a big fan of yubikey for a while now. The technology is secure, the hardware is solid, and the source is open.

Aside from their online docs, this podcast was quite informative was well: http://twit.tv/sn143

luke