So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx
it moves the public key from your hard drive to something you physically need to have
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
Dennis
Date: Mon, 30 Mar 2009 12:57:23 -0500
From: Dennis Gilmore dennis@ausil.us
Reply-To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
Subject: More auth options
So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx
it moves the public key from your hard drive to something you physically need to have
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
Just FYI, Aladdin refused, REFUSED to sell me 4 keys when I attempted to purchase them through CDW because I did have or want to have an Aladdin PKI Console software license. Never mind that I didn't actually need their Console software or that Red Hat has a PKI management product.
In my opinion, avoid Aladdin even if you can manage to get keys through a tertiary party.
On Mon, Mar 30, 2009 at 2:12 PM, Matthew Galgoci mgalgoci@redhat.com wrote:
Date: Mon, 30 Mar 2009 12:57:23 -0500
From: Dennis Gilmore dennis@ausil.us
Reply-To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
Subject: More auth options
So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx
it moves the public key from your hard drive to something you physically need to have
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
Just FYI, Aladdin refused, REFUSED to sell me 4 keys when I attempted to purchase them through CDW because I did have or want to have an Aladdin PKI Console software license. Never mind that I didn't actually need their Console software or that Red Hat has a PKI management product.
In my opinion, avoid Aladdin even if you can manage to get keys through a tertiary party.
+1 - Aladdin makes a lot of DRM (for software, not media (that I know of)) stuff too; all the more reason to avoid them.
If Yubikey is supplying an open source stack to go with their hardware, that sounds like a more logical fit for the Fedora Project, and a more symbiotic relationship.
On Mon, Mar 30, 2009 at 11:57 AM, Dennis Gilmore dennis@ausil.us wrote:
So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
These do look interesting and maybe better than the S/Key 64-bit key. I remember some bad stories about one of the 'Aladdin' companies (there are quite a few who use that name for security products), but not sure which.
The bigger question is who can we get some 'professional' opinions from? My crypto math is not good so I could not give an opinion of whether one usage of AES-128 versus another usage was equivalent, better, or worse. I would hate for us to end up with any solution that would end up on Schneier's Snake Oil pages. [I remember one token device that some people I know evaluated a while back that, while it stored the key encrypted in AES-128 etc., had a register where it stored the unencrypted user token and could be looked at under any OS other than Windows.]
Date: Mon, 30 Mar 2009 12:57:23 -0500
From: Dennis Gilmore dennis@ausil.us
Reply-To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
To: Fedora Infrastructure fedora-infrastructure-list@redhat.com
Subject: More auth options
So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
etoken http://www.aladdin.com/etoken/devices/pro-usb.aspx
it moves the public key from your hard drive to something you physically need to have
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
Dennis,
I know RSA is a bit expensive, but it might be worth thinking about RSA tokens as well. They have an OTP that changes every 60 seconds, plus you have to add a PIN as well.
Matt
Dennis Gilmore wrote:
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
A friend of mine bought a Yubikey recently and I helped him package up libyubikey-client and pam_yubico. In case anyone wants to look into this and doesn't want to have to start completely from scratch, these spec files might help: http://tmz.fedorapeople.org/specs/
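As an added illustration of the "PAM module plus a key-management server" setup Dennis describes and the pam_yubico package Todd mentions (this is not from the thread or from Todd's spec files), here is how pam_yubico is typically stacked as a second factor in front of the normal password check for sshd on a Fedora-style PAM layout. The client id and the mapping-file entries are placeholders.

```conf
# /etc/pam.d/sshd  (added example; not from the thread or the packaged specs)
# The Yubikey OTP is checked first. "required" means a failed OTP makes the
# whole stack fail, but the remaining modules still run, so the password
# prompt is shown regardless of the OTP result.
# <CLIENT_ID> is a placeholder for the id issued by the validation server.
# The module's url= option can point it at a self-hosted validation server
# instead of Yubico's hosted one (see the pam_yubico docs for the format).
auth       required     pam_yubico.so id=<CLIENT_ID> authfile=/etc/yubikey_mappings
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

# /etc/yubikey_mappings  (constructed sample; keep it root-owned, mode 0600)
# user:public-id, where the public id is the first 12 modhex characters of
# the token's OTP. A user with no entry here fails the pam_yubico step.
dennis:ccccccbbbbbb
todd:cccccceeeeee

# /etc/ssh/sshd_config  (relevant lines only)
# keyboard-interactive must be on so the PAM conversation can prompt for the
# OTP separately; password-only authentication is turned off so that the
# PAM stack above is the only interactive login path.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
```

Check the result with a second session before closing the one you edit from: a user without a mapping entry, or with a replayed OTP, should be rejected by the validation server before the password is ever checked.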
On Mon, 30 Mar 2009, Todd Zullinger wrote:
Dennis Gilmore wrote:
Yubikey is max USD$25 where the etoken is probably at least USD$30. I would think that with Yubikey we could work out a deal with them to get a discount in return for us being a case study/prominent user of their product. All of the software for Yubikey AFAICT is open source. Some of it would require packaging.
A friend of mine bought a Yubikey recently and I helped him package up libyubikey-client and pam_yubico. In case anyone wants to look into this and doesn't want to have to start completely from scratch, these spec files might help: http://tmz.fedorapeople.org/specs/
Interesting, if you wouldn't mind having him join the list or blog about his experiences, I'd be interested in reading it.
-Mike
On Mon, Mar 30, 2009 at 12:57:23PM -0500, Dennis Gilmore wrote:
So doing a little looking around I came across some options that look interesting. The following options would mean you need to physically have something to log in.
Yubikey http://www.yubico.com/products/yubikey/ It would require a PAM module and for us to set up a server for managing keys. It looks to be fairly low cost. It would implement 2-factor authentication.
I've been a big fan of yubikey for a while now. The technology is secure, the hardware is solid, and the source is open.
Aside from their online docs, this podcast was quite informative as well: http://twit.tv/sn143
luke
infrastructure@lists.fedoraproject.org