From owner-freebsd-hackers Tue Mar 10 16:59:38 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA15646 for freebsd-hackers-outgoing; Tue, 10 Mar 1998 16:59:38 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA15638; Tue, 10 Mar 1998 16:59:31 -0800 (PST) (envelope-from robert@cyrus.watson.org)
Received: from trojanhorse.pr.watson.org (trojanhorse.pr.watson.org [192.0.2.10]) by fledge.watson.org (8.8.8/8.6.10) with SMTP id TAA28066; Tue, 10 Mar 1998 19:57:34 -0500 (EST)
Date: Tue, 10 Mar 1998 19:57:25 -0500 (EST)
From: Robert Watson
X-Sender: robert@trojanhorse.pr.watson.org
Reply-To: Robert Watson
To: Mike Smith
cc: Mark Mayo, Andrzej Bialecki, tcobb@staff.circle.net, hackers@FreeBSD.ORG, msmith@FreeBSD.ORG
Subject: Re: PAM?
In-Reply-To: <199803110040.QAA20827@dingo.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, 10 Mar 1998, Mike Smith wrote:

> > Kerberos?
> >
> > I've been using v4 here for ages, and it works swell. Haven't tried
> > v5 (actually don't even know if it's available under FreeBSD).
>
> Yes.

The MIT Krb5 release built cleanly on my 2.2-STABLE machine (to provide
some more specifics as to a yes :).

> > What do "SecurID tokens" give you that Kerberos doesn't?? Since NT is
> > going the way of Kerberos, I'm imagining that in a few years, Kerberos
> > style authentication will be all that really matters... :-)
>
> SecurID uses a physical token (like a credit-card calculator) which
> displays a random number which changes every so often. You use the
> number as a password.
>
> Because the server knows the sequence, it can make allowances for time
> drift in the cards. Guessing the sequence from a set of sample
> passwords is meant to be very difficult.
>
> This is relatively more secure than Kerberos, but still involves a
> "trusted host".

One possibility is to use Kerberos as a possible alternative to PAM
itself -- any authentication system that uses a shared secret (SecurID
might fit into that if the server can predict the secret ahead of time --
I'm not familiar with SecurID) can be patched into the Kerberos server.
Now any code compiled to support Kerberos supports (shared secret
authentication method of choice). Of course, this is not as complex as
SASL which allows a negotiation of authentication, so really only works
for a limited set of authentication cards. It does not do
challenge/response without the equivalent hacking to support PAM, and it
will not handle Public Key authentication where the server cannot predict
the secret ahead of time, for example.

If SecurID just provides a changing time-based value specific to the
user, and the server can reproduce this based on some shared secret
between the server and the card, then it should work fine.

Robert N Watson

Carnegie Mellon University            http://www.cmu.edu/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
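The two conditions the thread turns on (Mike: the server knows the card's sequence and can allow for clock drift; Robert: the server can reproduce the user's changing time-based value from a shared secret) in working code, as an added illustration that is not part of this thread and is not SecurID's actual algorithm. It is a toy HMAC-over-time-step token: the card and the server both derive the displayed code from a shared secret and the current time step, the verifier tolerates one step of skew in either direction, and it remembers the last accepted step so a captured code cannot be replayed inside that window. The `TokenServer` class, the 60-second step, the one-step drift window, and the demo secret are all assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters for this toy token (not SecurID's).
STEP_SECONDS = 60   # how often the displayed value changes
DRIFT_WINDOW = 1    # accept codes from +/- this many steps of clock skew
CODE_DIGITS = 6     # length of the value shown on the card


def current_step(now=None):
    """Index of the current time step; `now` is injectable for testing."""
    t = time.time() if now is None else now
    return int(t // STEP_SECONDS)


def token_code(shared_secret, step_index):
    """Value the card displays for a given time step.

    Both sides compute HMAC-SHA1(secret, step) and keep a few decimal
    digits, so the server can predict the value ahead of time while an
    observer who sees sample codes cannot work back to the secret.
    """
    msg = struct.pack(">Q", step_index)
    digest = hmac.new(shared_secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    word = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{width}d}".format(word % 10 ** CODE_DIGITS, width=CODE_DIGITS)


class TokenServer:
    """Server side: holds each user's shared secret and the last accepted
    step, so a code observed on the wire is not accepted a second time."""

    def __init__(self):
        self.secrets = {}
        self.last_accepted_step = {}

    def enroll(self, user, shared_secret):
        self.secrets[user] = shared_secret
        self.last_accepted_step[user] = -1

    def verify(self, user, code, now=None):
        secret = self.secrets.get(user)
        if secret is None:
            return False
        base = current_step(now)
        # Allow for card clock drift: try the neighbouring steps too.
        for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            step = base + delta
            if step <= self.last_accepted_step[user]:
                continue  # that step (or an earlier one) was already used
            # Constant-time comparison so timing does not leak digits.
            if hmac.compare_digest(token_code(secret, step), code):
                self.last_accepted_step[user] = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: one enrolled user, server clock pinned for repeatability.
    secret = b"constructed-demo-secret"
    now = 1_000_000.0
    server = TokenServer()
    server.enroll("alice", secret)
    card_value = token_code(secret, current_step(now))
    print("card shows", card_value)
    print("first use accepted:", server.verify("alice", card_value, now=now))
    print("replay accepted:   ", server.verify("alice", card_value, now=now))
```

The drift allowance and the replay check pull against each other: widening `DRIFT_WINDOW` makes a slow or fast card usable for longer but also lengthens the period during which an observed code is still valid, which is why the server records the last accepted step rather than only checking the window.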