Date:      Tue, 10 Mar 1998 19:57:25 -0500 (EST)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Mike Smith <mike@smith.net.au>
Cc:        Mark Mayo <mark@vmunix.com>, Andrzej Bialecki <abial@nask.pl>, tcobb@staff.circle.net, hackers@FreeBSD.ORG, msmith@FreeBSD.ORG
Subject:   Re: PAM? 
Message-ID:  <Pine.BSF.3.96.980310195242.17362H-100000@trojanhorse.pr.watson.org>
In-Reply-To: <199803110040.QAA20827@dingo.cdrom.com>

On Tue, 10 Mar 1998, Mike Smith wrote:

> > Kerberos?  
> > 
> > I've been using v4 here for ages, and it works swell. Haven't tried
> > v5 (actually don't even know if it's available under FreeBSD).
> 
> Yes.

The MIT Krb5 release built cleanly on my 2.2-STABLE machine (to provide
some more specifics as to a yes :).

> > What do "SecurID tokens" give you that Kerberos doesn't?? Since NT is
> > going the way of Kerberos, I'm imagining that in a few years, Kerberos
> > style authentication will be all that really matters... :-)
> 
> SecurID uses a physical token (like a credit-card calculator) which 
> displays a random number which changes every so often.  You use the 
> number as a password.
> 
> Because the server knows the sequence, it can make allowances for time 
> drift in the cards.  Guessing the sequence from a set of sample 
> passwords is meant to be very difficult.
> 
> This is relatively more secure than Kerberos, but still involves a 
> "trusted host".

One possibility is to use Kerberos as a possible alternative to PAM itself
-- any authentication system that uses a shared secret (SecurID might fit
into that if the server can predict the secret ahead of time -- I'm not
familiar with SecurID) can be patched into the Kerberos server.  Now any
code compiled to support Kerberos supports (shared secret authentication
method of choice). 

Of course, this is not as complex as SASL which allows a negotiation of
authentication, so really only works for a limited set of authentication
cards.  It does not do challenge/response without the equivalent hacking
to support PAM, and it will not handle Public Key authentication where the
server cannot predict the secret ahead of time, for example.  If SecurID
just provides a changing time-based value specific to the user, and the
server can reproduce this based on some shared secret between the server
and the card, then it should work fine.

  Robert N Watson 

Carnegie Mellon University http://www.cmu.edu/
SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org   http://www.watson.org/~robert/
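The time-synchronised token scheme Mike Smith describes above (card and server share a secret and a clock, server tolerates drift), as an added example that is not part of the original thread: a server-side verifier that recomputes the expected value for the current time step and a small window of neighbouring steps. The construction is a generic HMAC-based one assumed here for illustration, not SecurID's own algorithm, and the secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

# Constructed illustration of a time-synchronised token: the card and the
# server share a secret and a clock; the server recomputes the expected
# value for the current step and a small window around it to allow for
# drift. Generic HMAC-based (TOTP-like) construction, not SecurID's own.

STEP_SECONDS = 60   # how often the displayed value changes
DIGITS = 6          # length of the displayed number
DRIFT_STEPS = 1     # accept +/- this many steps of clock drift


def token_value(secret: bytes, counter: int) -> str:
    """Value the card shows for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def verify_token(secret: bytes, presented: str, now: float,
                 last_counter: int) -> tuple[bool, int]:
    """Server-side check; returns (accepted, counter to store).

    Walks the drift window around the server's current step and compares
    in constant time. A step at or before the last accepted counter is
    refused, so a value seen once cannot be presented again inside the
    window.
    """
    current = int(now // STEP_SECONDS)
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(token_value(secret, counter), presented):
            return True, counter
    return False, last_counter
```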

