>> A. Haxby writes:
>> 1./ We would like to improve our security by using secure-id cards for
>> one-time passwords. Has anyone managed to use secure-id cards with the
>> AFS version of kerberos? Is anyone using secure-id cards at all?
>
>I looked *very* briefly into this. I gave up when I found that
>the secure-id stuff is sort of "proprietary", and it looked like
>it would be difficult to get useful information on it. Here's
>the catch: there needs to be a machine that can (1) predict
>the secure-ID keys, and (2) somehow has access to AFS keys to
>make tickets. In greater detail: it seems that as generally
>implemented, the secure-ID system uses software that runs (at
>least at the UofM) on an IBM mainframe that knows the secure-ID
>algorithm and must also use some sort of table that contains per-card
>seed data.
With all due respect, I don't think you looked at this very hard :-)
We use SecurID extensively here, and we definitely do not have any
IBM mainframes. I am actually rather surprised that the SecurID server
_runs_ on an IBM mainframe, but hey ... wherever the money is, right? :-)
>I was discouraged enough at this point to give up efforts
>to find out more details. If there were a workstation implementation
>of the server side, this might be feasible, which brings us
>to part 2.
We run the SecurID server on our SunOS 4.1.3_U1 machines. You can get
varying percentages of the source code to the SecurID server, from linkable
client libraries you can incorporate into your API, on up. I _think_
you can even get the source code to the server if you're willing to
sign an NDA and spend the money, but I'm not really sure.
>If the only goal is to have it authenticate to AFS, then
>all that's needed is a service ticket for AFS. If you know the key of
>afs.@CELL-NAME, you can easily make (or "forge") service tickets - and
>any machine that is either a fileserver or a database server in fact
>has the key for AFS readily accessible - that's what's stored in
>/usr/afs/etc/KeyFile.
In answer to the original poster's question - we don't use SecurID at all
for access to AFS - we use it for access to root accounts. I think that
once Kerberos V5 beta 6 comes out (and assuming that this release actually
works), I am going to sit down and look at the integration of SecurID
and Kerberos more closely. I've seen on comp.protocols.kerberos that other
groups have done some work on this, so I'm hoping to use what someone
else has done by then.
--Ken