Building a Centralized Authentication Server
Hi all,

I need to develop a secure way for our staff/outside contractors to be able to securely connect (via SSH; rdesktop/VNC in the future) to our internal and customer systems. We do need heterogeneous client system support (BSD, Linux, Solaris, Windows, etc.) with whatever solution is deployed.

The more time I have spent with this, the more I believe that we need some sort of SSO (Single Sign-On) solution (something that supports a hardware key token like RSA would be great). This is complicated by the perceived requirement to install software on our customers' systems to support this kind of integration.

As a stop-gap I have been thinking about creating a dedicated user account on a centralized server, creating SSH keys and pushing the public key out to the remote systems for passwordless logins. Internal users would connect to this system, sudo to the other account and then SSH (with the added feature of being able to execute script and log the session).

The goal behind all of this, of course, is to provide secure connectivity to remote systems in such a way that passwords to the remote systems are not being disseminated to our internal users, so if a user's employment status changes we don't have to run through the crazy password change scramble.

I pose this question to this list because, of all places on the Internet, I know OpenBSD users to be the most paranoid with security and simple/elegant solutions, which is exactly what I need here.

Am I overthinking this problem? What would you recommend?

Thanks in advance,
Max
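The stop-gap described above (one dedicated account on a central jump host, its key pushed to the remotes, internal users sudo to it and the session is recorded) can be written down concretely. The script below is an added example, not code from the thread or from any of the posters; the account name "jump", the group "ops", the paths /usr/local/bin/jump-ssh, /etc/jump-targets and /var/log/jump-sessions, and the sample host and key values are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): the jump-host stop-gap from the post.
# One dedicated account ("jump") on the central server holds the SSH key that
# the remote systems trust; internal users sudo to it through a wrapper that
# records the real user and the whole terminal session.  All names and paths
# here (jump, group ops, /usr/local/bin/jump-ssh, /etc/jump-targets,
# /var/log/jump-sessions) are assumptions for illustration.

ALLOWED_TARGETS=${ALLOWED_TARGETS:-/etc/jump-targets}      # one hostname per line
LOG_DIR=${LOG_DIR:-/var/log/jump-sessions}                 # writable by jump, shipped off-host

# Line to push into ~/.ssh/authorized_keys on each remote system.  The key is
# pinned to the jump host's address and stripped of every forwarding feature,
# so a copied private key is useless from anywhere else.
make_authorized_keys_line() {
    jump_ip=$1
    pubkey=$2
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$jump_ip" "$pubkey"
}

# sudoers fragment for the jump host: members of "ops" may become jump, but
# only to run the wrapper, never an interactive, unlogged shell.  Offboarding a
# user is then a group change on the jump host; the remotes never change.
make_sudoers_fragment() {
    printf '%%ops ALL=(jump) NOPASSWD: /usr/local/bin/jump-ssh\n'
}

# Accept only a plain hostname.  Anything starting with "-" or containing a
# shell metacharacter could otherwise turn into an ssh option
# (-oProxyCommand=...) or a second command once it reaches script -c.
valid_target() {
    case $1 in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Log file name that ties the recording to the real (pre-sudo) user.
jump_session_logfile() {
    printf '%s/%s_%s_%s.log\n' "$LOG_DIR" "$1" "$2" "$3"
}

# The wrapper body: validate, check the allowlist, note who is doing what in
# syslog, then run ssh under script(1) so the transcript survives the session.
jump_ssh() {
    target=$1
    valid_target "$target" || { echo "jump-ssh: bad target name" >&2; return 2; }
    grep -qxF -- "$target" "$ALLOWED_TARGETS" ||
        { echo "jump-ssh: $target is not an allowed target" >&2; return 2; }
    real_user=${SUDO_USER:-$(id -un)}
    stamp=$(date +%Y%m%dT%H%M%S)
    log=$(jump_session_logfile "$real_user" "$target" "$stamp")
    logger -t jump-ssh "user=$real_user target=$target log=$log"
    # BatchMode: no password prompts, key only.  ClearAllForwardings and
    # EscapeChar=none stop the user from opening tunnels or using the "~C"
    # escape to add them mid-session.  OpenBSD and Linux script(1) take -c;
    # FreeBSD's takes the command as trailing arguments instead.
    exec script -c "ssh -o BatchMode=yes -o ClearAllForwardings=yes -o EscapeChar=none -- $target" "$log"
}

# Only act as the wrapper when installed under that name; sourcing the file
# elsewhere just defines the functions.
case ${0##*/} in
    jump-ssh) jump_ssh "$@" ;;
esac
```

Installed root-owned as /usr/local/bin/jump-ssh, a user runs `sudo -u jump jump-ssh customer1.example.net`; the private key never leaves the jump account, and removing a departing user from the ops group cuts their access to every remote at once. Two caveats a practitioner should keep in mind: accountability rests on SUDO_USER and the log directory, so the jump host itself must be tightly controlled and the transcripts shipped elsewhere, and a transcript is after-the-fact evidence, not prevention, once the user has a shell on the remote.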
Re: Building a Centralized Authentication Server
Max Clark wrote:
> Hi all, I need to develop a secure way for our staff/outside contractors to be able to securely connect (via SSH; rdesktop/VNC in the future) to our internal and customer systems. We do need heterogeneous client system support (BSD, Linux, Solaris, Windows, etc.) with whatever solution is deployed.
>
> The more time I have spent with this, the more I believe that we need some sort of SSO (Single Sign-On) solution (something that supports a hardware key token like RSA would be great). This is complicated by the perceived requirement to install software on our customers' systems to support this kind of integration.

Google for, amongst others: RADIUS, Diameter, TACACS+, etc.

A single portal indeed might be a useful method. Do not forget to create a failover system though, as when your main box dies you can't access anything else anymore.

> The goal behind all of this, of course, is to provide secure connectivity to remote systems in such a way that passwords to the remote systems are not being disseminated to our internal users, so if a user's employment status changes we don't have to run through the crazy password change scramble.

And then the evil user simply drops a backdoor binary on one of the machines.

Greets,
Jeroen
Re: Building a Centralized Authentication Server
On 6/3/07, Jeroen Massar wrote:
> And then the evil user simply drops a backdoor binary on one of the machines.

Sure, there is only so much you can do. We have to give some level of trust to the user; this of course has to be balanced by an appropriate level of prudence on our part. I am just looking for a solution for the 95-99% of the users; that last 1-5% has to be dealt with in a different manner (i.e. the FBI, if they are that stupid).

-Max