Re: Smartcard and non-password methods (was Re: Password repository)
If memory serves me right, Randy Bush wrote:
> is there a freebsd pam tacacs+ hack?

Yep. Haven't actually used it though.

PAM_TACPLUS(8)          FreeBSD System Manager's Manual          PAM_TACPLUS(8)

NAME
     pam_tacplus -- TACACS+ authentication PAM module

Bruce.
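Added configuration sketch, not from the thread or from the FreeBSD project: wiring the module Bruce points at into FreeBSD's PAM stack. Server names, the shared secret and the choice of the sshd policy are placeholders; the layout follows pam_tacplus(8) and tacplus.conf(5) as I recall them (the base module handles the auth category only), so check both against the man pages on the box before deploying.

```text
# /etc/tacplus.conf   one server per line: host[:port] [secret [timeout]]
# The secret is the key that obfuscates the TACACS+ body, so keep this file 0600 root:wheel.
tacacs1.example.net        "replace-with-shared-secret"   3
tacacs2.example.net:49     "replace-with-shared-secret"   3

# /etc/pam.d/sshd   try TACACS+ first, fall back to the local password database
auth    sufficient    pam_tacplus.so    try_first_pass
auth    required      pam_unix.so       no_warn try_first_pass
```

With pam_tacplus marked sufficient and pam_unix behind it, an unreachable TACACS+ server (after the per-server timeout) silently falls through to local accounts, which is usually what an operator wants for out-of-band recovery but also means local passwords stay an attack surface; mark the module required if that fallback is not acceptable and accept being locked out while the server is down.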
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, Nov 21, 2009 at 10:45 PM, Scott Howard wrote:
> On Sat, Nov 21, 2009 at 6:38 AM, John Levine wrote:
>>> Are passwords still the only lowest-common-denominator?
>>
>> There's OpenID, where a provider can use any verification process it wants, but all the OpenID providers I know use ordinary passwords.
>
> http://yubico.com/developers/openid/
>
> I'm currently trialing Yubico's for access to a number of Unix systems (via PAM), and they seem to work very well. Haven't played around with the

+1 for yubico's simplicity to setup/use. They also support a 'run your own auth server' model, so if you've got a closed system you don't have to find a way to sneak out http/s links to yubico-land.

> OpenID support, so I can't comment on if/how well it works.

I have not used their openid support either... but it looks promising.

-Chris
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, 21 Nov 2009, Joel Jaeggli wrote:
> Since this plays nicely with eap-tls, 802.1x, ike, ssl/tls, and s/mime it seems like a shoo-in; once you have a uniform authentication system one is inclined to use it for everything. obviously being involved in several of these with multiple ca's is something of a pain in the ass if it involves juggling 2 or more tokens instead of passwords (which are already a problem if you have to track quite a few non-overlapping ones).

Yep, there are lots of potential technologies out there. I've also implemented several on your list. I'm trying to stay neutral about the technology, as long as it works.

I suppose my question was more about market share/mind share. Figure out where everyone else is already going, and then get in front of that :-). So where is the market going beyond passwords?
Re: Smartcard and non-password methods (was Re: Password repository)
cards and tokens are a proxy for the use of a certificate authentication system... You can in fact do certificate auth without the use of cards or tokens, or mix and match physical tokens and other private key storage depending on need, with the same authentication backend (typically ldap).

Since this plays nicely with eap-tls, 802.1x, ike, ssl/tls, and s/mime it seems like a shoo-in; once you have a uniform authentication system one is inclined to use it for everything. obviously being involved in several of these with multiple ca's is something of a pain in the ass if it involves juggling 2 or more tokens instead of passwords (which are already a problem if you have to track quite a few non-overlapping ones).

Typically tokens continue to require passwords or some other method to unlock them for use, effectively making them two factor (secret+physical possession).

Sean Donelan wrote:
> Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws.
>
> I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for computer security. Are passwords still the only lowest-common-denominator?
Re: Smartcard and non-password methods (was Re: Password repository)
is there a freebsd pam tacacs+ hack? randy
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, Nov 21, 2009 at 6:38 AM, John Levine wrote:
>> Are passwords still the only lowest-common-denominator?
>
> There's OpenID, where a provider can use any verification process it wants, but all the OpenID providers I know use ordinary passwords.

http://yubico.com/developers/openid/

I'm currently trialing Yubico's for access to a number of Unix systems (via PAM), and they seem to work very well. Haven't played around with the OpenID support, so I can't comment on if/how well it works.

Scott.
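Added example, not configuration from Scott, Chris or the Yubico project: the shape of the PAM wiring Scott is trialing, pointed at the self-hosted validation server Chris mentions instead of Yubico's cloud. The client id, API key, hostname and user names are placeholders; the option names are those of pam_yubico as I know them, so verify against the module's README for the version you install.

```text
# /etc/pam.d/sshd  (Linux PAM layout; placeholder values)
# The user types password followed immediately by a key press. pam_yubico peels
# the trailing 44-character OTP off, validates it, and hands the remaining
# password to pam_unix via use_first_pass. The id/key pair authenticates this
# PAM client to the validation server (HMAC over request and response).
auth    required    pam_yubico.so  id=16 key=BASE64-API-KEY-HERE authfile=/etc/yubikey_mappings url=https://yubi-val.example.net/wsapi/2.0/verify?id=%d&otp=%s
auth    required    pam_unix.so    use_first_pass

# /etc/yubikey_mappings  (user:publicid[:publicid...])
# The public ID is the first 12 modhex characters the key types.
scott:ccccccbcgujh
chris:cccccccdvbgk:ccccccefjlkn
```

The mapping file is the part people forget: the validation server only answers "this OTP came from key X and is fresh". Binding key X to a particular account is the PAM module's job, and without the authfile (or an equivalent LDAP lookup) a valid OTP from anyone's key would be accepted for any user. sshd needs UsePAM yes for any of this to take effect.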
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, Nov 21, 2009 at 04:58:27PM -0500, Jeffrey Lyon wrote: > So it works as a standalone password vault also? I don't know. My only experience with it has been as an OpenID endpoint/provider/whatever, and it was on that basis that I replied originally. - Matt
Re: Smartcard and non-password methods (was Re: Password repository)
So it works as a standalone password vault also?

Jeff

On Sat, Nov 21, 2009 at 4:55 PM, Matthew Palmer wrote:
> On Sat, Nov 21, 2009 at 04:06:48PM -0500, Jeffrey Lyon wrote:
>> I was pretty excited about this post until I found out that myvidoop only works on older version of FF.
>
> I can only find something about the plugin not working on FF 3.5, but I don't use the plugin since I only use it as an OpenID endpoint. I can't imagine how the main site wouldn't work in FF 3.5 -- it's just a bit of javascripty fluff.
>
> - Matt

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, Nov 21, 2009 at 04:06:48PM -0500, Jeffrey Lyon wrote: > I was pretty excited about this post until I found out that myvidoop > only works on older version of FF. I can only find something about the plugin not working on FF 3.5, but I don't use the plugin since I only use it as an OpenID endpoint. I can't imagine how the main site wouldn't work in FF 3.5 -- it's just a bit of javascripty fluff. - Matt
Re: Smartcard and non-password methods (was Re: Password repository)
I was pretty excited about this post until I found out that myvidoop only works on older version of FF.

Jeff

On Sat, Nov 21, 2009 at 12:31 PM, Matthew Palmer wrote:
> On Sat, Nov 21, 2009 at 02:38:32PM -, John Levine wrote:
>>> Are passwords still the only lowest-common-denominator?
>>
>> There's OpenID, where a provider can use any verification process it wants, but all the OpenID providers I know use ordinary passwords.
>
> myvidoop.com does OpenID auth based on pictures. It's... interesting to use.
>
> - Matt

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."
Re: Smartcard and non-password methods (was Re: Password repository)
[Slightly off-topic - solution specific]

Some European countries have long figured out logistics of smartcard distribution and management in their healthcare systems - some being at the second generation, already. In fact this is a subject "dear" to my heart, as I've researched and attempted a proposal for such systems for a few disparate businesses (with possible extension into eHR), based on a model similar to the one of SSL certificate authorities (i.e. third party management of authentication, with some very neat federated solution), but nobody seems to care.

Moral? It's been done and it works. Good luck with selling such.

Stefan

On 11/21/09, Adam Stasiniewicz wrote:
> Sadly, passwords are the least common denominator. The biggest problems with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure, and distribute them; plus get them to work with all the myriad of applications.
>
> Certificates that are issued to computers/web browsers suffer from a lack of portability (i.e. by design, the user shouldn't be able to export and share the certificate with anyone they want). Plus with any solution using certificates (client or smart card) a substantial reconfiguration is required to support websites/applications being able to process certificate logons.
>
> IMHO, even though OTPs are the less secure of the two types of two-factor products, I see them growing faster than any other method. From an end-user perspective, they are small/portable, don't require a reader, and don't require any special OS, web browser, or software. From an infrastructure perspective, it is easier to convert a website to support OTPs (simply change the function that runs the password validation; instead of having to install and configure a special module/component that would handle the mutual auth required by certificates). Also, many of the OTP vendors are working on making their products function more easily cross platform (while with smart cards, you are basically stuck with either Microsoft's corporate/non-service provider friendly solution, or have to code your own).
>
> My $0.02,
> Adam Stasiniewicz
>
> -----Original Message-----
> From: Sean Donelan [mailto:s...@donelan.com]
> Sent: Friday, November 20, 2009 5:43 PM
> To: nanog@nanog.org
> Subject: Smartcard and non-password methods (was Re: Password repository)
>
> Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws.
>
> I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for computer security. Are passwords still the only lowest-common-denominator?

--
Sent from my mobile device

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius
RE: Smartcard and non-password methods (was Re: Password repository)
Sadly, passwords are the least common denominator. The biggest problems with 2 factor devices (smart cards, OTPs, etc) is having to buy, configure, and distribute them; plus get them to work with all the myriad of applications.

Certificates that are issued to computers/web browsers suffer from a lack of portability (i.e. by design, the user shouldn't be able to export and share the certificate with anyone they want). Plus with any solution using certificates (client or smart card) a substantial reconfiguration is required to support websites/applications being able to process certificate logons.

IMHO, even though OTPs are the less secure of the two types of two-factor products, I see them growing faster than any other method. From an end-user perspective, they are small/portable, don't require a reader, and don't require any special OS, web browser, or software. From an infrastructure perspective, it is easier to convert a website to support OTPs (simply change the function that runs the password validation; instead of having to install and configure a special module/component that would handle the mutual auth required by certificates). Also, many of the OTP vendors are working on making their products function more easily cross platform (while with smart cards, you are basically stuck with either Microsoft's corporate/non-service provider friendly solution, or have to code your own).

My $0.02,
Adam Stasiniewicz

-----Original Message-----
From: Sean Donelan [mailto:s...@donelan.com]
Sent: Friday, November 20, 2009 5:43 PM
To: nanog@nanog.org
Subject: Smartcard and non-password methods (was Re: Password repository)

Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws.

I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for computer security. Are passwords still the only lowest-common-denominator?
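Added example, not code from the thread, from Yubico or from pam_yubico: the server-side check that sits behind the "change the function that runs the password validation" step Adam describes, and that Scott's PAM module talks to when the OTP is a YubiKey press. The modhex alphabet, token layout and CRC are the published Yubico OTP format; the public ID, private UID, key and counters are constructed values. The standard library has no AES, so the AES-128-ECB decryption is an injected function and the demo passes an identity function over tokens built in the clear; a real validator plugs in the real decrypt and nothing else changes.

```python
"""Validate a Yubico OTP: 12 modhex chars of public ID + 32 modhex chars
(16 bytes) of AES-128-ECB-encrypted token.  Added example; decrypt_block is
injected because the stdlib has no AES, and demo() feeds tokens built in the
clear through an identity 'decrypt'.  All IDs, keys and counters are placeholders."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet
COUNTER_MASK = 0x7FFF         # bit 15 of the use counter is a flag, not part of the count
CRC_OK_RESIDUE = 0xF0B8       # CRC-16/X.25 residue of a token that includes its own CRC

def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    nib = [MODHEX.index(c) for c in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))

def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)

def crc16(data: bytes) -> int:
    """Reflected CRC-16, poly 0x8408, init 0xFFFF (same as yubikey_crc16 in yubico-c)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

@dataclass(frozen=True)
class Token:
    uid: bytes        # 6-byte private identity; must match what was enrolled for the public ID
    use_ctr: int      # 16-bit non-volatile counter, bumped once per power-up session
    tstamp: int       # 24-bit 8 Hz timer since power-up
    session_ctr: int  # 8-bit count of OTPs within the current session
    rnd: int          # 16-bit random filler

    def pack(self) -> bytes:
        """Little-endian layout plus ~CRC, so the whole 16 bytes check to 0xF0B8."""
        body = (self.uid + struct.pack("<H", self.use_ctr) + self.tstamp.to_bytes(3, "little")
                + bytes([self.session_ctr]) + struct.pack("<H", self.rnd))
        return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

def unpack_token(block: bytes) -> Token:
    (use_ctr,) = struct.unpack_from("<H", block, 6)
    (rnd,) = struct.unpack_from("<H", block, 12)
    return Token(block[:6], use_ctr, int.from_bytes(block[8:11], "little"), block[11], rnd)

@dataclass
class KeyRecord:
    aes_key: bytes
    uid: bytes
    last_use_ctr: int = 0      # persisted state: lose it and every old OTP is valid again
    last_session_ctr: int = 0

def validate_otp(otp: str, registry: Dict[str, KeyRecord],
                 decrypt_block: Callable[[bytes, bytes], bytes]) -> Tuple[str, str]:
    """Return (status, public_id); status is 'OK' or the reason for rejection."""
    if len(otp) != 44:
        return "BAD_OTP", ""
    public_id, enc = otp[:12], otp[12:]
    record = registry.get(public_id)
    if record is None:
        return "NO_SUCH_CLIENT", public_id
    try:
        block = decrypt_block(record.aes_key, modhex_decode(enc))
    except ValueError:
        return "BAD_OTP", public_id
    # Wrong key, corruption or forgery decrypts to noise; the CRC rejects it before
    # any counter state is consulted or touched.
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        return "BAD_OTP", public_id
    tok = unpack_token(block)
    if tok.uid != record.uid:
        return "BAD_OTP", public_id
    use_ctr = tok.use_ctr & COUNTER_MASK
    # Replay protection is nothing more than the (use, session) pair moving forward.
    if (use_ctr, tok.session_ctr) <= (record.last_use_ctr, record.last_session_ctr):
        return "REPLAYED_OTP", public_id
    record.last_use_ctr, record.last_session_ctr = use_ctr, tok.session_ctr
    return "OK", public_id

def demo() -> List[str]:
    """Constructed run: two fresh presses, a replay of the first, then a mangled OTP."""
    identity = lambda key, block: block                 # stands in for AES-128-ECB decrypt
    rec = KeyRecord(aes_key=bytes(16), uid=bytes.fromhex("8792ebfe26cc"))  # placeholders
    public_id = "cccccccccccd"                          # constructed 12-char modhex public ID
    registry = {public_id: rec}
    first = modhex_encode(Token(rec.uid, 1, 0x1234, 0, 0xBEEF).pack())
    second = modhex_encode(Token(rec.uid, 1, 0x1250, 1, 0x0102).pack())
    mangled = first[:-1] + ("b" if first[-1] == "c" else "c")   # one nibble flipped
    otps = [public_id + first, public_id + second, public_id + first, public_id + mangled]
    return [validate_otp(o, registry, identity)[0] for o in otps]

if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete that the thread only gestures at: the whole scheme is a shared AES key per device, so "run your own auth server" means you hold every enrolled key and must protect that store accordingly; and freshness is purely the stored counter pair advancing, so the counters have to be persisted and replicated between validators or a restore from backup quietly re-enables every OTP typed since.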
Re: Smartcard and non-password methods (was Re: Password repository)
On Sat, Nov 21, 2009 at 02:38:32PM -, John Levine wrote: > > Are passwords still the only lowest-common-denominator? > > There's OpenID, where a provider can use any verification process it > wants, but all the OpenID providers I know use ordinary passwords. myvidoop.com does OpenID auth based on pictures. It's... interesting to use. - Matt
Re: Smartcard and non-password methods (was Re: Password repository)
John Levine wrote: Are passwords still the only lowest-common-denominator? There's OpenID, where a provider can use any verification process it wants, but all the OpenID providers I know use ordinary passwords. Yeah, and every ISP would probably use key authentication, except there's not a simple distribution method for the multitude of ways clients might connect and handling temporary issues such as a customer connecting from a public site via webmail. So if a customer needs a password to retrieve or unlock a cert, they see no reason for a cert. This shows in the limited support for client certificates in standard software. Due to the limited support and increased overhead in supporting getting a client cert installed, they end up not being used. The same could be said for other protocols, though. Kerberos rocks, even does good with M$ networks, but there is no click and have fun kerberos support that I've seen for ISP networks. On the other hand, even with a very hands free implementation, I'm sure people would complain "but I want to let my son authenticate to this with my username/password, but not have access to this." Obviously, such a problem is best solved with "son" having his own auth, which may have different resources than the parent's, which is easily maintained and billable based on the resources actually required (see any number of Profile setups on fee based services; ie, netflix). Jack (off topic, and annoyed with the way we do things today)
Re: Smartcard and non-password methods (was Re: Password repository)
> Are passwords still the only lowest-common-denominator? There's OpenID, where a provider can use any verification process it wants, but all the OpenID providers I know use ordinary passwords. R's, John
Smartcard and non-password methods (was Re: Password repository)
Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its flaws. I know about the DOD Common Access Card. One-time code-generator tokens seem more widely used by single enterprises. But inter-operable credentials still seem to be one of those great unsolved problems for computer security. Are passwords still the only lowest-common-denominator?
Re: Password repository
On Thu, 19 Nov 2009, John Adams wrote:
> I'm a big fan of 1password, but I'm on mac and iPhone.

I'll second that. 1Password truly is fabulous, though its strength is the Auto-website login feature with a hotkey. When in your browser, Command+Option+\, type some characters of the site or description, hit enter, and it opens your default browser, goes to the site and logs you in. Integrates on all browsers: Safari, Firefox, Opera and others. Supports secure notes, has a well designed strong password generator, can be synced over the network to multiple other computers via Dropbox (or whatever you want to use, rsync works too), and has great integration with the iPhone as well as a browser-based client for use on non-Mac computers.

If you are not using a Mac, or are using a mixed bag of operating systems, 1Password is probably not best.

--
Peter Beckman                    Internet Guy
beck...@angryox.com              http://www.angryox.com/
Re: Password repository
Pierre-Yves Maunier wrote: >Jay Nakamura wrote: >> Quick question, does anyone have software/combination of tools they >> recommend on centrally store various passwords securely? >> >> Thanks. >> >> >I use opensource, multiplatforms softwares : > >Keepass password file in a truecrypt container and it works as heaven >and securely. > >Keepass for Windows : http://www.keepass.info/ >Keepass for Linux/Mac OS : http://www.keepassx.org/ > >Truecrypt (all platforms) : http://www.truecrypt.org/ > > >Pierre-Yves Maunier > >
Re: Password repository
I'm a big fan of 1password, but I'm on mac and iPhone. Sent from my iPhone On Nov 19, 2009, at 23:36, Pierre-Yves Maunier wrote: Jay Nakamura wrote: Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks. I use opensource, multiplatforms softwares : Keepass password file in a truecrypt container and it works as heaven and securely. Keepass for Windows : http://www.keepass.info/ Keepass for Linux/Mac OS : http://www.keepassx.org/ Truecrypt (all platforms) : http://www.truecrypt.org/ Pierre-Yves Maunier
Re: Password repository
Jay Nakamura wrote: Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks. I use opensource, multiplatforms softwares : Keepass password file in a truecrypt container and it works as heaven and securely. Keepass for Windows : http://www.keepass.info/ Keepass for Linux/Mac OS : http://www.keepassx.org/ Truecrypt (all platforms) : http://www.truecrypt.org/ Pierre-Yves Maunier
Re: Password repository
I'm not sure if you're only considering free software, but if not take a look at password manager pro. http://www.manageengine.com/products/passwordmanagerpro/download.html

Dan

On Nov 19, 2009, at 10:53 AM, Dan Young wrote:
> On Wed, Nov 18, 2009 at 10:34 PM, Randy Bush wrote:
>>> Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely?
>>
>> ascii text file, gpg encrypted, only opened with emacs crypt++.el
>
> Or if you prefer vim there is the gnupg.vim plugin: http://www.vim.org/scripts/script.php?script_id=661
>
> :-P
>
> --
> Dan Young
> Multnomah ESD - Technology Services
> 503-257-1562
Re: Password repository
On Wed, Nov 18, 2009 at 10:34 PM, Randy Bush wrote: >> Quick question, does anyone have software/combination of tools they >> recommend on centrally store various passwords securely? > > > > ascii text file, gpg encrypted, only opened with emacs crypt++.el Or if you prefer vim there is the gnupg.vim plugin: http://www.vim.org/scripts/script.php?script_id=661 :-P -- Dan Young Multnomah ESD - Technology Services 503-257-1562
RE: Password repository
I've used phpchain in the past. It's a freeware you can get off of sourceforge. It runs on a PHP server and stores the passwords per user, blowfish encrypted. It hasn't been updated in a while, but I found it simple, rather helpful, and easy to install and manage. Jeff -Original Message- From: Jay Nakamura [mailto:zeusda...@gmail.com] Sent: Wednesday, November 18, 2009 10:57 PM To: NANOG Subject: Password repository Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks.
RE: Password repository
I offer a free service: Send me all your passwords via encrypted email and I promise to keep them safe for you :-) Ok, kidding aside we also use KeePass... On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura wrote: > Quick question, does anyone have software/combination of tools they > recommend on centrally store various passwords securely? > > Thanks. > http://slash128.com
Re: Password repository
All, I wasn't expecting the number of suggestions I got! Thanks all. It looks like keepass is the popular choice by many. We are looking into that. And those that suggested RADIUS, yes, I am moving towards that direction for what can be moved to the RADIUS direction. However, we also managed so many customer's equipment/web site contents/application/networks as well that we can't use RADIUS in those instances. Again, I appreciate having this list to get ideas on various issues I face everyday. On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura wrote: > Quick question, does anyone have software/combination of tools they > recommend on centrally store various passwords securely? > > Thanks. >
Re: Password repository
Don't recall if it was mentioned but we use a nice little app called MyPMS http://lvoware.com/. Put it on an internal system and then people have to access via a VPN connection to browse into it. That way if a person is no longer with the company, then their VPN has been turned off and they don't have access to it anymore. The reason I like the app is it's OS agnostic for the end user and keeps the data in an SQL DB.

On Thu, 2009-11-19 at 14:07 +, gordon b slater wrote:
> On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
>> Pwman
>
> ...which has the HUGE advantage of being CLI (so useable over SSH sessions from network devices) and has tagging for searching large databases of passes. pwman3 is current version. For most OSs.
> I've even used it looped through a multitude of nested VTY+SSH+screen sessions - one of which was a Dropbear sshd and client on a 20$ plastic CPE - to save my sorry *ss
>
> For GUIs:-
> Keepassx for most OSs, and Keepass2.x on MS Windows
> Password Gorilla is a nice one for end-users, most OSs
>
> Bruce's Passwordsafe format is a somewhat de-facto standard for import/export. Keepass can do a lot of conversion for you.
> Some shops use rsync to distribute the masters and set them readonly at filesystem level though this tends to preclude regular rotation and updating.
>
> Beware that some of the commercial offerings are trivially broken or otherwise borked for "work" use. ymmv
>
> Whatever you use dump the file to a flat file (crypted of course) and save a statically linked version of the app for those "wow - what password app did we use way back in 2001?" moments.
>
> Print a copy every month or so and store securely offsite too - all the usual caveats apply. Once you have a super-duper app for them you tend to crank the pw complexity up to a level where no-one can remember anything nor even recognise regular ones; it's mainly cut and paste, especially if you use X.
>
> Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ?
>
> Gord
>
> --
> rommon 3 > You have reached the gateway of last resort. Abandon hope all ye who press enter here
Re: Password repository
On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
> Pwman

...which has the HUGE advantage of being CLI (so useable over SSH sessions from network devices) and has tagging for searching large databases of passes. pwman3 is current version. For most OSs.
I've even used it looped through a multitude of nested VTY+SSH+screen sessions - one of which was a Dropbear sshd and client on a 20$ plastic CPE - to save my sorry *ss

For GUIs:-
Keepassx for most OSs, and Keepass2.x on MS Windows
Password Gorilla is a nice one for end-users, most OSs

Bruce's Passwordsafe format is a somewhat de-facto standard for import/export. Keepass can do a lot of conversion for you.
Some shops use rsync to distribute the masters and set them readonly at filesystem level though this tends to preclude regular rotation and updating.

Beware that some of the commercial offerings are trivially broken or otherwise borked for "work" use. ymmv

Whatever you use dump the file to a flat file (crypted of course) and save a statically linked version of the app for those "wow - what password app did we use way back in 2001?" moments.

Print a copy every month or so and store securely offsite too - all the usual caveats apply. Once you have a super-duper app for them you tend to crank the pw complexity up to a level where no-one can remember anything nor even recognise regular ones; it's mainly cut and paste, especially if you use X.

Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ?

Gord

--
rommon 3 > You have reached the gateway of last resort. Abandon hope all ye who press enter here
RE: Password repository
We have used Password Manager XP for quite some time. It supports different user roles, allows security to be set per folder, the encryption levels it supports are insane, and it allows for a "database password" and then user level authentication (which can be tied to NT authentication from the workstation). They also have a client for windows mobile devices. The client also runs in wine exceptionally well. You can configure it to do form filling, and you can define password expiration dates and it will remind you that passwords need changed. Also supports the ability to define a database log, so that all changes can be sent off to a log server. You can also add pretty detailed descriptions to the entry, and you can tie files into the entry as well. Works great for attaching a private key for access to servers via SSH. All of the displayed fields inside of each folder are completely customizable and quite easy to change. It supports multiple users pretty well, however we have had to restore the database from backups once when a user was writing to the database over SSLVPN and the connection dropped. We have used it with a max of about 20 people and it worked great for that number, however as your database gets larger and larger it does take a while to make some changes. -Original Message- From: Jay Nakamura [mailto:zeusda...@gmail.com] Sent: Wednesday, November 18, 2009 8:57 PM To: NANOG Subject: Password repository Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks.
Re: Password repository
Jay Nakamura (zeusdadog) writes:
> Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely?

Home built app with GELI (FreeBSD) encrypted disk image and automated versioning of documents/secure stuff with a VCS. Works fine in a multi user context, but only one user can access it at a time.
Re: Password repository
On 19/11/09 15:34 +0900, Randy Bush wrote: Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? ascii text file, gpg encrypted, only opened with emacs crypt++.el From the network administrator perspective, we prefer to use a 3rd party/central authentication system where feasible, to reduce the number of passwords entries in our network from Users*Systems to Users*Security_Domains, and keep a gpg encrypted file (and a physical copy) in a safe location of rarely used admin/root passwords that we only need in an emergency (e.g. when RADIUS goes down). -- Dan White
Re: Password repository
> Quick question, does anyone have software/combination of tools they > recommend on centrally store various passwords securely? ascii text file, gpg encrypted, only opened with emacs crypt++.el randy
RE: Password repository
http://keepass.info Works great in a multi-user environment. -Original Message- From: Jay Nakamura [mailto:zeusda...@gmail.com] Sent: Wednesday, November 18, 2009 19:57 To: NANOG Subject: Password repository Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks.
Re: Password repository
Pwman On 11/18/09, Jay Nakamura wrote: > Quick question, does anyone have software/combination of tools they > recommend on centrally store various passwords securely? > > Thanks. > > -- Sent from my mobile device -- Darren Bolding -- -- dar...@bolding.org --
Re: Password repository
On a small scale, PasswordSafe from Sourceforge. On Wed, Nov 18, 2009 at 10:56 PM, Jay Nakamura wrote: > Quick question, does anyone have software/combination of tools they > recommend on centrally store various passwords securely? > > Thanks. > > -- -- David Storandt CTO TelJet Longhaul LLC 802-922-9503 (new DID) 802-264-3003 (fax) dstora...@teljet.com
Password repository
Quick question, does anyone have software/combination of tools they recommend on centrally store various passwords securely? Thanks.