Re: seeking hardware token recommendations

To: <misc@...>
Date: Friday, December 7, 2007 - 2:39 pm

Hi Jake,

While it is true that RSA, for some 15 years, used an NSA-certified
proprietary hash to generate the SecurID's one-time password, five years ago
RSA replaced the classic SecurID with an AES-based token, so your concern
about the proprietary hash is a little out of date.  To the best of my
knowledge (and I track this stuff), no one has ever claimed to have inverted
the old Brainard hash in the classic SecurID, but the AES SecurID token,
with a 128-bit secret, is state of the art, even DPA-resistant, and
available in a half-dozen form-factors. 

The RSA Authentication Manager includes a RADIUS server, and OpenBSD, of
course, has login_radius, BSD Auth, and OpenSSH. RSA, unfortunately, doesn't
officially support OpenBSD, and I don't know what might be available that
would be the equivalent of PAM modules under BSD Auth. There is probably
some experience available here with regard to critical applications, but if
not, query other BSD forums or Kevin Kadow's unofficial SecurID Users' Forum
at:
http://tech.groups.yahoo.com/group/securid-users/

Check out Kadow's comment on another OpenBSD forum a few months ago at:
http://tinyurl.com/2murme
Also Tim Kornau's FreeRadius 1.1.0 port to OpenBSD
http://marc.info/?l=openbsd-ports&m=113827097610572&w=2

For SecurID basics, you might want to also check out:

RSA SecurID Options: http://www.rsa.com/node.aspx?id=1156
RSA Authentication Servers and Appliances: 
http://www.rsa.com/node.aspx?id=3049
SecurID-Ready VPNs:
http://www.rsa.com/rsasecured/results.asp?search=VPN&x=0&y=0
RSA's Platform Support Matrix (which describes RSA's PAM modules):
http://www.rsa.com/node.aspx?id=2573

If you are considering RSA SecurID and SSH, see:

OpenSSH: http://www.openssh.com/
OpenSSH support for SecurID: http://sweb.cz/v_t_m/
and The RSA SecurID-Ready Implementation Guide for SSH:
http://www.rsa.com/rsasecured/guides/imp_pdfs/ssh_secure_shell_ace5.pdf

I'm a consultant to RSA, but this isn't my turf. Hope this is helpful.

Suerte,
        _Vin

------------ in reference to ---------


Jacob Yocom-Piatt-2 wrote:

-- 
View this message in context: http://www.nabble.com/seeking-hardware-token-recommendations-tf4960311.html#a14218241
Sent from the openbsd user - misc mailing list archive at Nabble.com.

Messages in current thread:
seeking hardware token recommendations, Jacob Yocom-Piatt, (Fri Dec 7, 1:02 am)
Re: seeking hardware token recommendations, vinmclellan, (Fri Dec 7, 2:39 pm)