[reviving a really old thread - sorry] "Perry E. Metzger" <[EMAIL PROTECTED]> writes:
> "Robert G. Brown" <[EMAIL PROTECTED]> writes:
>>> If they can't use public key auth, give 'em secure ids or something
>>> similar. Works fine for such purposes. Passwords are dead.
>>
>> Yeah, Bill Gates (among others) said something like that back in 2004.
>> I confess to being deeply skeptical. Really. The SecureID solution has
>> been around for a long time at this point. It was a PITA a decade ago.
>> It is a PITA now. Expensive, too.
>
> It is neither. I use SecureIDs quite regularly and it isn't difficult
> at all -- you just look at the device and type in the digits. What's
> so hard about that? It isn't that expensive, either, but if you're
> minimizing cost there are cheaper competitors and various
> challenge-response devices, and even non-hardware solutions.

The tokens are pretty expensive, they break, they get lost, they go out of clock sync, they run out of battery and need to be replaced. The support costs are non-negligible.

[the rest of this post is a general comment, not necessarily directed at Perry]

That said, there is interesting stuff like the YubiKey (http://www.yubico.com/), which is a USB token pretending to be a keyboard. Press a button on it, and it "types" a one-time password. Downside: it uses symmetric crypto, which essentially means you have a shared secret between the token and the auth server. This makes the auth server a fat, juicy target, and if it ever is cracked, you need to replace all your tokens.

There are also systems that send out one-time passwords via SMS to the user's cellphone. Rather neat, but you do need to pay for those SMSes.

Soft tokens, like file-based client-side certs and private ssh keys, are not necessarily a *huge* improvement over simple passwords. You do become immune against the password-guessing attacks, but private keys can be stolen. We see this happening. And when a private ssh key is stolen, it is a major headache to find all authorized_keys files that contain the corresponding public key.
Ssh keys *can* improve your security - encrypt the private key with a good strong passphrase, make sure it never leaves your laptop, and (carefully) use ssh-agent and agent forwarding for your authentication needs. (And add your keys with "ssh-add -c".) However, in practice, this tends to be too complicated for the average user. For a reality check, run

    grep -L CRYPT /home/*/.ssh/id_{r,d}sa

to check how many users have unencrypted private keys stored on your system.

-- 
Leif Nixon - Systems expert
------------------------------------------------------------
National Supercomputer Centre - Linkoping University
------------------------------------------------------------

_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
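As an added example (not part of the post above or of any project it mentions), here is a Python version of the same "reality check" audit. The grep in the post matches the text headers of legacy PEM keys; keys written in the newer OpenSSH container keep the cipher name inside the base64 blob, where grep cannot see it, so the check below parses that header as well. The `/home/*/.ssh/id_*` glob and the constructed sample key files are assumptions.

```python
import base64
import glob
import struct

OPENSSH_V1_MAGIC = b"openssh-key-v1\x00"
PEM_ENCRYPTED_MARKERS = (b"Proc-Type: 4,ENCRYPTED", b"DEK-Info:")

def _ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def key_is_encrypted(data: bytes) -> bool:
    """True if a private key file is passphrase-protected. Legacy PEM keys
    say so in text headers (what 'grep CRYPT' matches); OpenSSH v1 keys keep
    the cipher name inside the base64 blob, where grep cannot see it."""
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" not in data:
        return any(marker in data for marker in PEM_ENCRYPTED_MARKERS)
    body = b"".join(ln.strip() for ln in data.splitlines()
                    if ln.strip() and not ln.startswith(b"-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_V1_MAGIC):
        raise ValueError("not an OpenSSH v1 key blob")
    # Header layout: magic, ciphername, kdfname, kdfoptions, nkeys, ...
    ciphername, _ = _ssh_string(blob, len(OPENSSH_V1_MAGIC))
    return ciphername != b"none"

def unencrypted_keys(pattern: str = "/home/*/.ssh/id_*") -> list:
    """Paths matching `pattern` that hold a private key with no passphrase."""
    found = []
    for path in sorted(glob.glob(pattern)):
        try:
            with open(path, "rb") as fh:
                data = fh.read()
            # .pub files match the glob too; they carry no PRIVATE KEY armour.
            if b"PRIVATE KEY-----" in data and not key_is_encrypted(data):
                found.append(path)
        except (OSError, ValueError, struct.error):
            continue  # unreadable or malformed: skip rather than guess
    return found

def build_openssh_v1_sample(ciphername: bytes, kdfname: bytes) -> bytes:
    """Constructed sample (no real key material): OpenSSH v1 armour + header only."""
    def s(x): return struct.pack(">I", len(x)) + x
    blob = OPENSSH_V1_MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n").encode()
```

Run `unencrypted_keys()` as root to list the offending files; on hosts where ssh-keygen writes the OpenSSH container by default, the grep in the post would have reported every key, encrypted or not.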