On Tuesday 24 March 2009 23:25:57 Robert G. Brown wrote:
> There are a couple of possible exceptions to pursue in addition to the
> e.g. RSA-like solutions with their enormous cost, but I thought I'd
> throw it out to the group here too. Is there a straightforward low-cost
> way to generate OTP's without ten thousand dollar server software
> packages?

When administering a previous cluster, I had to set up this kind of secure access for users. Management had a high sense of systems security, and absolutely rebuffed the idea of seeing their multi-million dollar cluster pwned and transformed into a spam sending workhorse. So users *had* to authenticate using one time passwords.

To do so, users were provided a web-based OTP generator (through an SSL connection, identification being taken care of by a campus-wide authentication mechanism). With this OTP, they could authenticate to a firewall running authpf [1]. After successful authentication, and for as long as they kept their authpf session open, they could then log on to the cluster frontends, using regular SSH authentication, delegated to campus Kerberos servers.

MITM attacks (from the network) were somewhat mitigated by the OTP usage, but the whole chain security was relying on the campus authentication mechanism, which was, well, secure.

It was far from a perfectly flawless and secure setup, but at least, access to the cluster was only allowed at the firewall level to currently authenticated users. Access was denied as soon as the firewall connection was closed.

Authpf is a really useful piece of software.

[1] http://www.openbsd.org/faq/pf/authpf.html

Cheers,
-- 
Kilian
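
A minimal pf/authpf configuration for the gateway arrangement described in the message above, added here as an illustration and not taken from the poster's setup. Interface names, the 192.0.2.x frontend addresses and the rule layout are assumptions; how the OTP was verified at login is not stated in the message and is not shown.

```conf
# ---- /etc/pf.conf on the authenticating gateway (constructed example) ----
ext_if = "em0"                       # assumed: campus-facing interface

set skip on lo
block in log all                     # default deny: nothing reaches the cluster
pass out quick                       # the gateway may forward what was let in

# Users SSH to the gateway itself to open an authpf session.
# Their login shell is /usr/sbin/authpf, so they get no interactive shell.
pass in quick on $ext_if proto tcp to ($ext_if) port ssh

# authpf loads per-user rules under this anchor while the session is open
# and removes them, along with the user's states, when the session ends.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules (template applied to every session) ----
# Macros from pf.conf are not visible here, so they are repeated.
ext_if    = "em0"
frontends = "{ 192.0.2.10, 192.0.2.11 }"   # placeholder frontend addresses

# $user_ip is set by authpf to the address the session came from.
# Only that address may reach the cluster frontends, and only over SSH.
pass in quick on $ext_if proto tcp from $user_ip to $frontends port ssh

# ---- /etc/authpf/authpf.conf ----
# Must exist (it may be empty) or authpf refuses to run.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; with a session open, `pfctl -s Anchors` lists the per-user anchor under `authpf`.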
