David, I can tell you that the CyberSafe commercially available Kerberos products support using SecurID to get the initial TGT. This is not an open source solution so you would have to pay for our products to use this functionality.
I also need to advise you that, to support pre-authentication with SecurID, the KDC and also the clients need SecurID support, i.e. it is not something you can just add to the KDC only. If you are interested in finding out more about our products please let me know.

Take care,
Tim Alsop
CyberSafe Limited

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Bishop
Sent: 25 May 2007 18:11
To: kerberos@mit.edu
Subject: kerberos + securid (hpcmp)

Good morning!

I work at a largish retail company, which is being affected by the PCI-DSS. One of the changes we are making is implementing one-time passwords to access any of our production machines (we use RSA SecurIDs). We have that working using the standard PAM module, but are already annoyed at having to enter a PIN every time we get on any machine (something that we do tens of times per day).

Our first thought was to have a couple of "gateway" machines, that you have to use a SecurID to log into, then allow ssh keys[1] from there to the other machines, while still allowing "direct" access to the machines using RSA. However, there is no way to change the order of authentication in sshd, server-side (to do the PAM checks of IP, then determine whether to use RSA or ssh keys), and client-side isn't good enough (for obvious reasons).

That is a long-winded way of saying that we are seriously considering using Kerberos. However, we would still need to use RSA SecurID for the initial authentication, to get the TGT. The only thing I can find after googling for a while is that I (apparently) need to use the HPCMP flavor of Kerberos to have that functionality, but *nowhere* can I find a link to the source code, in order to build our own KDC, or the various Solaris and Linux clients (as we aren't using Solaris 8 or Debian/SuSE, the only binary clients I could readily find).

My question is: am I the worst googler ever? Is, perchance, SecurID support built into the latest krb5 release, and I just can't find documentation on it? Am I just SOL? Is there a different way to accomplish what we desire (that isn't kludgy, like running multiple sshd instances)?

Many, many thanks for those of you who read this far. Have a great day!

David

[1] using ssh-agent, of course

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
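Editor's note, added after the thread and not part of either message: the server-side ordering David asks for (public keys accepted only from designated gateway hosts, SecurID via PAM from everywhere else) can be expressed in later OpenSSH releases (6.2 and newer) with a Match block and the AuthenticationMethods directive, without running multiple sshd instances; that directive did not exist in 2007. The addresses below and the assumption that the SecurID PAM module is what answers keyboard-interactive prompts are illustrative, not taken from the thread.

```text
# /etc/ssh/sshd_config fragment (assumes OpenSSH 6.2 or newer; addresses are illustrative)
UsePAM yes
KbdInteractiveAuthentication yes     # spelled ChallengeResponseAuthentication in older releases
PasswordAuthentication no

# Default for every connection: only the PAM keyboard-interactive stack (SecurID) is accepted.
AuthenticationMethods keyboard-interactive

# Connections originating from the two gateway hosts may use public keys instead.
# Match blocks must follow all global settings; a Match applies until the next Match.
Match Address 10.0.1.10,10.0.1.11
    AuthenticationMethods publickey
```

The gate here is the source address alone, so anyone who can reach a gateway host's ssh-agent (including through a forwarded agent) inherits key-based access to every production machine; keep ForwardAgent off on the gateways, restrict who can log in to them, and check the effective settings with `sshd -T -C addr=10.0.1.10,user=david` before relying on the Match block.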