Hi all, I need to develop a secure way for our staff/outside contractors to be able to securely connect (via SSH; rdesktop/VNC in the future) to our internal and customer systems. We do need heterogeneous client system support (BSD, Linux, Solaris, Windows, etc.) with whatever solution is deployed.
The more time I have spent with this, the more I believe that we need some sort of SSO (Single Sign On) solution (something that supports a hardware key token like RSA would be great). This is complicated by the perceived requirement to install software on our customers' systems to support this kind of integration.

As a stopgap I have been thinking about creating a dedicated user account on a centralized server, creating SSH keys and pushing the public key out to the remote systems for passwordless logins. Internal users would connect to this system, sudo to the other account and then SSH (with the added feature of being able to execute script and log the session). The goal behind all of this, of course, is to provide secure connectivity to remote systems in such a way that passwords to the remote systems are not being disseminated to our internal users, so if a user's employment status changes we don't have to run through the crazy password change scramble.

I pose this question to this list because, of all places on the Internet, I know OpenBSD users to be the most paranoid with security and simple/elegant solutions, which is exactly what I need here. Am I over thinking this problem? What would you recommend?

Thanks in advance,
Max
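The stopgap described in the post (a shared account on a central jump host, reached via sudo, with the session recorded by script(1)), sketched as a login wrapper for that account. This is an added example, not code from the original message; the account name "jumpuser", the allowlist and log paths, and the environment variable names are assumptions.

```shell
#!/bin/sh
# Assumed deployment: this script is the login shell (or sudo target command)
# of the shared "jumpuser" account on the central server. Staff log in to the
# jump host as themselves and run "sudo -u jumpuser jump <host>". The wrapper
# records the real operator (SUDO_USER), checks the requested host against an
# allowlist, records the whole terminal session with script(1) and connects
# with the account's own key, so no remote password is ever shown to staff.
ALLOWLIST="${JUMP_ALLOWLIST:-/etc/jump/hosts.allow}"   # one hostname per line
LOGDIR="${JUMP_LOGDIR:-/var/log/jump}"                  # mode 0700, owned by jumpuser
KEY="${JUMP_KEY:-/home/jumpuser/.ssh/id_ed25519}"       # private key only on the jump host

# Return 0 only if the requested host ($1) appears verbatim in allowlist file $2.
# -x -F: whole-line, literal match, so "db1" does not match "db1.example.net".
target_allowed() {
    grep -qxF -- "$1" "$2" 2>/dev/null
}

# Build the session log path from operator, target and UTC timestamp, so a
# reviewer can answer "who connected where, and when" from the filename alone.
log_name() {
    printf '%s/%s_%s_%s.log\n' "$LOGDIR" "$1" "$2" "$3"
}

jump_main() {
    operator="${SUDO_USER:-$(id -un)}"   # sudo preserves the real user here
    target="$1"
    if [ -z "$target" ] || ! target_allowed "$target" "$ALLOWLIST"; then
        echo "jump: host not permitted: ${target:-<none>}" >&2
        return 1
    fi
    log="$(log_name "$operator" "$target" "$(date -u +%Y%m%dT%H%M%SZ)")"
    umask 077   # transcripts are readable by jumpuser only
    # script -c is available on both OpenBSD and util-linux script(1). The
    # target is safe to interpolate because it matched an allowlist line.
    # IdentitiesOnly pins the shared key; agent/X11 forwarding stay off so the
    # remote side cannot reuse the jump host's credentials.
    exec script -c "ssh -i '$KEY' -o IdentitiesOnly=yes -o ForwardAgent=no \
        -o ForwardX11=no -- '$target'" "$log"
}

# Only run when invoked as "jump", so the functions can also be sourced.
case "$0" in
    */jump|jump) jump_main "$@" ;;
esac
```

Revoking a user then means removing their sudo entry on the jump host, not rotating passwords on every customer system.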