One thing I didn't see mentioned is public key certificates.  Jacob's
need to control access in a granular fashion might be solvable through
the use of client certificates and SSL, rather than one-time
passwords?

Overall Vin makes good points, and includes useful links, so I won't
re-write my screeds from other sites and mailing lists.

There is one warning I must repeat -- You might be tempted to use X9.9
(The 'x99token' application in OpenBSD).  Please do not use this
algorithm for security; there were fatal flaws in the X9.9
authentication standard, and the ANSI X9.9-1994 MAC was withdrawn in 1999
(http://www.x9.org/standards/free/).


On Dec 6, 2007 11:02 PM, Jacob Yocom-Piatt <[EMAIL PROTECTED]> wrote:
> i am aware that the securID uses a closed-source algorithm
> to generate its codes and is thus, IMO, not a desirable solution.

SecurID, like other modern hardware tokens, uses both well-vetted
crypto (AES) and also a 'secret sauce' to generate one time passcodes
(OTP).  This generally means that their centralized server and
software tokens are inherently only available as binaries for a very
limited number of platforms, usually PC Windows, Sparc Solaris, and
perhaps one Linux platform.  There might be one vendor with FreeBSD
support somewhere out there...

Simple hardware tokens, while requiring one additional (non-OpenBSD)
authentication server in your data center, do provide the best balance
of security and usability.  They're also expensive, though many
vendors (including Safeword and SecurID) are offering lower-priced
"appliance" models for sites with just a few dozen users.


> the goal is to allow only users with
> (1) a hardware token and
> (2) the correct passwords to access services (IMAPS, etc) on openbsd machines.

I am not aware of any hardware tokens where the "authentication
server" is supported on OpenBSD, much less any open source OTP vendor
offering hardware tokens.  But all the current players support RADIUS
protocol, and the various vendors are working together on a new open
authentication network protocol, OATH
(http://www.openauthentication.org/).

It'd be cool to have a small calculator to generate RMD-160 OPIE
responses, but I don't know of anything approaching the price point of
SecurID, Safeword, Vasco, CRYPTOCard, etc.


> a list of OTPs would be sufficient if i didn't think i'd end up
> regularly issuing new lists to users. if there is any "good" solution of
> the sort i describe above, i would appreciate pointers from more
> knowledgeable folks.

The built-in S/Key (OPIE?) implementation in OpenBSD is good.
You will need to either give users access to and training on using
'skeyinit', or you will need to regularly issue new response 'cheat
sheets' to users.

Kevin
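
As an added illustration of the hash-chain idea behind the S/Key (OPIE)
mechanism Kevin recommends above, here is a small Python model of the
protocol. It is example code added to this archived post, not code from
the thread or from OpenBSD's own skey(1)/skeyinit(1) implementation:
the full SHA-1 digest is kept as the chain link (real S/Key folds each
digest down to 64 bits and encodes it as six words), and the user name,
seed, passphrase and the SkeyServer class are constructed assumptions.
What it shows is the property that makes the scheme work: the server
stores only the sequence number and the last accepted value, a captured
response cannot be replayed, and the user must re-run the equivalent of
skeyinit once the chain runs out.

```python
import hashlib
import hmac


def skey_step(value: bytes) -> bytes:
    """One link of the chain: hash the previous value once.
    Real S/Key folds the digest to 64 bits; this illustration keeps the
    full SHA-1 digest (a simplifying assumption, not the wire format)."""
    return hashlib.sha1(value).digest()


def skey_compute(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: start from seed+passphrase and hash it `count` times.
    The user's calculator (or skey(1)) does exactly this for each login."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = skey_step(value)
    return value


class SkeyServer:
    """Server side. Holds only (seed, sequence, last accepted value) per
    user; the passphrase never reaches the server (constructed model)."""

    def __init__(self) -> None:
        self.db: dict = {}

    def register(self, user: str, seed: str, count: int, final_value: bytes) -> None:
        # Equivalent of skeyinit: the client submits hash^count(seed+pass).
        self.db[user] = {"seed": seed, "seq": count, "value": final_value}

    def challenge(self, user: str):
        # Challenge is (seq-1, seed): the client must produce hash^(seq-1).
        rec = self.db[user]
        return rec["seq"] - 1, rec["seed"]

    def verify(self, user: str, response: bytes) -> bool:
        rec = self.db[user]
        if rec["seq"] <= 1:
            # Chain exhausted: accepting seq 0 would expose seed+passphrase.
            # The user has to re-initialise (new seed / new count).
            return False
        # Hashing the response once must reproduce the stored value.
        if not hmac.compare_digest(skey_step(response), rec["value"]):
            return False
        # Roll the chain forward: the accepted response becomes the new
        # stored value, so replaying it will fail next time.
        rec["seq"] -= 1
        rec["value"] = response
        return True


def demo():
    """Walk through init, two logins and one replay attempt with constructed
    values. Returns (first_login_ok, replay_ok, second_login_ok, seq_left)."""
    user, seed, passphrase, count = "jacob", "ob12345", "constructed-pass", 5
    srv = SkeyServer()
    srv.register(user, seed, count, skey_compute(passphrase, seed, count))

    seq, chal_seed = srv.challenge(user)          # 4, "ob12345"
    resp = skey_compute(passphrase, chal_seed, seq)
    first_ok = srv.verify(user, resp)             # True

    replay_ok = srv.verify(user, resp)            # False: value already used

    seq, chal_seed = srv.challenge(user)          # 3
    second_ok = srv.verify(user, skey_compute(passphrase, chal_seed, seq))
    return first_ok, replay_ok, second_ok, srv.db[user]["seq"]


if __name__ == "__main__":
    print(demo())
```

The constant-time compare and the "seq <= 1" guard are the two places a
home-grown implementation usually goes wrong; OpenBSD's skey handles both,
which is why the post points at the built-in implementation rather than a
reinvented one.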
