Hi Jake,

While it is true that RSA, for some 15 years, used an NSA-certified
proprietary hash to generate the SecurID's one-time password, five years ago
RSA replaced the classic SecurID with an AES-based token, so your concern
about the proprietary hash is a little out of date.  To the best of my
knowledge (and I track this stuff), no one has ever claimed to have inverted
the old Brainard hash in the classic SecurID, but the AES SecurID token,
with a 128-bit secret, is state of the art, even DPA-resistant, and
available in a half-dozen form-factors. 

The RSA Authentication Manager includes a RADIUS server, and OpenBSD, of
course, has login_radius, BSD Auth, and OpenSSH. RSA, unfortunately, doesn't
officially support OpenBSD, and I don't know what might be available that
would be the equivalent of PAM modules under BSD Auth. There is probably
some experience available here with regard to critical applications, but if
not, query other BSD forums or Kevin Kadow's unofficial SecurID Users' Forum
at:
http://tech.groups.yahoo.com/group/securid-users/

Check out Kadow's comment on another OpenBSD forum a few months ago at:
http://tinyurl.com/2murme
Also Tim Kornau's FreeRadius 1.1.0 port to OpenBSD
http://marc.info/?l=openbsd-ports&m=113827097610572&w=2

For SecurID basics, you might want to also check out:

RSA SecurID Options: http://www.rsa.com/node.aspx?id=1156
RSA Authentication Servers and Appliances: 
http://www.rsa.com/node.aspx?id=3049
SecurID-Ready VPNs:
http://www.rsa.com/rsasecured/results.asp?search=VPN&x=0&y=0
RSA's Platform Support Matrix (which describes RSA's PAM modules):
http://www.rsa.com/node.aspx?id=2573

If you are considering RSA SecurID and SSH, see:

OpenSSH: http://www.openssh.com/
OpenSSH support for SecurID: http://sweb.cz/v_t_m/
and The RSA SecurID-Ready Implementation Guide for SSH:
http://www.rsa.com/rsasecured/guides/imp_pdfs/ssh_secure_shell_ace5.pdf

I'm a consultant to RSA, but this isn't my turf. Hope this is helpful.

Suerte,
        _Vin
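[Editor's note: an added sketch, not part of Vin's reply or of any RSA or OpenBSD documentation, of how the pieces he names fit together: OpenBSD's login_radius(8) behind BSD Auth, talking to the RADIUS server bundled with RSA Authentication Manager, with sshd handing the passcode prompt to BSD Auth. The hostname, port, timeouts and the login class name are assumptions; check the variable names against login_radius(8) on your release.]

```conf
# /etc/login.conf: a hypothetical "radius" login class whose BSD Auth style
# is login_radius; rsa-am.example.net is an assumed Authentication Manager host
radius:\
	:auth=radius:\
	:radius-server=rsa-am.example.net:\
	:radius-port=1812:\
	:radius-timeout=5:\
	:radius-retries=3:\
	:tc=default:

# /etc/raddb/servers: one "host secret" pair per line; keep it root-owned,
# mode 0600. The secret below is a placeholder, not a real value.
rsa-am.example.net	REPLACE-WITH-SHARED-SECRET

# /etc/ssh/sshd_config: make sshd collect the SecurID passcode through
# BSD Auth's challenge path instead of a plain Unix password
ChallengeResponseAuthentication yes
PasswordAuthentication no
```

Put the users who must present a token into that class (usermod -L radius <user>) and rebuild /etc/login.conf.db with cap_mkdb(1) if your system uses it; users left in the default class keep authenticating as before.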

------------ in reference to ---------


Jacob Yocom-Piatt-2 wrote:
> 
> would like to lock "random" users out of the services that are hosted on 
> machines here and remember LLNL, etc, using an RSA SecurID to effect 
> this back in the day: you had to enter your SecurID string before being 
> able to ssh into your user account through the firewall. i am aware that 
> the SecurID uses a closed-source algorithm to generate its codes and is 
> thus, IMO, not a desirable solution. the goal is to allow only users 
> with (1) a hardware token and (2) the correct passwords to access 
> services (IMAPS, etc) on openbsd machines.
> 
> a list of OTPs would be sufficient if i didn't think i'd end up 
> regularly issuing new lists to users. if there is any "good" solution of 
> the sort i describe above, i would appreciate pointers from more 
> knowledgeable folks.
> 
> cheers,
> jake
> 

-- 
View this message in context: 
http://www.nabble.com/seeking-hardware-token-recommendations-tf4960311.html#a14218241
Sent from the openbsd user - misc mailing list archive at Nabble.com.