Hot Diggety! Matthew Barr was rumored to have written:

>> Hmm, that might work for a small scale setup or where users relatively
>> infrequently login to bastions.
>>
>> Less so when you're talking hundreds to thousands of hosts, or where
>> frequent logins are a part of the daily experience -- perhaps due to
>> side effects of various organizational policies?
>
> Question: Why are you logging into that many hosts? We have hundreds

It's not me. ;-) It's the actual end users; almost every single one isn't an admin. There's multiple tiers of bastions depending on various factors and needs (legal, policy, workflow, etc).

> of systems, but I login to very few of them. Typically we login to an
> Admin host, which we can then jump to the other hosts, and have

Yep, my team has our own admin bastions. screen + a bunch of two-factor xterms + keychain/ssh keys + locked screensavers + good passwords + periodic password expirations on the originating systems goes a long way in making it usable, assuming one has a secure environment where the originating machine is.

> What do people think of SSH with SSH keys *only* ? Is it strong
> enough to be a non-IP locked system?

It's pretty good. I would still want to lock to specific IPs or subnets as part of a belts-and-suspenders approach, but if I could only do solely ssh keys for logins, I could probably live with it without sleepless nights.

> Also: does anyone have any decent suggestions for 2 factor systems that
> are free? I'd prefer not to have to carry any kind of token. The group
> has Blackberries, and iphones, + laptops, basically.

I haven't looked at non-RSA two factor solutions lately, but a few years ago, I looked into all this for home use.

RSA ACE (SecurID) is the most well known and pretty good. But their pricing model, well... leaves some to be desired, even in the more well-heeled environments. ;-) And it's a pricing model I couldn't hope to afford unless I won El Gordo (in Spain). ;-)

So, plan B was to look into cheaper two-factor auth solutions. I found a significantly cheaper fob-type of setup though the up-front expenditure was somewhere between $500-$1000 and came with some kind of dev kit? Not bad per se, but a little too steep for a single user with a couple of boxes. Still, if I'd really needed it that bad, I'd probably have sprung for it.

It required some integration work, but there were notes littered across the web for the finer points of it.

There's other types where you can program a smartcard and use it to embed the necessary PKI components (and any other information as desired -- photos or whatever). That's cheaper, but the integration work was significantly larger (and somewhat incomplete in some areas). And you've got to ensure your end-to-end infrastructure is essentially bulletproof and can hold up its end of the bargain no matter what strange situations Murphy might throw at it.

One of the key things to keep in mind is platform authentication subsystem compatibility. Easy enough to make a single platform work (one way or another) but making multiple platforms work can get more interesting in a hurry.

So, simplifying this... given the fact your team has mobile devices, are tech-savvy, and keeping costs (and integration time) down is a major driver, you could consider something like S/KEY or OPIE -- use of one-time passwords. It's not the sexiest of things, but free and easy to integrate. The only real downside to this, IMO, would be having to enter long strings of random passwords (as well as looking up which number to use). Kind of scotches it for me when using it more than once or twice in a single day. But if coupled with other things (screen, password-protected screensavers, etc), it could work out OK in practice.

All this, of course, was researched a few years ago -- and pricing, level of difficulty in implementation, and technical options may have changed (in either direction) by now.

-Dan

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
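The one-time-password schemes Dan mentions (S/KEY, OPIE) rest on a hash chain: the server stores only the last accepted password and checks that the hash of the next one matches it. The following is an added Python sketch of that mechanism, not code from the list post or from the S/KEY or OPIE projects; the one-way step (truncated SHA-256), the challenge format and the seed/passphrase values are constructed simplifications and are not RFC 1760 compatible.

```python
import hashlib
import hmac

# Constructed simplification of the S/KEY / OPIE hash chain. The real
# schemes use a folded MD4/MD5 output and a six-word encoding; this uses
# SHA-256 truncated to 8 bytes, so it will not interoperate with them.

def otp_step(x: bytes) -> bytes:
    """One application of the one-way function."""
    return hashlib.sha256(x).digest()[:8]

def otp_for(seed: str, passphrase: str, n: int) -> bytes:
    """Password number n: the one-way function applied n times to seed+passphrase.
    The user computes this on the client (or reads it off a printed list)."""
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = otp_step(x)
    return x

class OtpServer:
    """Server side: keeps only the last accepted password, never the passphrase."""

    def __init__(self, seed: str, passphrase: str, count: int):
        self.seed = seed
        self.count = count                              # passwords left: count-1 .. 0
        self.last = otp_for(seed, passphrase, count)    # f^count, computed at enrolment
        # The passphrase is discarded after enrolment; a copy of this database
        # yields only already-used passwords (f^count and above), never future ones.

    def challenge(self) -> str:
        # Tells the user which list entry to type (constructed format, not the RFC's).
        return f"otp-demo {self.count - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False                                # list exhausted; re-enrol
        # Accept iff f(candidate) equals the stored value, then store candidate.
        # A replayed or out-of-order (skipped) password fails this test.
        if hmac.compare_digest(otp_step(candidate), self.last):
            self.last = candidate
            self.count -= 1
            return True
        return False

if __name__ == "__main__":
    srv = OtpServer("lo1234", "correct horse battery", 50)  # constructed values
    print(srv.challenge())                                  # otp-demo 49 lo1234
    pw = otp_for("lo1234", "correct horse battery", 49)
    print(srv.verify(pw), srv.verify(pw))                   # True False (replay rejected)
```

The challenge string is where the "which number to use" lookup Dan describes comes from; every accepted password lowers the counter by one until the list must be regenerated.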
