>>> You might want to look at S/Key - I used it many moons ago for incoming
>> access to my own workstation over clear links (think: before SSH :-),
>> and it worked well enough, but the 'token' is a list of the next 'n'
>> passwords. If you were to combine this with a 'password wallet'
>> encryption package on whatever device the individual has, you get a
>> poor-man's Safeword token.
>>
>>
> Or Opie, which had a good Usenix paper many years ago. Though S/Key
> seems to be actively supported in Linux, still.
> http://www.google.com/url?sa=t&source=web&ct=res&cd=2&url=http%3A%2F%2Fchacs.nrl.navy.mil%2Fpublications%2FCHACS%2F1995%2F1995mcdonald-USENIX.pdf&ei=VasQSqSIFdTgtgeHu735Bw&rct=j&q=onetime+passwords+in+everything&usg=AFQjCNHqhIiV6z3Z2jJafggmBdaCiLK6YQ


I've found a few instances of S/KEY & OTP systems libraries.  It's  
actually in line w/ what I was thinking, and I'd heard of S/KEY  
before.  I wasn't sure if there was anything else out there, but this  
might be the right level of protection.

However, there's an insecurity
<http://www.linuxdevcenter.com/pub/a/linux/2001/11/26/insecurities.html>
from running S/KEY on your openssh servers - it allows attackers to
determine what is a valid account, and some info as to the frequency  
of login.  I'm not sure I actually care, in the case of the likely 8  
users, as long as it doesn't let the bad people *in*.  What do other  
folks think?


We're moving away from Cryptocards, which worked just fine, but are  
annoying to have to carry for the rare occasions that we aren't on  
whitelisted IP's, and trying to do work.  (This really only happens on  
unexpected issues, and evdo connections, for oncall, off hours work,  
or where some major emergency prompts people that do not have their  
laptops, etc, to need to login.)  2 Factor was required by our PCI  
team, and as we've gotten rid of PCI issues, we'd like to be able to  
avoid the little fobs :-)  They no longer scream IMPORTANT person, but  
are now just whispering annoy nothings in our pockets...


There are a few nifty things a quick google & wikipedia came up with:
The nice quick description of S/KEY from wikipedia: <http://en.wikipedia.org/wiki/S/KEY>
a Javascript OTP generator: <http://www.ocf.berkeley.edu/~jjlin/jsotp/>
an iphone app: <http://www.rho.cc/1Key>
other Java app for phones: <http://tanso.net/j2me-otp>

The Javascript one was able to be used on the iphone, and with a quick  
line of code inserted, even looked decent there.  I suspect it'll work  
on the BlackBerries, too.

Matthew


Matthew Barr
[email protected]
cell: 646-765-6878


_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
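
An added example, not part of the original message or of OpenSSH: a server-side sketch of one mitigation for the account-enumeration concern raised above, in which every login name, real or not, receives a plausible S/KEY-style challenge. Assumptions: the leak comes from the challenge (sequence number and seed) being shown only for enrolled accounts; SHA-256 stands in for the RFC 2289 hash folding; `SKeyServer`, `SERVER_SECRET` and the `dk` seed format are hypothetical names and values.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret"  # assumption: random per-server key


def otp(passphrase: str, seed: str, count: int) -> bytes:
    """S/KEY-style chain: hash (seed + passphrase) `count` times.
    SHA-256 is a stand-in for the RFC 2289 MD4/MD5/SHA-1 folding."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value


class SKeyServer:
    def __init__(self):
        self.users = {}  # name -> [seed, next sequence number, last accepted hash]

    def enroll(self, name, passphrase, seed, count=100):
        self.users[name] = [seed, count - 1, otp(passphrase, seed, count)]

    def challenge(self, name):
        """Return (sequence, seed) for every name, enrolled or not."""
        if name in self.users:
            seed, seq, _ = self.users[name]
            return seq, seed
        # Unknown account: derive a stable decoy so repeated probes see the
        # same plausible challenge instead of an error or a missing prompt.
        mac = hmac.new(SERVER_SECRET, name.encode(), hashlib.sha256).digest()
        return 1 + int.from_bytes(mac[:2], "big") % 99, "dk" + mac[2:5].hex()[:5]

    def verify(self, name, response: bytes) -> bool:
        entry = self.users.get(name)
        hashed = hashlib.sha256(response).digest()  # same work for decoys
        if entry is None or entry[1] < 1:           # unknown user or chain used up
            return False
        if hmac.compare_digest(hashed, entry[2]):
            entry[1] -= 1        # this countdown is what the next challenge shows
            entry[2] = response  # the OTP just used becomes the new check value
            return True
        return False
```

Decoy challenges only address the valid-account question: a real account's sequence number still counts down with each login, and a decoy's never does, so the login-frequency signal remains for anyone who watches the same name over time.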
