Matthew Barr wrote:
> I've found a few instances of S/KEY & OTP systems libraries. It's
> actually in line w/ what I was thinking, and I'd heard of S/KEY
> before. I wasn't sure if there was anything else out there, but this
> might be the right level of protection.
>
> However, there's an insecurity
> <http://www.linuxdevcenter.com/pub/a/linux/2001/11/26/insecurities.html>
> from running S/KEY on your openssh servers - it allows attackers to
> determine what is a valid account, and some info as to the frequency
> of login. I'm not sure I actually care, in the case of the likely 8
> users, as long as it doesn't let the bad people *in*. What do other
> folks think?
>
> We're moving away from Cryptocards, which worked just fine, but are
> annoying to have to carry for the rare occasions that we aren't on
> whitelisted IPs, and trying to do work. (This really only happens on
> unexpected issues, and EVDO connections, for oncall, off-hours work,
> or where some major emergency prompts people that do not have their
> laptops, etc., to need to login.) 2-factor was required by our PCI
> team, and as we've gotten rid of PCI issues, we'd like to be able to
> avoid the little fobs :-) They no longer scream IMPORTANT person, but
> are now just whispering annoying nothings in our pockets...
>
> There are a few nifty things a quick Google & Wikipedia came up with:
> The nice quick description of S/KEY from Wikipedia:
> <http://en.wikipedia.org/wiki/S/KEY>
> a JavaScript OTP generator: <http://www.ocf.berkeley.edu/~jjlin/jsotp/>
> an iPhone app: <http://www.rho.cc/1Key>
> other Java app for phones: <http://tanso.net/j2me-otp>
>
> The JavaScript one was able to be used on the iPhone, and with a quick
> line of code inserted, even looked decent there. I suspect it'll work
> on the BlackBerries, too.
>
> Matthew

You're talking about *eight* people? This is a no-brainer - you can work with the seven others and use S/KEY.
With that number of people you can even choose to use printed passwords, with the holders understanding that passwords are like *money* - or maybe like travelers cheques, where they really must report them if stolen. You could probably get away with single-factor passwords and reasonable password control, with that number of people - but S/KEY should be appropriate for anyone but the feds (or those holding the next lottery numbers :-).
- Richard

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
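For readers unfamiliar with how the S/KEY scheme discussed in this thread actually works, the following is an added illustration (not code from the thread or from any of the linked tools): a simplified hash-chain OTP where the server stores only the last accepted hash, the client answers challenge k with h^k(seed || passphrase), and each accepted OTP ratchets the chain backwards so a replay fails. It uses SHA-256 and constructed seed/passphrase values; the real RFC 2289 scheme uses MD4/MD5 folded to 64 bits and a six-word encoding, which is omitted here.

```python
import hashlib
import hmac

def _h(data: bytes) -> bytes:
    # One step of the hash chain (simplified: SHA-256 instead of RFC 2289's folded MD4/MD5).
    return hashlib.sha256(data).digest()

def skey_otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side: compute h^count(seed || passphrase) in answer to the server's challenge."""
    value = (seed + passphrase).encode()
    for _ in range(count):
        value = _h(value)
    return value

class SkeyVerifier:
    """Server side: holds only the seed, a counter and the last accepted hash, never the passphrase."""
    def __init__(self, passphrase: str, seed: str, n: int):
        self.seed = seed
        self.count = n                                   # index of the stored hash
        self.stored = skey_otp(passphrase, seed, n)      # h^n, computed once at enrolment

    def challenge(self):
        # The client must reply with h^(count-1); once count reaches 1 the chain is used up,
        # because h^0 would be the secret itself.
        return self.count - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.count <= 1:
            return False                                 # chain exhausted: re-enrol with a new seed
        if not hmac.compare_digest(_h(otp), self.stored):
            return False                                 # wrong passphrase, stale OTP, or replay
        self.stored, self.count = otp, self.count - 1    # ratchet backwards; old OTP is now useless
        return True

def demo():
    # Constructed passphrase and seed, chain length 5.
    server = SkeyVerifier("correct horse", "lo1234", 5)
    k, seed = server.challenge()                             # k == 4
    otp = skey_otp("correct horse", seed, k)
    first = server.verify(otp)                               # accepted
    replay = server.verify(otp)                              # same OTP again: rejected
    k2, _ = server.challenge()                               # k2 == 3
    wrong = server.verify(skey_otp("wrong phrase", seed, k2))  # bad passphrase: rejected
    second = server.verify(skey_otp("correct horse", seed, k2))  # next OTP in the chain: accepted
    return first, replay, wrong, second
```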
