More auth options

Stephen John Smoogen smooge at gmail.com
Mon Mar 30 18:21:07 UTC 2009


On Mon, Mar 30, 2009 at 11:57 AM, Dennis Gilmore <dennis at ausil.us> wrote:
> So doing a little looking around I came across some options that look
> interesting,  the following options would mean you need to physically have
> something to login.
>
> yubikey
> http://www.yubico.com/products/yubikey/
> It would require a pam module and for us to setup a server for managing keys.
> It looks to be fairly low cost. It would implement a 2 factor
> authentication.
>
> etoken
> http://www.aladdin.com/etoken/devices/pro-usb.aspx
>

These do look interesting and maybe better than the S/Key 64 bit key.
I remember some bad stories about one of the 'Aladdin' companies
(there are quite a few who use that name for security products).. but
not sure which.

The bigger question is who can we get some 'professional' opinions
from? My crypto math is not good so I could not give an opinion of
whether one usage of AES-128 versus another usage was equivalent,
better, or worse. I would hate for us to end up with any solution that
would end up on Schneier's Snake Oil pages. [I remember one token
device that some people I know evaluated a while back that while it
stored the key encrypted in AES-128 etc.. it had a register where it
stored the unencrypted user token and could be looked at under any OS
other than Windows.]



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"



