[Beowulf] One time password generators...
Kilian CAVALOTTI
kilian.cavalotti.work at gmail.com
Tue Mar 31 03:16:16 PDT 2009
On Tuesday 24 March 2009 23:25:57 Robert G. Brown wrote:
> There are a couple of possible exceptions to pursue in addition to the
> e.g. RSA-like solutions with their enormous cost, but I thought I'd
> throw it out to the group here too. Is there a straightforward low-cost
> way to generate OTP's without ten thousand dollar server software
> packages?
When administering a previous cluster, I had to setup this kind of secure
access for users. Management had a high sense of systems security, and
absolutely rebuffed the idea of seeing their multi-million dollar cluster
pwned and transformed into a spam sending workhorse. So users *had* to
authenticate using one time passwords.
To do so, users where provided a web-based OTP generator (through an SSL
connection, identification being taken care of by a campus wide authentication
mechanism). With this OTP, they could authenticate to a firewall running
authpf [1]. After successful authentication, and for as long as they kept
their authpf session open, they could then log on to the cluster frontends,
using regular SSH authentication, delegated to campus Kerberos servers.
MITM attacks (from the network) were somewhat mitigated by the OTP usage, but
the whole chain security was relying on the campus authentication mechanism,
which was, well, secure.
It was far from a perfectly flawless and secure setup, but at least, access to
the cluster was only allowed at the firewall level to currently authenticated
users. Access was denied as soon as the firewall connection was closed. Authpf
is a really useful piece of software.
[1] http://www.openbsd.org/faq/pf/authpf.html
Cheers,
--
Kilian
More information about the Beowulf
mailing list