[Noisebridge-discuss] Two factor auth, not SecureID

Dr. Jesus j at hug.gs
Thu Oct 15 22:17:28 UTC 2009


On Thu, Oct 15, 2009 at 2:45 PM, Matt Peterson <matt at peterson.org> wrote:
> (Since we have an abundant number of sysadmin/neteng/security folks
> here, I thought I'd post my question here - apologies if this is off
> topic)
>
> I've been asked to set up a two-factor authorization system (not for
> the space ;), traditionally most folks go with RSA SecureID.  I'm
> shying away from this based on horrid outsourced tech support, crufty
> Java code (their error reporting leaves much to be desired) and above
> market pricing.
>
> It looks like the recent CryptoCard "Blackshield" product is quite
> nice - modern code <http://thesecondfactor.blogspot.com/2008/10/tools-of-development.html>,
> runs under VMware <http://blackshield.cryptocard.com/index.php/bsid-products/bsid-overview/blackshield-new-25>
> (ironically all these systems seem to prefer running under
> Windows), and supports the OATH standard (in theory allowing for using
> any standards following hardware or software token).
>
> My particular application is AAA against OpenSSH & Apache.  It looks
> like OpenLDAP can be wired into this setup too, which would be great
> too.  My query is to see which system/tokens folks prefer in a Linux
> environment, cost structure and support.  Thanks.

http://www.phonefactor.com/

The Windows-based agent has RADIUS support.  Point PAM at the RADIUS
gateway and you're good to go.  You can also write your own PAM module
using their web SDK and avoid Windows entirely.

The one big differentiator that phonefactor has is that it's
tokenless, so all the usual token management hassles simply go away
with their product.  The mobile phones that are usually used as the
"tokens" also often have some kind of location tracking these days,
which enables features like reliable geofencing in a custom
deployment.
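
An added example, not part of the original post: one way the "point PAM at the RADIUS gateway" step can look for OpenSSH, assuming the pam_radius_auth PAM module is installed. The gateway address, shared secret and timeout are placeholders, and the client config path varies by distribution.

```conf
# --- /etc/pam.d/sshd (auth section) ---
# Hand the login to the RADIUS gateway; a reject or timeout fails the login.
auth    required    pam_radius_auth.so

# --- /etc/pam_radius_auth.conf (assumed path; keep it root-owned, mode 0600) ---
# server[:port]      shared_secret              timeout (seconds)
# The timeout is set long here on the assumption that the second factor is
# confirmed out of band while PAM is still waiting for the RADIUS reply.
192.0.2.10:1812      REPLACE_WITH_SHARED_SECRET  60

# --- /etc/ssh/sshd_config ---
# sshd must route authentication through PAM for the module above to run.
UsePAM yes
ChallengeResponseAuthentication yes
```

The shared secret is the only thing authenticating this host to the gateway, so it should be unique per client and never world-readable.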


