[Beowulf] One time password generators...

Kilian CAVALOTTI kilian.cavalotti.work at gmail.com
Tue Mar 31 03:16:16 PDT 2009


On Tuesday 24 March 2009 23:25:57 Robert G. Brown wrote:
> There are a couple of possible exceptions to pursue in addition to the
> e.g. RSA-like solutions with their enormous cost, but I thought I'd
> throw it out to the group here too.  Is there a straightforward low-cost
> way to generate OTP's without ten thousand dollar server software
> packages?

When administering a previous cluster, I had to set up this kind of secure 
access for users. Management had a high sense of systems security, and 
absolutely rebuffed the idea of seeing their multi-million dollar cluster 
pwned and transformed into a spam sending workhorse. So users *had* to 
authenticate using one time passwords.

To do so, users were provided a web-based OTP generator (through an SSL 
connection, identification being taken care of by a campus wide authentication 
mechanism). With this OTP, they could authenticate to a firewall running 
authpf [1]. After successful authentication, and for as long as they kept 
their authpf session open, they could then log on to the cluster frontends, 
using regular SSH authentication, delegated to campus Kerberos servers.

MITM attacks (from the network) were somewhat mitigated by the OTP usage, but 
the whole chain's security was relying on the campus authentication mechanism, 
which was, well, secure.

It was far from a perfectly flawless and secure setup, but at least, access to 
the cluster was only allowed at the firewall level to currently authenticated 
users. Access was denied as soon as the firewall connection was closed. Authpf 
is a really useful piece of software.

[1] http://www.openbsd.org/faq/pf/authpf.html

Cheers,
-- 
Kilian
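The thread asks for a low-cost way to generate OTPs, and the message above describes a web-based generator whose internals are not given. The following is an added example, not the poster's generator and not part of the original thread: an RFC 4226 HOTP (HMAC-SHA1, event-counter based) generator, with the server-side verifier a firewall front end such as the one described would need. The verifier keeps the last accepted counter per user so that a captured code cannot be replayed, and tolerates a small look-ahead window for users who generated codes without using them. The look-ahead width (5) and the shared secret are assumptions chosen for illustration; the secret used in the usage block is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then modulo 10**digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one user: the shared secret and the last
    accepted counter. A code is accepted only if it matches a counter
    strictly greater than the last accepted one, within a look-ahead
    window (RFC 4226 section 7.4), so an eavesdropped code cannot be
    replayed and the moving factor resynchronises after skipped codes.
    look_ahead=5 is an assumed policy value, not a standard constant."""

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1  # nothing accepted yet; first valid counter is 0

    def verify(self, code: str) -> bool:
        code = code.strip()
        # Reject malformed input before doing any comparisons.
        if len(code) != self.digits or not code.isdigit():
            return False
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            expected = hotp(self.secret, c, self.digits)
            # Constant-time compare; avoids leaking how many digits matched.
            if hmac.compare_digest(expected, code):
                self.last_counter = c  # this and all earlier counters are now burnt
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test key; a real deployment uses a random per-user secret.
    key = b"12345678901234567890"
    for n in range(3):
        print(n, hotp(key, n))
    v = HotpVerifier(key)
    print("first use:", v.verify(hotp(key, 0)))   # accepted
    print("replay:   ", v.verify(hotp(key, 0)))   # rejected, counter already used
    print("skip one: ", v.verify(hotp(key, 2)))   # accepted via look-ahead
```

The generator half is what a user-facing page (or a hardware token) would run; the verifier half is what the authentication hop in front of the firewall would run, storing only the secret and the last accepted counter per user. The window makes the verifier stateful but keeps rejection of replays unconditional, which is the property the message above relies on when it says the OTP mitigated network MITM.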
