[Beowulf] One time passwords and two factor authentication for a HPC setup (might be offtopic? )
On 10/12/09 10:05 AM, "Rahul Nabar" <rpnabar at gmail.com> wrote:

> In all the tiny clusters I've managed so far I've had primitive (I
> think) access control by strong [sic] passwords. How practical is it
> for a small HPC setup to think about rolling out a two-factor,
> one-time-password system?
>
> [I apologize if this might be somewhat offtopic for HPC; it could be
> termed a generic Linux logon problem but I couldn't find many leads in
> my typical linux.misc group.]
>
> I've used RSA type cards in the past for accessing larger
> supercomputing environments and they seem fairly secure but I suspect
> that kind of setup is too large (expensive, proprietary, complicated)
> for us.

Probably cheaper than you think. They're certainly used a lot. I checked about a year ago, and I seem to recall it's about $50/user (for the token) plus some annual fee of comparable magnitude for the server side. Google "RSA SecurID Cost"

> Are there any good open source alternatives? The actual
> time-seeded random-number generation key fobs seem pretty cheap (less
> than $20 a piece e.g. http://www.yubico.com/products/yubikey/ ). So
> the hardware is OK but I still need the backend software to tie it in
> to /etc/passwd or PAM or some such mechanism. The software I found was
> either Win-based or catered to apache or email etc. I did find VASCO
> and CryptoCard but am not sure they are the right fit.

This is what going with RSA buys you.. They have basically turnkey solutions for every operating system known. Yes, you're beholden to a proprietary solution, but think of it like being beholden to Intel or AMD. Any "authentication" mechanism should use standard interfaces, so if you decide to go to some other authentication scheme, it's transparent.

I use a SecureID token every day at work.. It's not a big pain for me, BUT, there are really lame implementations of the basic concept that I've heard about, particularly ones that require physical connection to the key (usually using a Chip&PIN style access card and a reader). I've also not ever lost my key.. Lose that key and work comes to a grinding halt until you get a new one, so make sure you have the needed support infrastructure in place to accommodate your particular availability needs.

Also, one big advantage is that you can, if you make it part of an overall security infrastructure, do away with the need to remember eighty bazillion different passwords, each with different expiration cycles and different rules for including "strong" characters (the latter which I believe is aimed at a threat that doesn't really dominate the risk spectrum any more.. brute force attacks on passwd files or something). These days it's compromise by social engineering, or sniffing the wire, shoulder surfing kinds of things.

Modern schemes for simple passwords (try 3 times and get locked out for some long time, etc.) pretty much defeat the brute force at the user interface approach.. You can't get enough tries in a reasonable time to crack the password, especially if you've got something that watches the logs and says "hey, someone has tried 100 different times to get into account XYZ in the last 24 hours!" It's the "I've got a copy of passwd and I'm taking it to my lair under the volcano to process it on my 2048 node beowulf cluster of FPGAs programmed to crack 3DES" thing that you have to guard against (by other means).
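The log-watching idea in the reply above (flag an account that has taken too many failed logins within 24 hours), worked through as an added example that is not part of the original thread: a small Python watcher over constructed sshd syslog lines. The host name, addresses, account names, the 2009 year and the threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd syslog lines (syslog carries no year; 2009 is assumed).
SAMPLE_LOG = """\
Oct 12 09:00:01 head sshd[4011]: Failed password for xyz from 192.0.2.10 port 50001 ssh2
Oct 12 09:00:05 head sshd[4012]: Failed password for xyz from 192.0.2.10 port 50002 ssh2
Oct 12 09:00:09 head sshd[4013]: Failed password for invalid user admin from 192.0.2.11 port 50003 ssh2
Oct 12 10:30:00 head sshd[4020]: Failed password for xyz from 192.0.2.10 port 50020 ssh2
Oct 13 08:59:00 head sshd[4100]: Failed password for xyz from 192.0.2.12 port 50100 ssh2
Oct 13 09:30:00 head sshd[4101]: Failed password for xyz from 192.0.2.12 port 50101 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failures(log_text, year=2009):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def accounts_over_threshold(events, threshold, window=timedelta(hours=24)):
    """Accounts with > threshold failures in any sliding window; {user: (peak, ips)}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # advance the window's left edge until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                ips = {ip for _, ip in hits[start:end + 1]}
                peak, seen = flagged.get(user, (0, set()))
                flagged[user] = (max(peak, count), seen | ips)
    return flagged
```

`accounts_over_threshold(parse_failures(SAMPLE_LOG), 3)` flags only `xyz` (peak of 4 failures inside one 24-hour window, from two source addresses); the single `admin` failure stays below the threshold.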
