[Beowulf] One time passwords and two factor authentication for a HPC setup (might be offtopic? )

Rahul Nabar rpnabar at gmail.com
Mon Oct 12 11:43:58 PDT 2009

Thanks for the comments Jim and John!

On Mon, Oct 12, 2009 at 1:00 PM, Lux, Jim (337C)
<james.p.lux at jpl.nasa.gov> wrote:

> This is what going with RSA buys you.. They have basically turnkey solutions
> for every operating system known.

>   Yes, you're beholden to a proprietary
> solution, but think of it like being beholden to Intel or AMD.  Any
> "authentication" mechanism should use standard interfaces, so if you decide
> to go to some other authentication scheme, it's transparent.

True. But I get the feeling that so far as my needs are "linux logins"
*only*, is the whole project so complicated to merit a "turnkey"
solution? All one needs is a random number generator synced to a very
accurate clock isn't it? I can understand using RSA type solutions for
a full security initiative; but here is just one standalone server
needing OTPs.

Or am I oversimplyfying the situation. Maybe there are hidden things
to be taken care of that aren't obvious to me. I'm not saying "I can
hack this myself" but am curious how come an open source project
hasn't come along.....OTOH maybe it is such a specialized need still
that not enough developers feel the need to put their time into it.

> I use a SecureID token every day at work.. It's not a big pain for me, BUT,
> there are really lame implementations of the basic concept that I've heard
> about, particularly ones that require physical connection to the key
> (usually using a Chip&PIN style access card and a reader)

Yess! For sure. I used to work in a corporate stup where this was a
nightmare. Some "smart" sys admin had decided to use the same magnetic
ID for door-access, photoID, and computer OTP authentication. You
needed the ID-card inserted  into a reader connected via USB to the
computer. The moment you pulled the card out the computer logged off.
Result was that each time you went for a coffee or a restroom break
you had a logged out machine.

Now there might be some who may say that's the point but I just think
it was a pain.

> I've also not ever lost my key.. Lose that key and work comes to a grinding
> halt until you get a new one, so make sure you have the needed support
> infrastructure in place to accommodate your particular availability needs.

Aren't there overrides? Let's say PersonA loses his card. Can't I set
the system to accept just a plain-old-PW for the 4 days till he gets a
new hardware key?

> Also, one big advantage is that you can, if you make it part of an overall
> security infrastructure, do away with the need to remember eighty bazillion
> different passwords,

I just have a standalone HPC server I admin.

> It's the "I've got a copy of passwd and I'm taking it to my lair under the
> volcano to process it on my 2048 node beowulf cluster of FPGAs programmed to
> crack 3DES" thing that you have to guard against (by other means).

Now that, I have no idea how to prevent? "other means"? Short of, I/P
based blocking I have no clue how I could outwit a foe of such
resources and talent.


More information about the Beowulf mailing list