[Beowulf] One time passwords and two factor authentication for a HPC setup (might be offtopic? )

Mon Oct 12 14:56:47 PDT 2009

Rahul Nabar wrote:
> [I apologize if this might be somewhat offtopic for HPC;it could be
> termed a generic Linux logon problem but I couldn't find many leads in
> my typical linux.misc group.]

How to secure a valuable network resource like a cluster sounds on topic to me.

> I've used RSA type cards in the past for accessing larger
> supercomputing environments and they seem fairly secure but I suspect

Seemed kinda silly to me.  My minimum level for security is something like ssh
with certs.  So various attacks don't work, things like spoofing dns, network
sniffing, and man in the middle attacks don't work (assuming users with a clue).

> that kind of setup is too large (expensive, proprietary, complicated)
> for us. Are there any good open source alternatives? The actual
> time-seeded random-number generation key fobs seem pretty cheap (less
> than $20 a piece e.g. http://www.yubico.com/products/yubikey/ ). So
> the hardware is OK  but I still need the backend software to tie it in
> to /etc/passwd or PAM or some such mechanism. The software I found was
> either Win-based or catered to apache or email etc. I did find VASCO
> and CryptoCard but am not sure they are the right fit.

Sounds reasonable, so sure you get a one time password, the hard part is
making sure nobody sees that password except the intended recipient.  So if
you buy the yubikey then what?  Pam module?  ssh client hack?  Some webified
openid setup?

Apparently there's even yubikey emulators out there, I can't see any other way
to let someone login from a smart phone (that lacks a powered usb port).

> I looked around at open source but couldn't find much. Are other
> sys-admins using some form of OTP. What options do I have?
> 
> Of course, I know that OTP and two-factor is not some magic bullet
> that makes my  security watertight; but I still think its more secure
> than static user passwords.

I'd agree there, but more secure than ssh with a valid known host (knowing the
key of the server you are logging into) and a certificate... not so sure.

Ideally an auth mechanism would handle:
* man in the middle (via attacker upstream, or via dns spoofing).
* sniffing
* compromised client desktop
* brute force

The one approach I've been considering is a smart phone with an out of band
connection (wifi or cellular).  The server knows a public key associated with
a user's smart phone.  The user's smartphone knows the public key associated
with the server.  When you go to login a challenge is sent to your smart phone
(encrypted in it's public key), a cute dialog pops on the cell phone asking
the user if they accept the connection, and the response is sent to the server
(encrypted in it's public key).

It would be single factor authentication (something you have), but much better
than an average password which doesn't have much entropy and with which you
have to trust the local client.  Well that's based on the idea that a smart
phone is much less likely to get hacked then the average desktop.