hardware one-time schemes and sources

Post by J. Paul Holbrook » Sat, 09 Apr 1994 10:53:16

There are a number of vendors out there who sell hardware devices to
implement one-time password schemes - SecureID, Enigma, etc.

When I last looked seriously at this - more than four years ago now --
one of the problems with these schemes is that you couldn't integrate
them very well with things like SunOS.  I'm sure they all support
SunOS 4.* now, but here's the question: how open are these vendors at
supplying code so you can use the devices with other software?  For
example, if you wanted to hack wuftpd or /bin/su or anything to use a
SecureID device (or anyone else's), could you do it?

Different but related question to those who have these schemes and use
them -- how easy (or hard) were they to integrate into your local UNIX
environment?

--
J. Paul Holbrook
CICNet Network Services Manager


hardware one-time schemes and sources

Post by Bob Bosen » Sun, 10 Apr 1994 08:31:40

: There are a number of vendors out there who sell hardware devices to
: implement one-time password schemes - SecureID, Enigma, etc.

: When I last looked seriously at this - more than four years ago now --
: one of the problems with these schemes is that you couldn't integrate
: them very well with things like SunOS.  I'm sure they all support
: SunOS 4.* now, but here's the question: how open are these vendors at
: supplying code so you can use the devices with other software?  For
: example, if you wanted to hack wuftpd or /bin/su or anything to use a
: SecureID device (or anyone else's), could you do it?

Enigma Logic publishes our API and makes the source code available
to everybody that purchases any of our products. It's been stable
for nearly 7 years now. If you send your slowmail address to me I
will arrange to have a printed copy of our API Guide Book sent to
you, including source code.

: Different but related question to those who have these schemes and use
: them -- how easy (or hard) were they to integrate into your local UNIX
: environment?

It was pretty easy for me to hack our API into code supporting
RFC 1492 to create "SafeWord for Cisco". A couple of days' work.

: --
: J. Paul Holbrook
: CICNet Network Services Manager

I hope this helps.

--

Bob Bosen
Enigma Logic Inc.
2151 Salvio St. #301
Concord, CA   94520
USA

Tel: +1 510 827-5707

**************************************************************************
* "It wasn't me!!! Somebody must have captured my username/password!!!"  *
**************************************************************************


hardware one-time schemes and sources

Post by Charles Hedri » Sun, 10 Apr 1994 11:43:19

>When I last looked seriously at this - more than four years ago now --
>one of the problems with these schemes is that you couldn't integrate
>them very well with things like SunOS.  I'm sure they all support
>SunOS 4.* now, but here's the question: how open are these vendors at
>supplying code so you can use the devices with other software?

I've used the Enigma software under Unix and seen the documentation
for SecureID.  (We use it, but not under Unix.)  Both supply
subroutines that you can call to check a user.  Under SunOS and
Solaris, the simplest way to integrate it would be to replace the
crypt routine in libc.  Sun supplies a .a file with all the routines
in libc.so.  So you can replace one of them and rebuild libc.so.  The
only problem is that crypt takes as arguments the "salt" and the
password that the user typed.  What you need for Enigma and SecurID is
the username and the password.  The simplest hack I can think of is to
do what Sun does with C2: In the encrypted password field put
##username.  Then your crypt replacement will have access to the
username and password, which is all you need.  (In fact the field
needn't be the actual username.  It's whatever key you want to use for
that user in the card database.  I'd assume that would be the username
in most cases, but it need not be.  It's probably best to use Kerberos
terminology and refer to it as the "principal name" associated with
that user.)

This kind of thing is only feasible on OS's where you can hack libc.
I'd be willing to bet that I could come up with some kludge that would
work on most systems with a sharable libc, but I don't know any other
system as well as I know SunOS.

If you can't hack libc, there are a few other options:

  - replace login, ftpd, and any other software that has to process
        passwords.  You don't really need to change the code --
        just link it with your replacement crypt.

  - use a program that validates the password and then
        runs your shell.  Put it in /etc/passwd as your shell.
        Enigma supplies such a program, and I think SecurID does
        as well.  However this only protects login.  Now you've
        got to worry about ftp, etc.  If your system uses /etc/shells,
        ftp will be disabled for anyone that uses this, which
        is what you want if you haven't fixed ftpd.

  - Sun supplies "pluggable authentication modules" for Solaris 2.3.
        This is a uniform interface for authentication that
        eventually will be used by all of their software.  They
        supply a sharable library that implements normal Unix
        passwords.  You just replace this with a sharable library
        that calls the routines supplied by your vendor.  Unfortunately
        the API isn't documented yet, but I assume it will be.
        This seems to be the best solution.  You might lean on your
        Unix vendor to do something like this.
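The "##principal" trick from the post above, written out as a crypt(3) replacement. This is an added example, not code from the post, from Enigma Logic or from the SecurID vendor. The vendor's "check a user" subroutine and its card database are modelled by a constructed table (otp_db, vendor_check_user) holding one pending code per principal, burned on first use; the hand-off to the original DES crypt is a function pointer (classic_crypt) deliberately left unset so the file links without libcrypt. The function is called otp_crypt here so it can be read beside the real one; in the rebuilt libc.so it would take crypt's own name. The detail the post leaves implicit: login, su and ftpd accept a password when strcmp(crypt(typed, field), field) == 0, so on success the shim must return the stored field itself and on failure anything that can never equal it.

```c
/*
 * otp_crypt.c: a crypt(3) replacement that dispatches to a one-time-password
 * check when the stored password field is "##<principal>".  Added
 * illustration; the vendor routine and the token table are constructed
 * stand-ins, not any product's real API.
 */
#include <stdio.h>
#include <string.h>

#define OTP_PREFIX     "##"
#define OTP_PREFIX_LEN 2
#define MAX_FIELD      128   /* bound on the passwd field we echo back */

/* Constructed stand-in for the vendor's card database: the code each
 * principal's token is expected to show next, plus a consumed flag so a
 * code captured off the wire cannot be replayed.  A real token server
 * derives the expected code from the card's secret and clock/counter. */
struct otp_entry {
    const char *principal;
    const char *next_code;
    int         consumed;
};

static struct otp_entry otp_db[] = {
    { "paul",  "483920", 0 },
    { "barry", "117654", 0 },
};

/* Compare two strings without an early exit on the first differing byte. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Stand-in for the vendor's "check a user" subroutine.  Returns 1 only when
 * the principal exists, the code matches and the code has not been used. */
static int vendor_check_user(const char *principal, const char *code)
{
    for (size_t i = 0; i < sizeof otp_db / sizeof otp_db[0]; i++) {
        if (strcmp(otp_db[i].principal, principal) != 0)
            continue;
        if (otp_db[i].consumed || !ct_equal(otp_db[i].next_code, code))
            return 0;
        otp_db[i].consumed = 1;      /* one-time: burn the code on success */
        return 1;
    }
    return 0;                        /* unknown principal: fail closed */
}

/* In the rebuilt libc.so this would point at the original DES crypt.  It is
 * left unset here so the example links without libcrypt; the fallback then
 * refuses every ordinary password rather than accepting it. */
static char *(*classic_crypt)(const char *key, const char *salt) = NULL;

/* Replacement for crypt(3).  Callers compare the return value against the
 * stored field with strcmp, so success must hand back the field itself
 * ("##paul") and failure must return something that can never equal a
 * valid field.  "*" is the same sentinel used for locked accounts. */
char *otp_crypt(const char *key, const char *salt)
{
    static char result[MAX_FIELD];

    if (key == NULL || salt == NULL)
        return "*";

    if (strncmp(salt, OTP_PREFIX, OTP_PREFIX_LEN) != 0)
        return classic_crypt ? classic_crypt(key, salt) : "*";

    const char *principal = salt + OTP_PREFIX_LEN;
    if (*principal == '\0' || strlen(salt) >= sizeof result)
        return "*";                  /* empty principal or oversize field */

    if (!vendor_check_user(principal, key))
        return "*";

    strcpy(result, salt);            /* length checked above */
    return result;
}

int main(void)
{
    const char *field = "##paul";    /* what login(1) read from the passwd file */
    printf("first  try: %s\n",
           strcmp(otp_crypt("483920", field), field) == 0 ? "accepted" : "rejected");
    printf("replay try: %s\n",
           strcmp(otp_crypt("483920", field), field) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Two things to check before trusting a shim of this shape. The classic DES crypt reads only the first two characters of its salt argument, and those come from the set [A-Za-z0-9./], so a genuine DES field can never begin with "##" and the prefix is a safe discriminator. And the replacement only helps programs that reach crypt through libc.so: anything statically linked, anything that ships its own crypt, and anything that consults the password field directly (NIS maps, passwd(1)) is untouched, which is the gap the PAM route in the post closes.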


hardware one-time schemes and sources

Post by Barry Margolin » Wed, 13 Apr 1994 08:23:30

>There are a number of vendors out there who sell hardware devices to
>implement one-time password schemes - SecureID, Enigma, etc.

>When I last looked seriously at this - more than four years ago now --
>one of the problems with these schemes is that you couldn't integrate
>them very well with things like SunOS.  I'm sure they all support
>SunOS 4.* now, but here's the question: how open are these vendors at
>supplying code so you can use the devices with other software?  For
>example, if you wanted to hack wuftpd or /bin/su or anything to use a
>SecureID device (or anyone else's), could you do it?

My understanding from the marketing brochures is that they generally
provide an API to their system.  You're right that this wasn't true several
years ago.

>Different but related question to those who have these schemes and use
>them -- how easy (or hard) were they to integrate into your local UNIX
>environment?

When we got SecurID several years ago they didn't have a SunOS
implementation at all, so we got the hardware version (intended to be
installed between your modems and serial ports).  Since we wanted to
authenticate FTP and TELNET sessions as well as dialups, we made our own
modifications to login.  Our software queries the user, and then opens a
tty to the device, emulates a user responding to the query, and reads back
the response to see whether it succeeded or failed.

One of these days we'll replace this with the software version....
--
Barry Margolin
System Manager, Thinking Machines Corp.



Hardware for one-time password

Hello, thanks for reading, I'm looking for hardware to implement
one-time password using the TIS firewall toolkit.  We could use
the S/Key package but we would like to take a look at commercial
packages too.  I would be grateful to anyone who could provide me
with information on any of these products (comments are welcome
too).

Thank you very much.

Richard

--
Richard Turmel  UNIX System Administrator       Softimage Inc.
                                                3510 St-Laurent

Tel: (514) 845-1636 x372                        Montreal, Quebec
Fax: (514) 845-5676                             H2X 2V2
