One time password (OTP)


satimis
06-24-2006, 04:16 AM
Hi folks,

One time password (OTP) OR Tokenless Password to replace the hardware token.

I have been searching for OTP software on Sourceforge and Freshmeat, used to replace the hardware token. They brought me hundreds of software suggestions.

Does anyone have previous experience with OTP? Please shed some light. Pointers would be appreciated. TIA

B.R.
satimis

voidinit
06-24-2006, 05:11 AM
I designed/authored and am currently maintaining a one time password system for the company I work for (a large, subscription based online credit card processor).

I didn't find any ready made solutions suitable for regulating shell access with all the features we wanted. Actually, I didn't find any really usable open source solutions at all. So I wrote my own using SOAP & PAM backended by MySQL, and then wrote a simple perl XS module so our web developers could integrate the management console with our management software.

The system we are using requires a user to authenticate to a web application using client/server SSL authentication + HTTP password authentication to "activate" their account, and select one or more hosts they are granted access to for login. The webpage then provides the user with a once-per-session or once-per-time-window password depending on account restrictions. The user then copies that password and uses it for shell access to whichever host the user has selected for login in the webapp. All SOAP communication is done with both client and server validation at the SSL level. Basically if the server isn't in the client CA and/or the client isn't in the server CA, then no SSL handshake can take place. The system also accounts for password failure based account lockout, time window based account lockout and user@host to user@host access mapping. Meaning that johna@somehost.company.com can ssh to johna@otherhost.company.com but johna@otherhost.company.com cannot ssh to johna@somehost.com, etc. One of the impressive things I think is the su access portion. Meaning, for instance, if I try to su on somehost.somecompany.com, and I'm allowed to su on that host, my su request is granted without the need for a password. If I'm not allowed to su on that host then my su request is denied without the option of entering a password. In effect, there is no static root password.

Anyway, the company I wrote this for is still, after 6 or more months, debating the benefit/risk of providing this software as open source. I've been deciding whether or not to rewrite the system in my own time as an open source solution, but I really haven't seen that much enthusiasm for it.
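The gates voidinit's post describes (once-per-session or time-window passwords, password-failure lockout, directional user@host to user@host mapping, su granted or denied with no static root password) sketched as an added Python example; this is not the poster's code, and the in-memory store, lockout threshold, window length and account names are assumptions standing in for the MySQL/PAM back end.

```python
import hmac, secrets, time
from dataclasses import dataclass, field
MAX_FAILURES = 3          # assumed lockout threshold
LOCKOUT_SECONDS = 900     # assumed lockout duration

@dataclass
class Account:  # constructed in-memory stand-in for the poster's MySQL account row
    allowed_hops: set = field(default_factory=set)  # (src "user@host", dst "user@host") pairs
    can_su: set = field(default_factory=set)        # hosts where su is granted with no password
    failures: int = 0
    locked_until: float = 0.0
    issued: dict = field(default_factory=dict)      # dst -> (password, expires_at, single_use)

class OtpStore:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so time windows can be exercised offline
        self.accounts = {}

    def issue(self, user, dst, window=0):
        """Web-app step: hand an activated user a password for one destination.
        window == 0 -> once-per-session (burned on first use); window > 0 -> valid that many seconds."""
        pw = secrets.token_urlsafe(12)
        expires = self.clock() + window if window else None
        self.accounts[user].issued[dst] = (pw, expires, window == 0)
        return pw

    def check(self, user, src, dst, password):
        """PAM-side step on the destination host: True only if every gate passes."""
        acct, now = self.accounts.get(user), self.clock()
        if acct is None or now < acct.locked_until:
            return False                            # unknown or locked-out account
        if (src, dst) not in acct.allowed_hops:
            return False                            # directional user@host -> user@host mapping
        entry = acct.issued.get(dst)
        good = (entry is not None and hmac.compare_digest(entry[0], password)
                and (entry[1] is None or now <= entry[1]))
        if not good:
            acct.failures += 1                      # password failure based lockout
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
            return False
        acct.failures = 0
        if entry[2]:
            del acct.issued[dst]                    # once-per-session password is single use
        return True

    def su_allowed(self, user, host):
        """su is granted or denied outright; there is no static root password to prompt for."""
        return host in self.accounts.get(user, Account()).can_su
```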