"Password validation services" -- how can we avoid creating more of them?

Thu Dec 28 23:37:11 PST 2006

> There are two steps to Kerberos authentication: authenticating to the
> Kerberos server, and authenticating to a 'Kerberized' service -- a
> service that trusts the Kerberos server for authentication. When you
> authenticate to the Kerberos server, you have a lot of choices -- x509
> certificates (University of Michigan has done this, I believe),

True, I went to U of M. I've also been on the admin side of things and
figured out how to hack kerberos logins. It's not perfect, just mostly
dumb/bot proof.

> > Is there some way to usee 2-factor authentication mechanisms for *all*
> > remote access?  Not just SSH; that works fine:  what about HTTPS?
> > IMAPS?  Any others?

Yes, one is easy tunneling via something like hamachi. Make all your
trusted networks appear like a lan.
You can do port knocking. The default setup of a particular knock over
and over isn't as effective as someone could "listen" and "replay"
your knocks. Sync generated knocks on both sides, or one time knocks
would be better. A long list of shuffled knocks might work too.
Another method is some simple logic scripting that wraps your sshd
connections. Treat them as email spam, block lets say 3 repeated
failure attempts, or better yet, let it keep trying on a harmless
loop, so it keeps the bot occupied like a tar pit. Makes brute force
much harder. Lots of other clever things out there. I'm sure google
knows, even yahoo.
A fun one can be that you recompile your fav auth mechanism with some
special "foo" that will break any "normal" connection attempt, except
your "foo" type connection.

Splunk logs and see whats going on. Adjust accordingly.

On another note, by now most of us probably have at least one RSA like
FOB, those should be reusable for as long as the battery lasts. Any
tools out there to make them work with readily available auth systems?

-- Rob
-- Rob