Deploying Low-Cost, Open-Source Multi-Factor Authentication at Scale


Securing HPC: Deploying Low-cost, Open-source Multi-factor Authentication at Scale
Patrick Storm, Cyrus Proctor, Nathaniel Mendoza
http://tinyurl.com/tacc-mfa-i2
October 17, 2017

What We've Done
• Built an infrastructure to offer multi-factor authentication (MFA) to HPC users
• Took open-source components that worked and built the rest
• Six months to assess; 6 months to build; 1 year in production
• Deployed across eight production HPC clusters with 10,000 active SSH accounts
TACC MFA | October 17, 2017 | 2 | Storm, Proctor, Mendoza

Why We're Here
• Orchestrating a transition to MFA is a challenging enterprise
• Cost, licensing, user support, and infrastructure deployment decisions are critical
• We've created and combined the tools to provide MFA at scale for pennies per user
• Details of this low-cost, open-source infrastructure are presented as an information resource to those institutions interested in their own deployments

Why We Did It
• Extra layer of security which is beneficial for users and service provider
• Most common security breaches are compromised accounts
  • Password reuse, or poor cyber "hygiene"
• We see over 500,000 SSH brute-force attempts per day
• Costs associated with security response and system downtime are rising
• Widely adopted as good practice

For Us, MFA Needed to…
• Be cost effective
• Provide increased levels of assurance
• Enhance overall service reliability
• Allow for opt-in support during transition
• Continue to abide automated, non-interactive workloads
• Function in such a way that security and usability are complementary

For Us, MFA Needed to…
• Offer multiple, practical pathways for system entry
  • Support SSH, GSISSH, SCP, SFTP, and rsync
• Allow for self-enrollment and disassociation
• Be flexible enough to handle VPN, VNC, Windows RDP
• Scale to multiple resources and operating systems
• Integrate into existing HPC infrastructure

Deploying an MFA Infrastructure: Summary
Back End Components
• Management via LinOTP
• Communication via RADIUS
User-facing Components
• MFA device management via Liferay user portal
• Device options via Feitian, Twilio, and Google
• System entry services via PAM

LinOTP
• LinOTP leverages LDAP for its user database
• Users are tied to pairings in local relational database
  • Secrets are encrypted
• Web-based browser interaction via administrative console
  • View user pairings
  • Audit logs
  • Resynchronize tokens
  • Reset failed login counter

Portal Integration
Interactions with LinOTP API
• Portlet within Liferay portal deployment
• Initialize (or update) token
• Generates an interstitial page for unpaired users
• Assign token to user
• Minimal negotiation with identity management back end to create information firewall
• Remove token from user

RADIUS
• Secure protocol for handling authentication and accounting requests
• Deployed to accept requests from front end authentication sources and broker the connection to LinOTP
• Utilizes a plugin to query LinOTP API (HowTo)
• Easy to maintain, debug, and scale

Devices & Token Codes
• Devices serve a six-digit, time-based one-time password (TOTP), i.e. a "device token code"
• One-time password comprised of shared secret key and current time
• Algorithm is Open Authentication (OATH) TOTP compliant
• A device is initially paired via transaction with the LinOTP back end
Current Device Pairing Offerings Include
• Soft Token – free, open-source, in-house developed, smartphone-based application
• SMS Token – text messaging services served to all common cellphone network providers
• Hard Token – key fob with LCD screen

Soft Tokens
• In-house developed TACC apps are available in Apple iOS and Google Android app stores
• Built upon/compatible with Google Authenticator
• During pairing, QR Code generation with embedded secret key shown to user through secure web browser
• After pairing, no network connection needed

SMS Tokens
• Messaging services mediated by Twilio Inc.
• Price per US-based SMS on our back end is $0.0075
• Standard messaging rates may apply for the user
• LinOTP provides built-in support
• TACC monthly SMS cost on average: $200
Representative SMS: "This is an automated message from TACC. Your 2-factor code is 463025."
Hard Tokens
• Customized with TACC logo printed on front and back
• Sourced in bulk from Feitian Technology Company (~$7 per fob)
• Chose a six-digit token code with 30 second interval
• Contains embedded secret key (40-digit alphanumeric SHA1)
• Sold to users (base cost, shipping, admin) for $25 via University of Texas online store

Training Tokens
• Specifically designed for users who do not possess an individual account at the center
• Mainly for activities at workshops, tutorials, conferences, and institutions
• Helps expose users to HPC resources otherwise not available to them
• LinOTP provides the capability to set a static, six-digit token code
• Regenerated with each new training session

Pluggable Authentication Modules (PAM)
• Standardized API for system entry services
• Prevalent throughout Linux, BSD, and Sun communities
• SSH can be configured to hand off to PAM and await a yes/no response
• We developed OpenMFA, a collection of three modules to check:
  • the success of SSH public key authentication
  • if an MFA exemption has been granted
  • if an MFA token code was successful

OpenMFA Public Key Authentication Module
• Allows for automated, non-interactive transactions
• Crucial component for continuing to serve:
  • Gateways and portals
  • Community accounts
  • Batch transfer of files to remote storage systems
• Determine if user utilized public key authentication successfully via SSH as first factor of authentication
• Utilizes recent local secure system entry logs

OpenMFA Exemption Control List Module
• Grants or denies MFA exemptions
• Matches against current date, username/group, and remote IP address
• Extended PAM access module with automatic expiration date field
• Policies kept in configuration file with powerful rule set
MFA exemption control list fields:
  permission : expiration date : users : origins
e.g.
  + : 2019-12-31 : bob : 149.165.228.247
  + : ALL : tictacc : ALL
  + : ALL : ALL : 192.168.12.0/24
  - : ALL : ALL : ALL

OpenMFA Token Code Module
• Authentication via device token code challenge-responses with RADIUS
• Queries LDAP entries to distinguish between possible authentication routes
• Four "enforcement" modes of operation for opt-in MFA transitions:
  • Off: deactivated token module – back to single-factor authentication
  • Paired: only provide challenge-response when user has token device paired
  • Countdown: warn non-paired users; acknowledgement via return key press
  • Full: prompt for token code regardless of pairing status

Typical PAM SSHD Service Configuration
[Figure: flowchart of the PAM stack for the sshd service. Nodes: SSH Daemon Handoff; PAM Stack Entry; Public Key Success?; MFA Exemption Granted?; MFA Token Code Success?; Password Success?; PAM Success / Return to SSH Daemon; PAM Authentication Error; Restart (Up to 2).]
• OpenMFA modules shown in blue, green, and red outlines

OpenMFA Token Code Module Decision Tree
[Figure: decision tree under Full Enforcement. Components: Client Computer; SSH Server Daemon; RADIUS Daemon; LinOTP Daemon; DB; SMS; LDAP Query. Nodes: Pairing? (Yes/No); Challenge Response; RADIUS Query; Send Null Request; Token Code Accepted? Yes → PAM Success, No → PAM Authentication Error.]
• Dotted arrows represent remote requests

Preparation
• Deployment at this scale necessitated center-wide engagement and coordination
• As roll out approached, clear communication to staff and users was key
• What follows is a preparatory timeline of events leading up to mandatory MFA

Preparation Timeline
• Possible MFA solutions were assessed, including commercial and free options
• The decision was made to utilize off-the-shelf open-source DIY components
January 7, 2015 • Begin MFA assessment
August 10, 2015 • LinOTP stood up
September 14, 2015 • Hard tokens purchased
January 27, 2016 • Web Portal integration
February 4, 2016 • OpenMFA development started
May 3, 2016 • All technical components in place

Preparation Timeline
• LinOTP was installed and configured to work with LDAP and RADIUS
• Testing began with FreeRADIUS PAM module to protect SSHD
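The check the "OpenMFA Public Key Authentication Module" slide describes (decide from recent local secure logs whether this user's SSH session already passed public key authentication as its first factor) as an added Python example; it is not the OpenMFA module's code. It parses constructed `/var/log/secure` lines in the syslog format sshd emits and returns the newest accepted public-key login for the given user from the given remote host inside a short window. The window length, the binding on username plus source address, the sample log and the sample clock are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure entries (syslog format, no year field).
SAMPLE_LOG = """\
Oct 17 09:13:30 login1 sshd[21001]: Accepted publickey for bob from 10.0.0.9 port 50000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT1
Oct 17 09:14:02 login1 sshd[21044]: Accepted publickey for bob from 149.165.228.247 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT2
Oct 17 09:14:05 login1 sshd[21050]: Accepted password for alice from 203.0.113.5 port 40000 ssh2
Oct 17 09:14:07 login1 sshd[21061]: Failed publickey for carol from 198.51.100.4 port 42000 ssh2: RSA SHA256:EXAMPLEFINGERPRINT3
"""
SAMPLE_NOW = datetime(2017, 10, 17, 9, 14, 10)   # constructed "current time" for the demo

# Only "Accepted <method>" records count; "Failed publickey" lines never match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)


def parse_accepted(line: str, year: int):
    """Return a dict for an 'Accepted ...' sshd record, or None for any other line.
    Syslog stamps carry no year, so the caller supplies it."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "time": ts,
        "pid": int(m.group("pid")),
        "method": m.group("method"),
        "user": m.group("user"),
        "rhost": m.group("rhost"),
        "keytype": m.group("keytype"),
    }


def publickey_first_factor(log_text: str, user: str, rhost: str,
                           now: datetime, max_age_seconds: int = 60):
    """Newest 'Accepted publickey' record for `user` from `rhost` no older than
    `max_age_seconds`, or None. A PAM module would take user and rhost from the
    PAM_USER and PAM_RHOST items of the session being authenticated."""
    best = None
    for line in log_text.splitlines():
        rec = parse_accepted(line, now.year)
        if rec is None or rec["method"] != "publickey":
            continue
        if rec["user"] != user or rec["rhost"] != rhost:
            continue
        age = now - rec["time"]
        if age < timedelta(0) or age > timedelta(seconds=max_age_seconds):
            continue  # future-dated (clock skew) or stale entry
        if best is None or rec["time"] > best["time"]:
            best = rec
    return best


if __name__ == "__main__":
    hit = publickey_first_factor(SAMPLE_LOG, "bob", "149.165.228.247", SAMPLE_NOW)
    print("public key first factor:", hit["keytype"] if hit else "not found")
```

Binding the decision to username and source address inside a window is a heuristic, so the window should stay short, the log must not be writable by unprivileged users, and the module should fail closed (fall through to the token prompt) whenever no record is found or the log cannot be read.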
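A parser and evaluator for the exemption control list format on the "OpenMFA Exemption Control List Module" slide (`permission : expiration date : users : origins`), as an added Python example rather than the OpenMFA module's own code. The sample rule set is the one shown on the slide; first-match-wins ordering (as in the pam_access module the slide says it extends), deny when no rule matches, expiry dates that are valid through the stated day, `#` comments, IPv4-only origins (IPv6 would need a different field separator) and group names in the users field are all assumptions. The `overbroad_grants` audit helper is an addition a reviewer of such a file would want.

```python
import ipaddress
from datetime import date

# Constructed sample: the rule set shown on the slide, with a comment line added.
SAMPLE_ACL = """\
# permission : expiration date : users : origins
+ : 2019-12-31 : bob : 149.165.228.247
+ : ALL : tictacc : ALL
+ : ALL : ALL : 192.168.12.0/24
- : ALL : ALL : ALL
"""


def parse_acl(text: str):
    """Parse the four-field rule format into a list of rule dicts in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 4 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: expected 'permission : expiry : users : origins'")
        perm, expiry, users, origins = fields
        rules.append({
            "line": lineno,
            "grant": perm == "+",
            # ALL means "never expires"; otherwise an ISO date, valid through that day
            "expiry": None if expiry == "ALL" else date.fromisoformat(expiry),
            "users": users,   # a username, a group name, or ALL
            # ALL means any origin; a bare address becomes a /32 network
            "origin": None if origins == "ALL" else ipaddress.ip_network(origins, strict=False),
        })
    return rules


def is_exempt(rules, user: str, groups, rhost: str, today) -> bool:
    """True when the first matching rule grants an exemption. Expired rules are
    skipped as if absent; no match means no exemption (fail closed)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    addr = ipaddress.ip_address(rhost)
    for r in rules:
        if r["expiry"] is not None and today > r["expiry"]:
            continue
        if r["users"] != "ALL" and r["users"] != user and r["users"] not in groups:
            continue
        if r["origin"] is not None and addr not in r["origin"]:
            continue
        return r["grant"]
    return False


def overbroad_grants(rules):
    """Audit helper: line numbers of never-expiring '+' rules that apply to every
    user from every origin, i.e. lines that silently disable MFA for everyone."""
    return [r["line"] for r in rules
            if r["grant"] and r["expiry"] is None
            and r["users"] == "ALL" and r["origin"] is None]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("bob in 2019:", is_exempt(acl, "bob", set(), "149.165.228.247", "2019-06-01"))
    print("bob in 2020:", is_exempt(acl, "bob", set(), "149.165.228.247", "2020-01-01"))
    print("overbroad lines:", overbroad_grants(acl))
```

Because the list is evaluated top down, the trailing `- : ALL : ALL : ALL` line is the safety net; the audit helper catches the mistake of a `+` rule with the same three wildcards placed above it.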
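The four enforcement modes on the "OpenMFA Token Code Module" slide and the "Full Enforcement" decision tree, modelled as an added Python function; it is not OpenMFA code. The LDAP pairing lookup, the PAM conversation and the RADIUS round trip to LinOTP are injected callables, the result codes follow Linux-PAM's numbering, the scripted session, the paired-user set and the accepted code 463025 (borrowed from the representative SMS on an earlier slide) are constructed for the demo, and the countdown message text is invented.

```python
PAM_SUCCESS = 0    # result codes modelled on Linux-PAM
PAM_AUTH_ERR = 7

MODES = ("off", "paired", "countdown", "full")


def token_code_module(mode, user, is_paired, conv, verify_code, cutover="<cut-over date>"):
    """One pass of the token code module for a login of `user`.

    is_paired(user)          stands in for the LDAP lookup of pairing status
    conv(prompt) -> str      stands in for the PAM conversation (what the user types)
    verify_code(user, code)  stands in for the RADIUS query to LinOTP
    Returns a PAM-style result code; the sshd PAM stack decides what follows.
    """
    if mode not in MODES:
        raise ValueError(f"unknown enforcement mode {mode!r}")
    if mode == "off":
        return PAM_SUCCESS                      # module deactivated: single factor
    if not is_paired(user):
        if mode == "paired":
            return PAM_SUCCESS                  # no device yet, so no challenge
        if mode == "countdown":
            conv(f"MFA becomes mandatory on {cutover}. Pair a device in the user "
                 f"portal before then. Press Return to continue.")
            return PAM_SUCCESS                  # acknowledged, still single factor
        # full: the decision tree's "send null request" path; there is no pairing
        # for the back end to check against, so the request is rejected
        return PAM_SUCCESS if verify_code(user, "") else PAM_AUTH_ERR
    code = conv("Token code: ").strip()         # challenge-response for paired users
    return PAM_SUCCESS if verify_code(user, code) else PAM_AUTH_ERR


class ConstructedSession:
    """Scripted user for the demo: records prompts and replies with preset answers."""

    def __init__(self, *answers):
        self.answers = list(answers)
        self.prompts = []

    def conv(self, prompt):
        self.prompts.append(prompt)
        return self.answers.pop(0) if self.answers else ""


# Constructed directory and back end standing in for LDAP and LinOTP.
PAIRED_USERS = {"bob"}
ACCEPTED_CODE = "463025"


def fake_verify(user, code):
    """Accept only the constructed code, and only for users with a pairing."""
    return user in PAIRED_USERS and code == ACCEPTED_CODE


def run_scenario(mode, user, *answers):
    """Run the module once and return (result code, prompts the user saw)."""
    session = ConstructedSession(*answers)
    rc = token_code_module(mode, user, lambda u: u in PAIRED_USERS,
                           session.conv, fake_verify)
    return rc, session.prompts


if __name__ == "__main__":
    for mode in MODES:
        for user in ("alice", "bob"):           # alice unpaired, bob paired
            rc, prompts = run_scenario(mode, user, ACCEPTED_CODE)
            print(f"{mode:9} {user:6} rc={rc} prompts={len(prompts)}")
```

Reading the scenarios across the modes shows why the opt-in transition works: an unpaired user sees nothing under "paired", one acknowledgement under "countdown", and a hard failure under "full", while a paired user is challenged identically in every mode except "off".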