Ask Slashdot: Open Hardware/Software-Based Security Token?
Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of the question. I've been wondering whether there are any feasible and working FOSS and open-hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino- or Raspberry Pi-based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?
yubikey (Score:3, Informative)
www.yubico.com ... not quite FOSS, but it's your ticket....
use SMS (Score:4, Informative)
You can set up a second factor using SMS pretty easily, and have it text you a second password that's good for five minutes.
Definitely the cheapest option.
If you make your own token with an arduino and an LCD and a real time clock and a battery you've already paid for the RSA tokens.
=Rich
Yubikey is the way to go... (Score:5, Informative)
Yubikey is a USB OTP generator; it can be integrated quite easily and it works with SSH. After a little quick digging I found these links about Yubikey and OpenVPN..
http://www.yubico.com/applicat... [yubico.com]
http://forum.yubico.com/viewto... [yubico.com]
OATH (Score:5, Informative)
My organization uses 2FA with a standard that's compatible with Google Authenticator and a Yubikey (OATH: http://en.wikipedia.org/wiki/I... [wikipedia.org] and http://www.nongnu.org/oath-too... [nongnu.org]). People with smartphones could use Google Authenticator to obtain auth tokens; an inexpensive ($25 per person) yubikey provides a very easy way to enter tokens without much hassle; and the open-source oathtool can generate tokens for other uses (i.e. add a "paper" authentication device with a long list of sequential tokens).
Google Authenticator for software tokens (Score:5, Informative)
For software tokens, Google Authenticator has apps for Android, iOS, and BlackBerry. They implement the TOTP standard, so any compatible code-generating software (such as the J2ME app I have on my non-smartphone) will work with it.
They also have a PAM module [google.com] that works with SSH (or anything else that uses PAM). I've used it before, and it works great.
For reference, neither the apps nor the PAM module depend in any way on Google services, they don't send any data to Google, and will work perfectly happily in a totally offline environment (assuming all the servers and client apps have synchronized clocks).