Great Circle Associates Firewalls
(April 1994)


Subject: Re: Mixing Authentification Strategies
From: alastair @ cadence . com (Alastair Young)
Date: Fri, 1 Apr 1994 10:00:51 -0800
To: firewalls @ greatcircle . com

>I've been looking at skey, one-time pads, etc.  One issue which doesn't
>seem to be addressed is the mixing of authentication types.  For example,
>inside a reasonably secure net one might choose to use `ordinary' unix
>authentication.  When accessing from outside, one might want to normally
>use skey, but fall back to a set of memorized one-time passwords if no
>local/trustworthy skey generator is available.
>The trick is how to decide on the fly which to use.  Alternate ports for
>alternate authentications involve excessive memorization.  What I'd do
>if I were recoding login.c is to let one modify the login id to indicate
>desired authentication type:

Take a look at the firewalls toolkit from, this allows you to
specify a different authentication protocol by user and run everything from
a central authentication server over encrypted channels. I'll be expanding
our version of it to allow the same user to use strong authentication (in
our case SecurID or Skey), in some instances and passwords in others. This
will involve expanding the account record format somewhat. Marcus is
against adding too much functionality to the toolkit as complexity ->>
bugs, but we need this flexibility in our environment, particularly in the
transition from passwords to something better. Have source, will travel :-)

I am particularly keen on using the TIS authsrv daemon to do this,
specifically because it does allow multiple authentication protocols
simultaneously and you don't have to hack your client programs (login,
ftpd, etc.) every time you want to try out a new vendor's authentication
token. We are using SecurID now because it is the simplest from the user's
point of view. What I'm really waiting for is the iPower card in SmartDisk
format. SecurID in SmartDisk format would be nice too, particularly for ppp
applications where the system drops the line when it's quiet and
re-establishes the connection automatically when required. Having an
authentication daemon which acts as a clearing house for multiple protocols
gives real flexibility for future changes in technology.


Alastair Young                                     _ 2 Ariel NH Red Hunters
Cadence Design Systems, Information Services     )/___     _  
555 River Oaks Parkway, 4B1                    __/(___)_*##/c 56 Red Menace 
San Jose CA 95134         Fax: (408)894-3487  / /\\|| \ /  \ 
alastair @ cadence . com                     (408)428-5278  \__/ ----'\__/ 49 TwinportKit
These statements and opinions are mine, not those of Cadence Design Systems
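The two ideas above, the quoted suggestion of letting the login id select the authentication type and the reply's per-user record held by a central authentication server that dispatches to several protocols, sketched as an added example. This is not code from the TIS toolkit, authsrv, or this post; the record layout, the method names, the `user/method` login syntax, the origin-based policy and the SHA-256 hash chain standing in for S/Key are all assumptions.

```python
import hashlib
import hmac

SALT = b"constructed-salt"          # constructed; a real store salts per user

def hash_chain(seed, n):
    """n applications of SHA-256: the S/Key-style chain, server keeps link n."""
    link = seed
    for _ in range(n):
        link = hashlib.sha256(link).digest()
    return link

def make_user(password, skey_seed, skey_n, otp_words, policy):
    """Constructed account record: hashed secrets plus allowed methods per origin."""
    return {"pw": hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000),
            "skey_last": hash_chain(skey_seed, skey_n), "skey_n": skey_n,
            "otp": {hashlib.sha256(w.encode()).digest() for w in otp_words},
            "policy": policy}   # origin -> allowed methods, first one is the default

def authenticate(db, login_id, origin, response):
    """'alice/skey' selects a method; a bare id takes the origin's default."""
    user, _, requested = login_id.partition("/")
    rec = db.get(user)
    allowed = rec["policy"].get(origin, []) if rec else []
    method = requested or (allowed[0] if allowed else None)
    if method not in allowed:                     # the policy decides, not the client
        return False
    if method == "password":
        cand = hashlib.pbkdf2_hmac("sha256", response.encode(), SALT, 100_000)
        return hmac.compare_digest(cand, rec["pw"])
    if method == "skey":
        try:
            presented = bytes.fromhex(response)   # client sends link n-1 of the chain
        except ValueError:
            return False
        # hashing link n-1 once must reproduce the stored link n; then step down
        if rec["skey_n"] > 0 and hmac.compare_digest(
                hashlib.sha256(presented).digest(), rec["skey_last"]):
            rec["skey_last"], rec["skey_n"] = presented, rec["skey_n"] - 1
            return True
        return False
    if method == "otplist":
        h = hashlib.sha256(response.encode()).digest()
        if h in rec["otp"]:
            rec["otp"].discard(h)                 # each memorized password is single-use
            return True
        return False
    return False
```

The policy record, not the client's suffix, decides what is acceptable from a given origin, so a plain password presented from outside is refused even when the user asks for it.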
