DIY - RSA SecurID
 

i work for a small firm that does eco related matters, and we have allo0t of road warriors.

now these guys go anywhere, there at conferences, events, and on the road, and i want a secure access method for them to access office.


now the office system they are accessing is only for file pickups and dumps, like heres a new memo and drop off your latest report type crap.


BUT, some of there work is goverment level, and this is a goverment funded place, mostly, and as such we need some better security.


i want to go with something like RSA SecurID, but i dont want to pay that sort of money. i am not asking for RSA SecurID for free, but is there a DIY open ended (SSH ish thingy) like RSA SecurID that is open source, free and DIY - or cheap??

You might want to search with google for: opie s/key pam. Maybe though "tpm" into the search and also read through the rfcs: 2289 and 2244.

augurseer,

If there are notebook computers out there with confidential data then you might want to think about something to encrypt that data in case a computer is lost or stolen.

For secure transfer of files you can use rsync over SSH. Setting up a virtual private network (VPN) is another option.

A VPN is the best solution for sustained connections since you initiate a secure tunnel through the "home base" to the internet as though you are on the LAN (meaning you have the same work restrictions like proxies and filtering) and any traffic between client and server is encrypted. I think there's a KDE gui for the OpenVPN client, kovpn or something obvious like that. As far as simple secure transfers, scp is cp over SSH, it uses rsync syntax.

If you are asking specifically about one-time passwords, here is a possible solution:
https://www.grc.com/ppp.htm

Be sure to check out the "other ppp software" link since it has info on PAM, JAVA, PHP, etc implementations. Technically, this is better than the RSA cards since you have a greater passphrase sample space and the chance for replay is less.

DaCapn

I don't get why "government level" should need better security than an individual - at least in a country I would like to live in? But that aside, the most reliable method is to encrypt the data, and change keys as often as possible conveniently. And not just to-be-transferred data, but the harddisks also; one of the security aspects too many people forget is that even if you have a 99% bullet proof transfer channel, the moving end (like a laptop) can always be stolen, and that means lots of time to dig the data out. None of the encryption methods is fully secure, but their main idea is that it is impossible in a sane amount of time to decrypt the information without a known key, and that the key is impossible to generate/try in a sane amount of time. So encrypt both the disks and the transfer channel, and change keys at times to make it more difficult to break trough.

At the moment, especially if you don't want to pay (a lot of )money, (open)SSH is your best friend. But whenever the data is someplace else than the sender or recipient, it's vulnerable.

Check this if you are interested in KDE front-end to VPN (of course there are front-ends to other desktop things too than just KDE, but DaCapn mentioned that): home.gna.org/kvpnc/en/index.html

all of your responses were great, thanks.



as for the govt issue, damn ain't it true. This company i am do some work for has to double and triple check its everything before even thinking about making coffee in the morning cause it is govt money and supplies.


They don't flush without asking for help, and whats worse is i have to pass every IT idea past some little pencil pusher who thinks his computer is better just cause its a mac.




at any rate all of your advice was great and shall be poked through very much.


thanks

I'm curious, what did you do?