Free/Open ACE Servers?
Tsk asks: "One of the companies I work for uses ACE server for which I need a SecurID.
This works fine in closed source Unix environment, however at home I have a mix of closed source unix, free unixes and Windows machines. I would like to be able to use my SecurID at home and thus secure my network. I'm trying to do this because I have a client that only has BSD/Linux servers, who would like to implement a SecurID based solution. I did a Google search already using 'ACE server Open' and 'ACE server Free' and received no results. I'm wondering if such a setup is doable, if the software to build it is available?"
As far as I know you can't do this. In order for a server to auth your token it would have to know what the token was seeded with. When you buy tokens they send you a floppy disk with a file on it that needs to be read by the server before it can authenticate your token.
#include "I_used_to_work_for_RSA_security.h"
There's a whole gamut of copyright and patent stuff in the SecurID tokens and ACE/Servers.
This is where RSA-Security make their money and they are hardly about to open this stuff up. Yes I know the big money spinner are the tokens (you have to buy a new one every 3 or 5 years as the battery dies after that period), but they are hardly going to open up their algorithm for inspection by 'the world at large'. If there were a problem with the problem I don't think they'd take lightly to people exposing it (can we say DMCA).
Of course these things have been out there for many years and no-one has yet reverse engineered the algo and the algo has had some very respected people look at it (they bought RSA a few years ago).
But there's very very little chance of you replicating this stuff with 'free' software.
I hope you weren't expecting someone to have somehow magically reverse engineered the server for Linux.
1. It would be a cryptocracking nightmare.
2. It's illegal - RSA wouldn't allow it and would stop people from hurting their revenue stream.
And assuming someone had done it, where would you get the Tokens from? They don't come free in cereal packets....
If you don't mind spending the money, you don't have a problem.
The ACE/agent is available for Linux. See Agent Support. OK, so BSD isn't supported, but you could play around with the Linux compat stuff or have them all authenticate from the Linux box running ACE/client.
You will have to run an ACE/server on Windows unless they've got Solaris, HP-UX or AIX. See Server Support
People on Slashdot seem to be obsessed with getting something for nothing. SecurID is *a really good thing* (we use it at work) - do you think that all that work by Crypto experts could be duplicated by a few spotty geeks with too much time on their hands? Get a grip.
err
why use this stuff when I can offer the CEO's secretary $10k in cash and get any information I want
on top of this you pay for this and you don't know what's inside!
so how do you prove it's secure?
hell you trust software companies more than I ever will
(for this level of stupidness you must pay)
regards
john jones
The paranoid admin will deploy OPIE with SHA1 or RIPEMD-160, but there are very few clients/servers with support for anything beyond MD5.
Here's the scoop on the name change:
The "primary" OPIE site is http://inner.net/opie
I do not deploy Linux. Ever.