Ask Slashdot: Open Hardware/Software-Based Security Token?

Qbertino (265505) writes I've been musing about a security setup to allow my coworkers/users access to files from the outside. I want security to be a little safer than pure key- or password-based SSH access, and some super-expensive RSA Token setup is out of question. I've been wondering whether there are any feasible and working FOSS and open hardware-based security token generator projects out there. It'd be best with ready-made server-side scripts/daemons. Perhaps something Arduino or Raspberry Pi based? Has anybody tried something like this? What are your experiences? What do you use? How would you attempt an open hardware FOSS solution to this problem?

Yubikey is the way to go...

[bubulubugoth]

Yubikey is a USB OTP generator, it can be integrated quite easily and it has ssh and a little fast dig up I found this link about yubikey and openvpn..

http://www.yubico.com/applicat...
http://forum.yubico.com/viewto...

OATH

[Roadmaster]

My organization uses 2FA with a standard that's compatible with Google Authenticator and a Yubikey (OATH: http://en.wikipedia.org/wiki/I... and http://www.nongnu.org/oath-too...). People with smartphones could use Google Authenticator to obtain auth tokens; an inexpensive ($25 per person) yubikey provides a very easy way to enter tokens without much hassle; and the open-source oathtool can generate tokens for other uses (i.e. add a "paper" authentication device with a long list of sequential tokens).

Google Authenticator for software tokens

[heypete]

For software tokens, Google Authenticator has apps for Android, iOS, and BlackBerry. They implement the TOTP standard, so any compatible code-generating software (such as the J2ME app I have on my non-smartphone) will work with it.

They also have a PAM module that works with SSH (or anything else that uses PAM). I've used it before, and it works great.

For reference, neither the apps nor the PAM module depend in any way on Google services, they don't send any data to Google, and will work perfectly happily in a totally offline environment (assuming all the servers and client apps have synchronized clocks).

Re:You can create a token but keep it off nets

[TheCarp]

All true and yet, I don't see how any of that matters. The point of using the phone is it is something you have, and its not tied to the device you are connecting with. Yes, you may lose the phone more often, BUT...that just means you replace the phone and reload the software with a new key....BFD.

Stealing your phone doesn't reveal what systems you would connect to. Getting access to your laptop, doesn't provide the authentication token. Its about using two factors that are not tied to eachother in a way that a remote attacker can discern that improves the security of such a system.

which is why I strongly disagree that an app on the laptop is better.... because an app on the laptop is on the laptop, one device which connects to it all. Or another way to think of it...where is the safest place for the key to your safe.... in an unmarked envelope in your house....or in an unmarked envelope at your friend's house?

Even if your friend's house is less secure than your own, its still the better place because.... there is no way for the attacker to make the association needed to find it....even if it is your friend's house that he robs, even if he finds the key there!

Sure its not protection from specific kinds of attackers, but, if your security measures need to stand up to NSA levels of scrutiny, I have no problem declaring your requirements out of scope for this level of discussion, and far beyond most people who could benefit from simple tokens.