Good morning, I hope the weekend is going well for everyone. Our team was diving into another major development cycle when Izzy, our Golden Retriever, pawed at the lake laptop to remind me that we hadn't finished our 'Holiday project'. So Izzy and I headed out to the lake for a long weekend of skiing, coding and the consumption of single malt.
With the weekend drawing to a close, on behalf of Enjellic Systems Development, Izzy would like to announce the availability of a major upgrade to the Hurdo package. The update is available at the following URL:

ftp://ftp.hurderos.org/pub/Hurdo/Hurdo-0.3.0.tar.gz

Hurdo implements OpenSSH/PAM support for Kerberos service credential forwarding. It provides infrastructure for using remote sudo based privilege escalation without the risk for horizontal privilege escalation, in the event an administrator should log into a compromised host. While focused on the needs of sudo it will provide authentication for any PAM capable application on a remote host.

This release is a feature release with the following important changes:

* PKINIT support.
* Credential forwarding with remote login tracking.
* Support for multi-homed hosts.
* Keyshell credential manager.
* Optional MIT Kerberos patch to add PKCS11 KEYRING: support.

Support for PKINIT allows organizations to project two-factor authentication into remote hosts without physical access to those systems. In combination with credential forwarding, this provides a comprehensive security solution for the common systems administration model of logging into a bastion host to gain access to hosts on an internal network. The PKINIT support has been tested using Yubikey-NEO hardware devices with the open-sc library.

The keyshell credential manager provides support for a 'hard-token' security model using soft tokens in the absence of hardware devices. It extensively leverages Linux keyring support to safely allow lower entropy pincodes to be used to authenticate repetitive sudo invocations.

Hurdo is designed, developed and maintained by system administrators who do system management of remote hosts with SSH and sudo all day, every day. Izzy hopes our experiences and technology are beneficial to others in similar roles.

Izzy would like to extend a 'bark-out' to David Howells for all of his work on the Linux keyring support. The new features are heavily dependent on leveraging this infrastructure for some rather novel IPC support.

Best wishes for a productive week from the glacial moraine country of West-Central Minnesota.

Dr. Greg and Izzy

PS: For those sites who find that Hurdo saves them from devastating security breaches, Izzy enjoys the large MilkBone(tm) dog biscuits... :-)

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND 58102             development.
PH: 701-281-1686
FAX: 701-281-3949
EMAIL: g...@enjellic.com
------------------------------------------------------------------------------
"If you ever teach a yodeling class, probably the hardest thing is to keep the students from just trying to yodel right off. You see, we build to that."
-- Jack Handey, Deep Thoughts

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos