Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: Secure Modem Pool
From: woods @ ncar . ucar . edu (Greg Woods)
Date: Fri, 28 Apr 95 14:32:26 MDT
To: joep @ ia . mc . xerox . com (Joe Pennell)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <9504281703 . AA07593 @ trevor>; from "Joe Pennell" at Apr 28, 95 10:03 am

> I must add that admin
> of these things is great, especially if you have remote users.

That's fascinating, because I thought admin of these things was a royal pain
in the butt. For one thing, the ONLY way to set the PIN number requires 
running the "sdshell" program, which requires that the user have a login
shell account on a secured system. If you only want the users to access
your systems through a proxy login server using the SecurID card
to authenticate, it makes setting the PIN a real pain. Plus I
found the menu-driven administration program very annoying; absolutely
no way to automate any of the routine tasks. It is also quite easy for
a user to disable their own card by making too many consecutive mistakes
logging in. I understand that the reason for this is to prevent random
guessing of the password, but the administrator has almost no control 
over this.

Another problem is that Security Dynamics works on the TRUST US model (see
previous recent flame war) in that their algorithm for generating passwords
is proprietary and we have no way of knowing how secure it REALLY is.

On the positive side, the users like these cards, because they don't have
to mess with a challenge/response scheme or enter anything into the card.
They just read the password and enter it to the system.

> But, all future 
> connections are made on PIN number only, so the PIN number must be unique.

I'm pretty sure you are mistaken here (I'd like to know exactly how you
came to this conclusion just in case it is I who is mistaken). Future
connections require the PIN number *and* the password from the card,
and as far as I know there is no requirement that PINs be unique.

--Greg

