Shaman: Token-based Single Sign-on
The Shaman software kit links a cryptographic hardware token to OpenSSH and PAM. After plugging in the token and entering its PIN, remote systems can be reached over the SSH protocol without entering any further password. Remove the token, and no new connections can be made.
The Shaman offers some important advantages over a default setup that uses passwords for system access:
- Simplicity: End users can understand their security responsibilities because a hardware token is tangible.
- Efficiency: Rather than typing passwords all the time, only enter a PIN once after the token is plugged in.
- Security: The token must be present for every new connection; remove the token and be safe.
Make your choices below to order immediately. The combination of an ePass2000 token on Windows is known to work very smoothly, but any other token with proper PKCS #11 support can be used.
Please contact us if your group requires Mac OS X support.
We provide optional Token Services for the tokens that we supply.
- Shaman licenses for selected operating systems, at €25
- ePass2000 USB tokens, optional, at €41
- Token Service Labels, optional, at €5 per token
Typical problems solved
- Single Sign-on replaces passwords -- Authentication is based on an exchange that differs for every new session, so possession of the token is enforced on every connection. The token is protected with a PIN that must be supplied to the Shaman Agent only once, after the token is plugged in.
- Protecting secrets on your laptop -- Laptops are very useful, but once stolen they instantly turn into information leaks. The Shaman addresses this by making it simple to keep more information on remote computers and to access it there, so less of it needs to live on the laptop.
How the Shaman works
Modern computer use often requires connecting to remote systems, for example to retrieve email, to access a database or to upload documents to a central repository. The common way to protect such access is with passwords. But passwords are often dreadful, both for the user who has to remember them and for the administrator who wants them handled more securely.
These problems can be avoided by replacing the password exchange with one based on a cryptographic token; such tokens come in the form of smart cards and USB tokens. They are practical to carry around, and they make security a far more tangible subject than any software construct could ever be.
Users treat a token just like any other key, because the physical token is needed to gain access. As a result, even non-technical end users have a firm grip on their security responsibilities, which improves overall security. It is perhaps only of secondary interest that the level of security offered by a token also greatly exceeds that of passwords.
The Shaman software package links a token to the commonly used OpenSSH toolkit on Linux and Mac OS X for remote access, and to PuTTY and WinSCP on Windows. The Shaman extends these packages without modifying them, so other applications that rely on SSH under the hood automatically make use of the Shaman without any special configuration.