What work can the Shaman save me?

It can avoid entering passwords for every remote system access. You simply insert your token, enter the token PIN when it is first needed, and until you unplug the token your logins are free of passwords. At the same time, it is much stronger security than a password can ever be.

Is the Shaman more secure than using passwords?

Oh yes, it is much more secure. You are using strong cryptographic mechanisms. The codes exchanged between client and server are not only much harder to crack, but they are also different for every login.

How fast is an average login?

That mostly depends on the the token, but expect about one second for a normal login. The first login after token insertion is slower, because information must then be downloaded from the token. So in everyday use, the login is hardly noticable.

Can one token access multiple remote accounts?

Yes, and there is no limit. You can safely use the same SSH Key for all remote accounts. Unlike with passwords.

Can more than one token access the same account?

Yes, and there is no limit. Tokens can independently be enabled and disabled on any account.

Is this a Un*x single sign-on solution?

Yes, indeed. The PAM module allows you to login with the token PIN instead of the account password. Once in, most remote access protocols for Un*x can run over SSH connections. Applications that build on top of these tools automatically work with the Shaman, without the need to recompile anything, or even change configurations.

Is this the same as Windows single sign-on?

No, this is a light-weight solution. As typical for Un*x.

Windows single sign-on is based on Kerberos, a complicated infrastructure based on a trusted key distributor and specific compiled-in support in the remote services you want to use. Access is based on tickets that expire after a couple of hours.

The Shaman solution is based on OpenSSH, which is used as a basis for most remote access mechanisms on Un*x systems. Since the Shaman integrates with that basis, all such remote access mechanisms work with the Shaman.

Do I need to setup Kerberos?

Good heavens, no! You only need SSH support, which you probably have already. The only modern OS that comes without SSH by default is Windows; download code for that platform from OpenSSH.org for free.

Must I setup a central authentication server?

No. The PAM module tests if it can use SSH to access an account. That may be on localhost, the machine being logged into.

Can I setup a central authentication server?

Yes, it is possible. The PAM module can be directed to it with authserver=hostname options. All that an authentication server needs to do is accept SSH logins, possibly with a trivial shell such as /bin/true.

It is possible to setup multiple authentication servers -- the PAM module accepts a login if only one of these accepts the SSH connection.

What happens when I unplug the token?

Your ability to setup any new connections with token-stored SSH Keys is gone. Please note that existing connections are not terminated.

Note that if you would use Kerberos, you would receive tickets for a particular period, usually a few hours at a time. This means that Kerberos-based systems would still allow logins after the removal of a token.

Does the Shaman integrate with Telnet or FTP?

Of course not! Nobody accesses Un*x through Telnet or FTP because these protocols are notoriously insecure. Every security-conscious admin switched to SSH (and the included SCP tool) for remote account access. Excellent desktop tools exist to graphically present this functionality on Windows, Mac OS X and Un*x.

Does the Shaman integrate with backup sytem X?

Probably. If your backup systems uses rsync, it can easily be configured to run over SSH.

How portable is the Shaman solution?

Very. In principle, it can bind out-of-the-box OpenSSH toolkits to any token that comes with standard Cryptoki (a.k.a. PKCS #11) middleware. However, for ease of use the Shaman distributions are currently built specifically for one kind of token. If no Shaman distribution is available for your combination of OS and token, please contact us.

For remote server access, the only two widely deployed SSH implementations are supported, namely OpenSSH and commercial SSH. To enable or disable tokens on the remote server, we do need a few basic Un*x commands that are already available on a normal system, or otherwise easily installed.

What do I risk when I use the token on an untrusted system?

If you know that the middleware (the token's Cryptoki or PKCS #11 library, the Shaman and the ssh-askpass package) are properly installed, you are not risking much -- other applications cannot tap into the token unless you enter the PIN into them.

If you cannot trust these three packages, as for example in an Internet café, you are risking that a rogue application uses your token to gain access to the remote servers while the token is plugged in. In any case, after removal of the token, you are always safe.

If you want to be absolutely secure while using someone else's system, you should consider booting from a live CD such as Knoppix, which is a Linux distribution that runs from a CD. You would have to extend it with the proper middleware, though.