VMware Cloud Community
echiu
Contributor

2-factor authentication for ESX and vCenter management (VIC and ssh)

Hi,

HyTrust is working on implementing 2-factor authentication for ESX and vCenter as part of HyTrust Appliance's access management capabilities for our upcoming 1.1 release. This is for both vCenter and direct-to-host management connections using Virtual Infrastructure Client or ssh. We are currently looking at implementing support for RSA SecurID, smart card, RADIUS and Kerberos.

We are interested in getting additional input on our use cases/workflow for supporting 2-factor authentication as well as beta sites. Let me know if you have an interest in participating.

For those that don't know about us, HyTrust Appliance provides control and visibility for virtual infrastructure. The HyTrust Appliance is a single-point-of-control for access management, audit logging, and consistent hypervisor configuration. The Community Edition of HyTrust Appliance is a full-featured version of the product protecting up to 3 ESX hosts and is totally free to the Community -- download your copy today at http://www.hytrust.com/community.

Please contact me if you have an interest in working with us on 2-factor authentication.

Thanks,

Eric Chiu 650.681.8111 direct echiu@hytrust.com www.hytrust.com

4 Replies
Texiwill
Leadership

Hello,

Is the two factor auth just for the HyTrust Appliance or are you implementing Two Factor within Windows and ESX? Can you give some details on what would be protected by this form of authentication. Is it this:

two factor auth <-> Hytrust <-> single factor Auth <-> ESX/vCenter

Or this

two factor auth <-> Hytrust <-> two factor Auth <-> ESX/vCenter


Best regards, Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
Now Available on Rough-Cuts: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
echiu
Contributor

Hi Ed,

This would be primarily for two factor authentication to ESX and vCenter. HyTrust Appliance intercepts and proxies all management traffic going to ESX and vCenter -- this includes ssh, VIC, Web management, PERL, Powershell, etc. By proxying the management traffic, we can enforce central authentication and role-based authorization through our XACML-based policy engine.

We are working with a few government agencies and financial companies, so that they can use two factor authentication for both ESX and vCenter management (i.e., direct-to-host connections through ssh and VIC or VIC connected to vCenter). The government agencies want smart card (ActivIdentity CAC) and financial wants RSA SecurID. Currently, the only way to enable this today is through customizing PAM or deploying agents on each host -- which is very difficult to set up and cumbersome to maintain. Since we are a single-point-of-control, implementing two factor in our authentication module is very easy for us to do and simple for customers to deploy.

For smart card, we are planning to support pass-through authentication for VIC and ssh. For SecurID, we can definitely support pass-through, but are also thinking about a concatenated password approach (password + PIN).

We will also be enabling 2-factor authentication for HyTrust Appliance management, but not sure that will be in 1.1 since it is not the primary requirement of the customers we are working with. Let me know if you have any further questions.

Best,

-Eric

Eric Chiu HyTrust, Inc. 650.681.8111 direct echiu@hytrust.com

echiu
Contributor

Fixing HyTrust search in VMware communities.

Texiwill
Leadership

Hello,

With HyTrust in the middle it is no longer direct to host, but a proxied request. So your two factor is really:

Two Factor Auth <-> HyTrust <-> Standard Auth <-> ESX/VC

If ESX/VC both have two factor auth modules then you are passing that data through as well?


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links |
Virtualization Security Round Table Podcast (http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast)
