Shaman: Single Sign-on for Linux/Unix
Simple authentication relies on a user name and its related
password. The next level beyond username and password is
called two-factor authentication: something you know (your
PIN) and something you have (the ePass token).
The Shaman software kit links a cryptographic hardware token to OpenSSH
and PAM. After plugging in the ePass2000 and entering the token PIN,
remote systems can be reached through the secure SSH protocols without a
need to enter any further password. Remove the token and no more
connections can be made.
The Shaman software package links a token to the commonly used
OpenSSH tool for remote access. The Shaman extends SSH without modifying
it, such that other applications that rely on SSH under the hood
automatically make use of the Shaman, without any need for special
configuration.
A single configuration line in the appropriate PAM configuration file
suffices to tell your system to start the Shaman while the user is
authenticating to the desktop; once it has started, the user is logged
in to the token and need not enter any further passwords as long as the
token remains plugged in.
Advantages of using a token for SSH
The Shaman provides some important advantages in comparison to a
default setup with passwords for system access:
- Simplicity: End users can understand their security
responsibilities because a hardware token is tangible.
- Efficiency: Rather than typing passwords all the time, only
enter a PIN once after the ePass is plugged in.
- Security: The ePass must be present for every new
connection; remove the token and be safe.