On Fri, Feb 22, 2002 at 03:47:53PM -0500, Utsav Ratti wrote:
> The problem I am trying to solve involves administrative logins to our
> firewalls, which currently run on Redhat Linux 6.2. In order to provide
> administrative accountability, individual accounts have to be created
> on each box for all of the administrators, and their passwords have to
> be maintained. Obviously, this doesn't scale well as we add boxes.

Why not?  You should be automating this.

> We have tried to leverage our existing SecurID authentication system as
> a way of strengthening the authentication model on the firewalls and
> eliminating the need to use host-specific user accounts. However, with
> the current RSA ACE/Agent for Linux, one must still login to the local
> machine before being prompted for the SecurID login. I'm looking for a
> way around that by leveraging pam_radius to talk to our existing Steel
> Belted RADIUS servers, which are already configured to proxy to our
> ACE/Servers.

You are using 'sdshell'?  You could use pam_securid instead.  You'll still
have to login as the user (ACE/Server has to know which token to check
against), but you could tweak the pam_securid module to only use the
username for auth and always login as some specific account.  Although,
I would discourage this.

> The problem is that pam_radius, from what I have been able to gather,
> does not support New PIN Mode, Next Tokencode Mode and other
> ACE-specific messages, which would be needed to properly support ACE
> authentication on an ongoing basis. Is anybody working on this,
> considering to do so, or has any alternative suggestions on how I might
> be able to do this without requiring two logins?

pam_radius fully supports those functions -- as far as it is able.  i.e.,
pam_radius will pass Access-Challenges to the user as long as it keeps
receiving them.  Your problem is that SBR must not be passing on those
messages correctly.

> Any help would be appreciated.

Try pam_securid.

/fc


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
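The Access-Challenge round trip described in the reply above, as an added example that is not code from this thread or from pam_radius: a minimal RADIUS client loop that keeps re-prompting while the server returns Access-Challenge and echoes the State attribute back, next to a constructed stand-in for an ACE-proxying server and for a proxy that drops State. The names fake_ace_server, broken_proxy and pam_style_login and every packet value are constructed for this example, and RFC 2865 User-Password hiding is omitted.

```python
import struct
from itertools import count

# RADIUS codes and attribute types from RFC 2865 (User-Password hiding omitted: sample only)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
AUTH = b"\x00" * 16  # constructed fixed authenticator; a real client uses 16 random bytes

def encode(code, ident, attrs):
    """Build a RADIUS packet: 20-byte header followed by type/length/value attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + AUTH + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def get(attrs, t):
    return next((v for k, v in attrs if k == t), None)

# Constructed stand-in for the ACE-proxying RADIUS server: a valid passcode is answered
# with an Access-Challenge (Next Tokencode Mode); the echoed State plus the next tokencode
# is accepted. The passcode, tokencode and State value are sample data.
def fake_ace_server(pkt):
    code, ident, attrs = decode(pkt)
    state, pw = get(attrs, STATE), get(attrs, USER_PASSWORD)
    if state is None and pw == b"1234111111":
        return encode(ACCESS_CHALLENGE, ident,
                      [(REPLY_MESSAGE, b"Enter next tokencode"), (STATE, b"ntc-session-7")])
    if state == b"ntc-session-7" and pw == b"222222":
        return encode(ACCESS_ACCEPT, ident, [])
    return encode(ACCESS_REJECT, ident, [])

def broken_proxy(pkt):
    """Models a proxy that forwards requests but strips State, so the challenge is lost."""
    code, ident, attrs = decode(pkt)
    return fake_ace_server(encode(code, ident, [a for a in attrs if a[0] != STATE]))

def pam_style_login(user, answers, server):
    """Re-prompt while the server keeps returning Access-Challenge; echo State unchanged."""
    answers = iter(answers)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, next(answers).encode())]
    for ident in count():
        code, _, reply = decode(server(encode(ACCESS_REQUEST, ident & 0xFF, attrs)))
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        # Reply-Message is what the user would be prompted with; State must go back as-is
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, next(answers).encode()),
                 (STATE, get(reply, STATE))]
```

With the direct server the two-step login succeeds; through the State-dropping proxy the second request is treated as a fresh attempt and is rejected, which is the failure mode the reply attributes to the proxy rather than to pam_radius.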