On Tue, 23 Oct 2001, David Lang wrote:

> the other thought I've had on this (but haven't taken the time to pursue)
> is if openssh can be configured to use PAM then it may be possible to use
> a PAM module to do the token c/r.

I dunno about challenge/response tokens, I've used a PAM RADIUS authenticator to auth SSH under Linux, and the module was either supposed to run on Solaris, or not too difficult to get there if you're using SecurID and willing to let the ACE server do RADIUS.

> and I'm not saying it's the right thing to use as a company's internet
> firewall either :-) I primarily use it for internal firewalls where I want
> the strong authentication it provides (for services that support it) and

If you're not doing strong auth, or you want to have some fun writing code, Apache's mod_proxy can be made to auth proxy requests - I never had much luck getting a clean-looking content filtering mechanism grafted on though, and one-time tokens like SecurID took more effort than it was worth (couldn't ever figure out if I could do cookies to the proxy server, and building a separate credential caching daemon seemed way more trouble than talking our firewall reseller into an Enterprise license ;) )

> I would say that I wished that someone else would come up with a set of
> proxies and an authentication engine similar to what the FWTK provides, but
> I guess the job it does is simple and complete enough (again within its
> limits) that there's not enough reason for anyone to reinvent the wheel.

There are some proxy projects around - I'm not sure how strong any of the auth stuff is though. These days you can almost get away with just supporting http/https though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
