Re: RSA SecurID soft tokens under FreeBSD

2007-06-03 Thread Norberto Meijome
On Fri, 1 Jun 2007 13:15:22 -0400
[EMAIL PROTECTED] wrote:

> I'm interested in monitoring RSA SecureID using Nagios.

Hi Mark,
What do you mean by monitoring SecureID?  You mean, to monitor auth failures
/ successes?  Performance of the related services?

I would say it's a matter of knowing how the information is presented by RSA's 
software, and then having Nagios monitor that...

_
{Beto|Norberto|Numard} Meijome

Always listen to experts.  They'll tell you what can't be done, and why.  
Then do it.
  Robert A. Heinlein

I speak for myself, not my employer. Contents may be hot. Slippery when wet. 
Reading disclaimers makes you go blind. Writing them is worse. You have been 
Warned.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RSA SecurID soft tokens under FreeBSD

2007-06-01 Thread Mark.Law
I'm not sure this email is going to go to the proper place - I'm
interested in monitoring RSA SecureID using Nagios.

 

Mark Law
Manager, EDT and Security Services
Thomson Global Technology Infrastructure (TGTI)
(734) 913-3775  Phone
(734) 260-5740  Cell
(734) 913- 3500 Fax
[EMAIL PROTECTED]

 



Re: RSA SecurID Pam Module Support?

2007-05-04 Thread David Robillard

> We have recently purchased an RSA SecurID Appliance and there are no
> native libraries for *BSD OS's.  I have downloaded and installed the
> appropriate files within the Linux Compat environment, but I'm not
> having any success making it work.  Specifically, the key file in
> question is /compat/linux/lib/pam_securid.so.  When I add the
> appropriate configuration line to /etc/pam.d/sshd and attempt to log in
> I get the following:
>
> May  3 09:43:01 ad-mon01 sshd[30508]: in openpam_load_module(): no /compat/linux/lib/pam_securid.so found
> May  3 09:43:01 ad-mon01 sshd[30508]: fatal: PAM: initialisation failed
>
> Of course, the file actually does exist.
>
> -rwxr-xr-x  1 1047  900  895304 May  2 11:13 /compat/linux/lib/pam_securid.so
>
> Has anyone had any success getting this .so to work under FreeBSD,
> specifically 6.2 Release?


Hi Michael,

We're also running some RSA SecurID Appliances. Since we need the
support from RSA and FreeBSD is not listed in their supported OS
matrix, we decided to use RedHat for the front-end HTTP servers to run
their module. All the rest of our business application that requires
RSA authentication is running under FreeBSD.

IMHO you should only use an RSA supported OS to run their module,
because otherwise you won't receive any help from them if they know
you're running this under FreeBSD. Sad, but unfortunately true.

Good luck,

David
--
David Robillard
UNIX systems administrator  Oracle DBA
CISSP, RHCE  Sun Certified Security Administrator
Montreal: +1 514 966 0122


RSA SecurID Pam Module Support?

2007-05-03 Thread Michael K. Smith - Adhost
Hello All:

We have recently purchased an RSA SecurID Appliance and there are no
native libraries for *BSD OS's.  I have downloaded and installed the
appropriate files within the Linux Compat environment, but I'm not
having any success making it work.  Specifically, the key file in
question is /compat/linux/lib/pam_securid.so.  When I add the
appropriate configuration line to /etc/pam.d/sshd and attempt to log in
I get the following:

May  3 09:43:01 ad-mon01 sshd[30508]: in openpam_load_module(): no /compat/linux/lib/pam_securid.so found
May  3 09:43:01 ad-mon01 sshd[30508]: fatal: PAM: initialisation failed

Of course, the file actually does exist.

-rwxr-xr-x  1 1047  900  895304 May  2 11:13 /compat/linux/lib/pam_securid.so

Has anyone had any success getting this .so to work under FreeBSD,
specifically 6.2 Release?

Regards and Thanks,

Mike


Re: RSA SecurID Pam Module Support?

2007-05-03 Thread Vince

Michael K. Smith - Adhost wrote:

> Hello All:
>
> We have recently purchased an RSA SecurID Appliance and there are no
> native libraries for *BSD OS's.  I have downloaded and installed the
> appropriate files within the Linux Compat environment, but I'm not
> having any success making it work.  Specifically, the key file in
> question is /compat/linux/lib/pam_securid.so.  When I add the
> appropriate configuration line to /etc/pam.d/sshd and attempt to log in
> I get the following:
>
> May  3 09:43:01 ad-mon01 sshd[30508]: in openpam_load_module(): no /compat/linux/lib/pam_securid.so found
> May  3 09:43:01 ad-mon01 sshd[30508]: fatal: PAM: initialisation failed
>
> Of course, the file actually does exist.
>
> -rwxr-xr-x  1 1047  900  895304 May  2 11:13 /compat/linux/lib/pam_securid.so
>
> Has anyone had any success getting this .so to work under FreeBSD,
> specifically 6.2 Release?

  
The last time I tried this I had no luck (2 or 3 years ago, I forget
now).  I was trying to authenticate against an ACE server rather than an
Appliance and finally ended up using pam_radius and using the ACE server
as a RADIUS server, which worked pretty well.


good luck,
Vince



> Regards and Thanks,
>
> Mike


Re: RSA SecurID soft tokens under FreeBSD

2006-07-11 Thread David Robillard

> Hi,
>
> Does anyone use RSA SecurID soft tokens under FreeBSD?
> I'm writing an end-to-end monitoring app and will be
> needing to authenticate using SecurID, and have come
> up pretty empty-handed in my search for more info.
>
> Thanks,
>
> Marcus


Hi Marcus,

We're using Nagios to monitor our RSA SecureID websites.
Nagios is in the FreeBSD ports as net-mgmt/nagios.

Basically, it's just a simple perl script wrapped into Nagios.
It works very well. Let me know if you need more info.

Cheers,

David

--
David Robillard
CISSP, RHCE, SCSA
Montreal: +1 514 966 0122


RSA SecurID soft tokens under FreeBSD

2006-07-10 Thread Marcus Reid
Hi,

Does anyone use RSA SecurID soft tokens under FreeBSD?
I'm writing an end-to-end monitoring app and will be
needing to authenticate using SecurID, and have come
up pretty empty-handed in my search for more info.

Thanks,

Marcus


FreeBSD and RSA SecurID Authentication

2005-03-10 Thread Jeff Wirth
List,

This post is really for archival purposes in the event that someone
else is looking into centralized authentication with RSA SecurID and
FreeBSD (or any other *nix platform for that matter).

The organization I currently work for has a large ($$$) investment in
RSA SecurID (for VPN use mainly) and like most technology deployments
around here it is not used to its full capability.  With the onset of
SOX and the like, password use/policy/management has become a rather
large headache.  So for us, SecurID made sense (at least in theory):
centralized, one time passwords.

( Yes, I know there are other options for centralized Unix account
administration, but to this point we have only used local accounts and
some SecurID.  And our goal was to leverage existing infrastructure. )

Our Unix environment, in a phrase: you build it, we'll run it.  So
it was off to RSA to see what agents/clients are currently available. 
Now we've been running older versions, in a limited capacity, of the RSA
agents for some time (sdshell: a shell that requires SecurID
authentication), but the support is limited (HP-UX, Solaris, AIX).
Then I noticed an available PAM module, joy!  But the joy was short
lived, it only supports Solaris and RHE Linux.

So, when all else fails you head to google...  What I found was a lot
of people in the same boat (on various platforms).  I found a few
possible solutions, but not anything I felt confident about.  So back
to square one.

Then I remembered that our VPN environment uses SecurID, but via
RADIUS.  Ahhh...  Knowing that FreeBSD already had a RADIUS PAM
module, it was my first test platform (5.3).  Once everything was
configured it worked like a charm.  Now for the rest of the
environment...  Linux: Not a Problem (most distros come with the
FreeRadius PAM module), Solaris: Used PAM module from FreeRadius,
HP-UX: Also used module from FreeRadius (it was a bear to get
compiled), AIX: Haven't gotten to this one yet, but I have my fingers
crossed ;-).  Everything at this point appears to work well and the
best part is that the solution/setup is the same for all!

A 'very quick' overview of the configuration...   

1 - An RSA ACE Server running and configured with RADIUS (currently
runs on Solaris/HP-UX and Windows?)
2 - A client server with a RADIUS PAM module
3 - Create a 'Shared Secret'.
4 - Configure the RSA ACE/RADIUS server and the client server with
'shared secret'.  (PAM module uses /etc/radius.conf for 'shared
secret', servername, etc)
5 - Configure PAM/sshd (or whatever PAM aware services) to require
RADIUS authentication
6 - Configure your local users. (local username must be their SecurID username)

here are some links...
http://www.freeradius.org/
http://www.freeradius.org/pam_radius_auth/
http://www.faqs.org/rfcs/rfc2865.html
http://www.rsasecurity.com/  (limited documentation here, it's all on
the install cd's)
... and of course various local manpages.

A quick note on security...

RADIUS is not the most secure protocol out there.  As a matter of fact,
data is hidden via an MD5 hash (more details:
http://www.faqs.org/rfcs/rfc2865.html ).  But our feeling was since
it's SecurID and the generated passcode is only used one time, the
risk is acceptable/minimal! (better than a lame password any day ;-)

HTH
-jw


Re: [pki-team] FreeBSD and RSA SecurID Authentication (fwd)

2005-03-10 Thread Jeff Wirth
On Thu, 10 Mar 2005 12:14:52 -0800, Mike Helm [EMAIL PROTECTED] wrote:
> John Webster forwards:
> > 'shared secret'.  (PAM module uses /etc/radius.conf for 'shared
> > secret', servername, etc)
> > 5 - Configure PAM/sshd (or whatever PAM aware services) to require
> > RADIUS authentication
> > 6 - Configure your local users. (local username must be their SecurID
> > username)
>
> have you given any thought to interoperation with an environment
> where local name cannot = securid username?
 

Not really, but my guess is that you would need to add another piece
to the puzzle.  Possibly LDAP?  I researched using LDAP very briefly (
i.e. LDAP PAM Mod - Central LDAP - RADIUS - RSA ACE ) with hopes of
leveraging additional LDAP functionality.  Could be possible to store
the SecurID username within a user's LDAP entry?  Just a thought...

> We have, but we haven't figured out what (or which) is the satisfactory
> solution(s).  Or done enough work yet either, for that matter.

good luck.

 - jw


Re: RSA SecurID

2003-01-17 Thread Dax Eckenberg
> Yes.  Starting with just login authentication, then eventually, if I can
> figure out how, for web page authentication.  I saw that RSA has an
> addon for Apache, but you have to buy their $5000 server to support it.
> But logins are the first priority.
>
> Thanks,
> --Brian
>
> > are you looking to use the fobs (LCD number generator) for login
> > authentication?
> >
> > > Hi all.  I've searched in the archives and found nothing on this newer
> > > than 2001...so any help would be appreciated.  I'm looking to find a
> > > way to support RSA's SecurIDs on FreeBSD.  There was something
> > > mentioned back in March of 2001 on the topic, but that's all I could
> > > find.  Could someone please tell me if this is possible, and if it is,
> > > where to look for more info?
> > >
> > > Thanks,
> > > --Brian McCann

Do a Google search for pam_securid.  It's a PAM module which allows you to use the
SecurID fob for login.


-- dax

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message



RSA SecurID

2003-01-16 Thread Brian McCann
Hi all.  I've searched in the archives and found nothing on this newer
than 2001...so any help would be appreciated.  I'm looking to find a way
to support RSA's SecurIDs on FreeBSD.  There was something mentioned
back in March of 2001 on the topic, but that's all I could find.  Could
someone please tell me if this is possible, and if it is, where to look
for more info?

Thanks,
--Brian McCann





RE: RSA SecurID

2003-01-16 Thread C. Kulish
I would think it's possible as we just use HyperTerminal to login to our RSA
server at work.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Brian McCann
Sent: Thursday, January 16, 2003 7:52 PM
To: [EMAIL PROTECTED]
Subject: RSA SecurID

Hi all.  I've searched in the archives and found nothing on this newer
than 2001...so any help would be appreciated.  I'm looking to find a way
to support RSA's SecurIDs on FreeBSD.  There was something mentioned
back in March of 2001 on the topic, but that's all I could find.  Could
someone please tell me if this is possible, and if it is, where to look
for more info?

Thanks,
--Brian McCann





RE: RSA SecurID

2003-01-16 Thread Brian McCann
Yes.  Starting with just login authentication, then eventually, if I can
figure out how, for web page authentication.  I saw that RSA has an
addon for Apache, but you have to buy their $5000 server to support it.
But logins are the first priority.

Thanks,
--Brian

-----Original Message-----
From: Dax Eckenberg [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 11:55 PM
To: Brian McCann
Subject: Re: RSA SecurID


are you looking to use the fobs (LCD number generator) for login
authentication?


----- Original Message -----
From: Brian McCann [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 16, 2003 5:51 PM
Subject: RSA SecurID


> Hi all.  I've searched in the archives and found nothing on this newer
> than 2001...so any help would be appreciated.  I'm looking to find a
> way to support RSA's SecurIDs on FreeBSD.  There was something
> mentioned back in March of 2001 on the topic, but that's all I could
> find.  Could someone please tell me if this is possible, and if it is,
> where to look for more info?
>
> Thanks,
> --Brian McCann
 
 