Steve,

On the target server that is running SecurID ACE/Agent, do you have "UseLogin" set to yes or no in sshd_config? You need to have the target system use Login from the operating system, not the inbuilt login code within SSHD. You then replace the users' default shell in /etc/passwd with the path to sdshell as per normal. I can't remember, but this method may only work with "PrivilegeSeparation" set to no. This is because sdshell needs to run as "root". This is a major issue as you are then removing many of the security enhancements made to OpenSSH over the last few years.

Try setting "UseLogin" to yes and test; if it doesn't work, then set "PrivilegeSeparation" to no. Remember to kill and restart SSHD each time you modify sshd_config.

Alternatively, depending on the operating system on the target system and the age of the ACE/Agent code, you may be able to use PAM. RSA put PAM support into some of their "supported" ACE/Agents, e.g. Sun Solaris, HP-UX, Linux Redhat. I used to work for RSA Security and built most of their "unsupported" Linux and BSD Agents for them, as well as some more exotic versions of UNIX. The Agents I built had no support for PAM, so they will only work if integrated with OpenSSH or if the native Login is used.

I did some work to integrate SecurID with OpenSSH for a couple of specific customers, but despite several attempts I could never persuade RSA to allow me to put the code into the Public Domain. There are some published patches to integrate SecurID with OpenSSH; however, these were done back in the days of v2, before the enhancements were made to isolate the daemon code run as "root" from the user processes. The last integration work I did was on v3.6p1 and worked properly under privilege separation.

Unfortunately, if you want integration work done with OpenSSH, someone would either have to build it from scratch; it took me around a man-month of effort the first time I did it. It would probably take less time to do it again as I'm now more familiar with the privilege separation code. Otherwise you have to go to RSA Security's Professional Services department and ask them to do the work, which they may well sub-contract to me anyway! I am bound by contract and cannot supply the code I originally wrote without RSA Security's permission.

Regards,
Chris Macneill

-----Original Message-----
From: Steve Calderoni [mailto:[EMAIL PROTECTED]
Sent: 19 January 2006 17:18
To: [email protected]
Subject: SecureID Question

Hello all,

I have openssh installed and am having a small problem that I am hoping someone will be able to help with.
When I log into my openssh server I then try to ssh to a server from there that uses SecureID. The session connects, then the banner text appears, and from there it should display the PASSCODE: prompt but never makes it. Directly from the server I can log in just fine. It just does not work from within a session.

If anyone has any ideas that may help I would appreciate it!

Thanks,
Steve
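
The trade-off described in the reply above can be checked on a host before and after such a change. The script below is an added example, not part of the original thread or any RSA or OpenSSH code: it reports the value sshd would use for UseLogin and for UsePrivilegeSeparation (the sshd_config keyword behind "PrivilegeSeparation") and lists accounts whose shell is sdshell. The sample file contents, account names and the sdshell path are constructed, and the defaults shown are assumed for OpenSSH of that era.

```shell
#!/bin/sh
# Added example: effective sshd_config values for the settings discussed above.
# Assumptions: the first occurrence of a keyword wins, keywords are
# case-insensitive, defaults are UseLogin=no and UsePrivilegeSeparation=yes.

# effective_setting FILE KEYWORD DEFAULT: print the value sshd would use.
effective_setting() {
    awk -F '[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # look at the global section only
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# sdshell_users PASSWD: print accounts whose login shell is sdshell.
sdshell_users() {
    awk -F: '$7 ~ /(^|\/)sdshell$/ { print $1 }' "$1"
}

# audit SSHD_CONFIG PASSWD: print findings, return 1 if hardening is weakened.
audit() {
    rc=0
    ul=$(effective_setting "$1" UseLogin no)
    ps=$(effective_setting "$1" UsePrivilegeSeparation yes)
    if [ "$ul" = yes ]; then echo "WARN UseLogin=yes: OS login handles sessions"; rc=1; fi
    if [ "$ps" = no ]; then echo "WARN UsePrivilegeSeparation=no: network-facing code runs as root"; rc=1; fi
    for u in $(sdshell_users "$2"); do echo "INFO account $u uses sdshell"; done
    return $rc
}

# Constructed sample input (paths and account names are made up).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config" <<'EOF'
# constructed sample
Port 22
uselogin yes
UsePrivilegeSeparation no
UseLogin no
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
steve:x:1001:1001::/home/steve:/usr/local/ace/sdshell
EOF
audit "$tmp/sshd_config" "$tmp/passwd" || echo "result: review required"
```

On a real host, pass the live sshd_config and /etc/passwd paths to `audit`; a non-zero return means one of the two weakened settings is in effect.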
