Hi there, have you ever thought of using the Aladdin eTokenNG OTP instead of SecurID? It works fine with PAM and you will have no problems authenticating.
Regards,
Cornelius

Chris Macneill wrote:
> Asif's advice to use RADIUS is OK in theory; however SecurID sometimes
> doesn't work too well with RADIUS. It entirely depends on the RADIUS Client
> implementation.
>
> I have never tried RADIUS and SecurID with OpenSSH, so I don't know how well
> it works in practice. I'm just issuing a word of caution.
>
> The problem stems from the fact that the SecurID ACE/Server doesn't just
> send a binary response of authentication accepted or denied; it can have two
> intermediate states, New PIN Mode and Next Tokencode Mode, which require the
> RADIUS Server and Client to go through a specialised exchange of prompts and
> responses. It was just these extended prompts and responses that gave me the
> most headaches when integrating the SecurID API directly with OpenSSH and
> getting it to work in Privilege Separation mode.
>
> For the most part RADIUS servers and certainly the one embedded in
> ACE/Server function well these days. However, just last week I was using
> Cisco's latest VPN Client v4.7 with RADIUS and SecurID; the Next Tokencode
> mode interface is OK, but the New PIN mode is horribly broken and instead of
> prompting "Enter PASSCODE:", it seems to be hard coded to prompt "Enter
> Password:". The correct prompt is supplied by the ACE/Server RADIUS Server
> when the authentication channel is established; it seems Cisco are just
> ignoring it.
>
> I'm not saying RADIUS won't work in this scenario, but just be sure to test
> the interface fully and be happy that it delivers what you want, not just a
> kludgy interface that may cause confusion to users.
>
> In my experience many people have cut corners when implementing SecurID and
> not bothered to properly handle New Pin and Next Tokencode modes; most have
> regretted it and had to re-engineer the solution later. It's not a major
> problem when you have a small user base, but when you get into the realms of
> hundreds of users, the support overhead of having to reset PINs and Tokens
> on behalf of users, instead of them being able to handle it interactively
> with the interface, can become significant.
>
>
> Chris Macneill
>
> -----Original Message-----
> From: Asif Iqbal [mailto:[EMAIL PROTECTED]]
> Sent: 01 February 2006 15:10
> To: [email protected]
> Subject: Re: SecureID Question
>
> 1. Download and compile latest OpenSSH w/ PAM on your host.
> 2. Start the radius daemon on your SecurID server.
> 3. Compile radius auth pam library on your host from the source code found
>    in freeradius website
> 4. Choose a radius key for the host and place it in /etc/raddb/server page
>    with the IP of the SecurID server
> 5. Add the host using ACE Client and place the same radius key there
> 6. Set UsePAM to yes on your host's sshd_config file. Privilege Separation
>    should work just fine
> 7. Send a HUP--no need to kill and restart--to your parent sshd process
>    if you already have the pam enabled sshd running. Otherwise start the
>    just compiled one. If you do not want to kill your existing sshd yet
>    just do make (and make install yet) and run the newly compiled sshd on a
>    different (not port 22) port.
>
> Now you can ssh (on that non-default port maybe) to your host using
> securid. It is using the radius port
> on the securid server to authenticate against the securid database.
>
> Thanks
>
>
> On Thu, Jan 19, 2006 at 10:17:34AM, Steve Calderoni wrote:
>
>> Hello all,
>>
>> I have openssh installed and am having a small problem that I'm hoping
>> someone will be able to help with.
>>
>> When I log into my openssh server I then try to ssh to a server from there
>> that uses SecureID. The session connects then the banner text appears and
>> from there it should display the PASSCODE: prompt but never makes it.
>> Directly from the server I can log in just fine. It just does not work
>> from within a session.
>>
>> If anyone has any ideas that may help I would appreciate it!
>>
>> Thanks,
>>
>> Steve
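The New PIN and Next Tokencode handling Chris warns about is, on the wire, a RADIUS Access-Challenge round trip (RFC 2865): the server answers the first Access-Request with a prompt and a State attribute, and the client must show that prompt and echo State back in its next Access-Request. The following is an added illustration, not code from this thread, from OpenSSH, pam_radius or ACE/Server; it models both sides of that exchange in Python so the client-side logic can be checked offline. The shared secret, user name, prompt text and State value are constructed sample values.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # RFC 2865 attributes

def _password_xor(secret, authenticator, data, input_is_cipher):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if input_is_cipher else block)
    return out

def encode_password(secret, authenticator, password):  # pad to a 16-byte multiple, then hide
    return _password_xor(secret, authenticator, password.ljust(-(-len(password) // 16) * 16, b"\0"), False)

def decode_password(secret, authenticator, blob):  # the server side recovers the PASSCODE
    return _password_xor(secret, authenticator, blob, True).rstrip(b"\0")

def attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)

def parse_attrs(data):
    out = {}
    while data:
        t, length = data[0], data[1]
        out[t], data = data[2:length], data[length:]
    return out

def access_request(secret, ident, user, passcode, state=None):
    """Client side. When answering an Access-Challenge the server's State must be echoed back."""
    auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    pairs = [(USER_NAME, user), (USER_PASSWORD, encode_password(secret, auth, passcode))]
    body = attrs(pairs + ([(STATE, state)] if state is not None else []))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body, auth

def reply(secret, request, code, pairs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = attrs(pairs)
    head = struct.pack("!BBH", code, request[1], 20 + len(body))
    return head + hashlib.md5(head + request[4:20] + body + secret).digest() + body

def next_step(secret, req_auth, pkt):
    """Client decision: accept, reject, or re-prompt (challenge) carrying State. Treating a
    challenge as a plain failure is exactly what breaks New PIN / Next Tokencode handling."""
    head, body = pkt[:4], pkt[20:]
    if hashlib.md5(head + req_auth + body + secret).digest() != pkt[4:20]:
        return "reject", "bad Response Authenticator", None  # forged reply or wrong shared secret
    a = parse_attrs(body)
    prompt = a.get(REPLY_MESSAGE, b"").decode()  # server-supplied text, e.g. "Enter PASSCODE:"
    kind = {ACCESS_ACCEPT: "accept", ACCESS_CHALLENGE: "challenge"}.get(pkt[0], "reject")
    return kind, prompt, (a.get(STATE) if kind == "challenge" else None)
```

A real RADIUS client (pam_radius_auth, a VPN client) must feed the `challenge` prompt to the user verbatim and send the second Access-Request with the same State; a client that substitutes its own hard-coded prompt or drops the challenge is the behaviour Chris describes.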