1 | Notes on the integration of SecurID into ssh |
---|
2 | |
---|
3 | To enable ssh to allow users to authenticate themselves using SecurID |
---|
4 | cards, you have to come up with some mechanism to determine which users |
---|
5 | have such cards and which don't. The mechanism I have adopted is a |
---|
6 | simple one: a file /etc/securid.users that lists all the users with |
---|
7 | cards, one on each line. |
---|
8 | |
---|
9 | To run sshd with support for SecurID cards, you first of all need |
---|
10 | to have Security Dynamics' server software installed on the system |
---|
11 | (quelle surprise). To compile it you will also need the Security |
---|
12 | Dynamics authentication API, which consists of several .h files and the |
---|
13 | sdiclient.a library. When you run configure, you must then use the |
---|
14 | option --with-securid=/your/ace/dir, which will set all the appropriate |
---|
15 | flags in the Makefile. |
---|
16 | |
---|
17 | When all of this has been compiled and installed and a SecurID user |
---|
18 | signs in, they should request password authentication, not RSA. They |
---|
19 | will be given the Password: prompt like everyone else, however their |
---|
20 | response will be sent to the SecurID server, rather than being checked |
---|
21 | locally against the password file. It would be nice if we could change |
---|
22 | the prompt, but this would involve changing the dialog between the |
---|
23 | server and the client (since it the server that knows the user's |
---|
24 | authentication protocol, but the client which does the prompt). Maybe |
---|
25 | next time. |
---|
26 | |
---|
27 | A more significant issue is the /etc/securid.users file. Security |
---|
28 | Dynamics has its own approach to this issue, which is very different and |
---|
29 | incompatible with this one. Security Dynamics distributes a replacement |
---|
30 | for the user's login shell called sdshell, which simply prompts for |
---|
31 | the user's pass code, and then invokes the user's real shell, which is |
---|
32 | stored elsewhere. They also distribute an ftpd, which relies on the user |
---|
33 | having sdshell as their login shell to determine which users are SecurID |
---|
34 | users. |
---|
35 | |
---|
36 | I have philosophical problems with this approach (I don't think it is |
---|
37 | the business of the user's shell to perform the authenticationn check, |
---|
38 | that should be done by /bin/login instead). But that's not the reason I |
---|
39 | chose a different approach here. I tried to make it work with sdshell |
---|
40 | as the login shell, and it just has one big problem. Everything is |
---|
41 | fine for non-interactive sessions, the user gets prompted, enters his |
---|
42 | passcode and everything goes. But in an interactive session, the user |
---|
43 | connects, is prompted for his password, enters his passcode, and only |
---|
44 | then does ssh tell sshd that this is an interactive session! So sshd |
---|
45 | starts up the user's shell, i.e. sdshell, which promptly demands the |
---|
46 | user's passcode all over again! And what is really a nuisance is that |
---|
47 | Security Dynamics of course won't let you use the same passcode twice |
---|
48 | (for obvious reasons), so you have to wait for the next code to come up |
---|
49 | on the card, i.e. up to sixty seconds, before you can finish signing on! |
---|
50 | And I can see no way to avoid the double prompt. |
---|
51 | |
---|
52 | So that's why /etc/securid.users. Unfortunately, this means that you |
---|
53 | can either use ssh, scp and slogin with SecurID support, or you can |
---|
54 | use Security Dynamics' sdshell and ftpd. Not both (unless you are |
---|
55 | prepared to live with the double passcode prompt). |
---|
56 | |
---|
57 | One last issue and I'm done. This implementation handles only the two |
---|
58 | return codes ACM_OK and ACM_ACCESS_DENIED. It does not attempt to handle |
---|
59 | any of the other codes that can arise such as ACM_NEW_PIN_REQUIRED, |
---|
60 | ACM_NEXT_CODE_REQUIRED and so on. Again, this would involve significant |
---|
61 | changes to the ssh client/server dialog. |
---|
62 | |
---|
63 | If you have any comments about this implementation, or better yet, would |
---|
64 | like to contribute to it(!), please feel free to send me some e-mail at |
---|
65 | dmckilli@qc.bell.ca. |
---|
66 | |
---|
67 | Regards, |
---|
68 | -------------------------------------------------------------------- |
---|
69 | Donald McKillican Tel: (514) 870-3905 |
---|
70 | Bell Canada Corporate Security E-Mail: dmckilli@QC.Bell.CA |
---|
71 | Montreal, Canada WWW: http://libertel.montreal.qc.ca/~dmckilli/ |
---|