source: trunk/third/ssh/README.SECURID @ 10564

Revision 10564, 3.8 KB checked in by danw, 27 years ago (diff)
This commit was generated by cvs2svn to compensate for changes in r10563, which included commits to RCS files with non-trunk default branches.
Line 
1Notes on the integration of SecurID into ssh
2
3To enable ssh to allow users to authenticate themselves using SecurID
4cards, you have to come up with some mechanism to determine which users
5have such cards and which don't. The mechanism I have adopted is a
6simple one: a file /etc/securid.users that lists all the users with
7cards, one on each line.
8
9To run sshd with support for SecurID cards, you first of all need
10to have Security Dynamics' server software installed on the system
11(quelle surprise). To compile it you will also need the Security
12Dynamics authentication API, which consists of several .h files and the
13sdiclient.a library. When you run configure, you must then use the
14option --with-securid=/your/ace/dir, which will set all the appropriate
15flags in the Makefile.
16
17When all of this has been compiled and installed and a SecurID user
18signs in, they should request password authentication, not RSA. They
19will be given the Password: prompt like everyone else, however their
20response will be sent to the SecurID server, rather than being checked
21locally against the password file. It would be nice if we could change
22the prompt, but this would involve changing the dialog between the
23server and the client (since it the server that knows the user's
24authentication protocol, but the client which does the prompt). Maybe
25next time.
26
27A more significant issue is the /etc/securid.users file. Security
28Dynamics has its own approach to this issue, which is very different and
29incompatible with this one. Security Dynamics distributes a replacement
30for the user's login shell called sdshell, which simply prompts for
31the user's pass code, and then invokes the user's real shell, which is
32stored elsewhere. They also distribute an ftpd, which relies on the user
33having sdshell as their login shell to determine which users are SecurID
34users.
35
36I have philosophical problems with this approach (I don't think it is
37the business of the user's shell to perform the authenticationn check,
38that should be done by /bin/login instead). But that's not the reason I
39chose a different approach here. I tried to make it work with sdshell
40as the login shell, and it just has one big problem. Everything is
41fine for non-interactive sessions, the user gets prompted, enters his
42passcode and everything goes. But in an interactive session, the user
43connects, is prompted for his password, enters his passcode, and only
44then does ssh tell sshd that this is an interactive session! So sshd
45starts up the user's shell, i.e. sdshell, which promptly demands the
46user's passcode all over again! And what is really a nuisance is that
47Security Dynamics of course won't let you use the same passcode twice
48(for obvious reasons), so you have to wait for the next code to come up
49on the card, i.e. up to sixty seconds, before you can finish signing on!
50And I can see no way to avoid the double prompt.
51
52So that's why /etc/securid.users.  Unfortunately, this means that you
53can either use ssh, scp and slogin with SecurID support, or you can
54use Security Dynamics' sdshell and ftpd. Not both (unless you are
55prepared to live with the double passcode prompt).
56
57One last issue and I'm done. This implementation handles only the two
58return codes ACM_OK and ACM_ACCESS_DENIED. It does not attempt to handle
59any of the other codes that can arise such as ACM_NEW_PIN_REQUIRED,
60ACM_NEXT_CODE_REQUIRED and so on. Again, this would involve significant
61changes to the ssh client/server dialog.
62
63If you have any comments about this implementation, or better yet, would
64like to contribute to it(!), please feel free to send me some e-mail at
65dmckilli@qc.bell.ca.
66
67Regards,
68--------------------------------------------------------------------
69Donald McKillican                                Tel: (514) 870-3905
70Bell Canada Corporate Security           E-Mail: dmckilli@QC.Bell.CA
71Montreal, Canada      WWW: http://libertel.montreal.qc.ca/~dmckilli/
Note: See TracBrowser for help on using the repository browser.