
| Subject: | RE: SecureID Question |
|---|---|
| Date: | Sun, 22 Jan 2006 17:36:11 -0000 |
Steve,

On the target server that is running SecurID ACE/Agent, do you have "UseLogin" set to yes or no in sshd_config?

You need to have the target system use Login from the operating system, not the inbuilt login code within SSHD. You then replace the users' default shell in /etc/passwd with the path to sdshell as per normal.

I can't remember, but this method may only work with "PrivilegeSeparation" set to no. This is because sdshell needs to run as "root". This is a major issue as you are then removing many of the security enhancements made to OpenSSH over the last few years.

Try setting "UseLogin" to yes and test; if it doesn't work then set "PrivilegeSeparation" to no. Remember to kill and restart SSHD each time you modify sshd_config.

Alternatively, depending on the operating system on the target system and the age of the ACE/Agent code, you may be able to use PAM. RSA put PAM support into some of their "supported" ACE/Agents, e.g. Sun Solaris, HP-UX, Linux Redhat.

I used to work for RSA Security and built most of their "unsupported" Linux and BSD Agents for them, as well as some more exotic versions of UNIX. The Agents I built had no support for PAM so will only work if integrated with OpenSSH or the native Login is used.

I did some work to integrate SecurID with OpenSSH for a couple of specific customers, but despite several attempts I could never persuade RSA to allow me to put the code into the Public Domain.

There are some published patches to integrate SecurID with OpenSSH; however, these were done back in the days of v2 before the enhancements were made to isolate the daemon code run as "root" from the user processes. The last integration work I did was on v3.6p1 and worked properly under privilege separation.

Unfortunately, if you want integration work done with OpenSSH, someone would either have to build it from scratch; it took me around a man month of effort the first time I did it. It would probably take less time to do it again as I'm now more familiar with the privilege separation code. Otherwise you have to go to RSA Security's Professional Services department and ask them to do the work, which they may well sub-contract to me anyway!

I am bound by contract and cannot supply the code I originally wrote without RSA Security's permission.

Regards,

Chris Macneill

-----Original Message-----
From: Steve Calderoni [mailto:scalderoni@msn.com]
Sent: 19 January 2006 17:18
To: secureshell@securityfocus.com
Subject: SecureID Question

Hello all,

I have openssh installed and am having a small problem that I am hoping someone will be able to help with. When I log into my openssh server I then try to ssh to a server from there that uses SecurID. The session connects, then the banner text appears, and from there it should display the PASSCODE: prompt but never makes it. Directly from the server I can log in just fine. It just does not work from within a session.

If anyone has any ideas that may help I would appreciate it!

Thanks,

Steve
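The reply above trades away privilege separation to get sdshell working, so a host configured this way is worth flagging in a configuration review. The following is an added example, not code from the thread or from RSA or OpenSSH: a small auditor for the two settings discussed. It assumes the sshd_config keyword spelling `UsePrivilegeSeparation` for what the message calls "PrivilegeSeparation", the era's defaults (`UseLogin no`, `UsePrivilegeSeparation yes`), and sshd's first-occurrence-wins rule; the sample config is constructed.

```python
# Added example: audit an sshd_config for the two settings discussed in the thread.
# Assumed defaults for OpenSSH of that era (sshd_config(5)).
DEFAULTS = {"uselogin": "no", "useprivilegeseparation": "yes"}


def effective_settings(config_text):
    """Return the global values sshd would use; the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()      # keywords are case-insensitive
        if keyword == "match":          # conditional blocks are not global settings
            break
        if keyword in DEFAULTS and keyword not in seen and len(parts) == 2:
            seen[keyword] = parts[1].strip().strip('"')  # arguments stay case-sensitive
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(config_text):
    """Return findings for settings that weaken sshd's process isolation."""
    eff = effective_settings(config_text)
    findings = []
    if eff["uselogin"] == "yes":
        findings.append("UseLogin yes: interactive sessions are handed to login(1)")
    if eff["useprivilegeseparation"] == "no":
        findings.append("UsePrivilegeSeparation no: network-facing code runs as root")
    return findings


# Constructed sample: the later 'yes' does not override the earlier 'no'.
SAMPLE = """\
# constructed sample, not from a real host
Port 22
uselogin yes
UsePrivilegeSeparation no
UsePrivilegeSeparation yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
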