


This page describes how to integrate RSA SecurID authentication into openSSH using the patch by Theo Schlossnagle. There are basically two ways of integrating openSSH with SecurID authentication:
- Using PAM. A list of available modules can be found at http://www.kernel.org/pub/linux/libs/pam/modules.html. Some of the PAM modules mentioned there are not specifically tailored to RSA SecurID, others are only "claimed" to exist by their creators, but no sources or binaries are available. Instructions on how to integrate Linux-PAM with SecurID, together with a suitable PAM module and all sources, can be found at http://www.magicality.org/source/pam_securid/. Maybe because of my lack of knowledge, or maybe because of the lack of proper documentation for this PAM module, I never got it working. So I would strongly recommend the Schlossnagle patch.
- Using the Schlossnagle patch. This patch integrates SecurID authentication directly into the OpenSSH daemon. Requirements are:
- a working RSA SecurID ACE-Server and token(s) assigned to the account(s) you are going to use with SecurID authentication
- a valid ACE-Client, with the above mentioned accounts / usernames properly activated on the client. The Linux ACE-Client is distributed as the file linux.tar. To install it:
1. Download the Linux client files from RSA
http://rsasecurity.com/download/linux/
or
wget ftp://ftp.rsasecurity.com/pub/agents/linux.tar
and unpack them:
tar -xf linux.tar
2. Execute the install script ./sdinstall -client and choose a path for the installation [e.g. /var/ace].
- an sdconf.rec file (contains data about the master and slave server)
3. cp sdconf.rec /var/ace
- the /var/ace/securid key file. This file is needed for proper communication between the ACE-Server and the client. However, it is only present once the so-called Node Secret has been sent from the server to the client.
4. To patch and compile openSSH with Theo's patch you can either install the openSSH sources from your Linux distribution CD or get a source RPM for your system at http://www.rpmfind.net. I would uninstall every previous (open)ssh source tree or binary at this point to avoid any further confusion!
5. Copy the patch into your openSSH source directory and apply it (the version numbers of your sources and of the patch must match):
/usr/bin/patch < openssh-3.4p1+SecurID_v2.patch
6. Copy sdiclient.a and the sdi headers from the /var/ace/examples directory into your openSSH source directory. That way you won't have to tell ./configure where to find the include files.
Although it is very tempting and seems reasonable to use the headers and libs from the /ACEAgentSDK/inc/ and /mnt/cdrom/ACEAgentSDK/lib/lnx/ directories of the RSA ACE Server CD, I would NOT recommend doing this. Please use the files from the /examples directory as described above.
7. Run ./configure --with-securid
8. Run make and make install. Be aware that sshd, the config files and all the other files may not end up where you are used to finding them; e.g. SuSE Linux normally uses the /etc/ssh directory, whereas a source build installs to /usr/local/etc.
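A pre-flight check for the steps above, added here as an example (it is not part of the page's instructions or of the patch itself): before step 5 it confirms that the patch and the source tree carry the same OpenSSH version, and it checks that the ACE client directory from steps 2 and 3 holds sdconf.rec, reporting a node secret that has not arrived yet. The naming scheme (openssh-<version>, openssh-<version>+SecurID_v<n>.patch) and the ACE_DIR variable are assumptions derived from the example names used on this page.

```shell
#!/bin/sh
# Added example, not code from the page or from the SecurID patch: pre-flight
# checks to run before applying the patch (step 5) and running ./configure (step 7).
# Assumptions (not stated on the page): the source tree is named openssh-<version>,
# the patch openssh-<version>+SecurID_v<n>.patch, and ACE_DIR is the path chosen
# in step 2 (the page uses /var/ace).

# Print the portable-OpenSSH version (e.g. 3.4p1) embedded in a file or directory name.
openssh_version() {
    basename "$1" | sed -n 's/^openssh-\([0-9][0-9.]*p[0-9][0-9]*\).*/\1/p'
}

# Succeed only when the source tree and the patch carry the same OpenSSH version;
# the patch is written against one release and will not apply cleanly to another.
versions_match() {
    src_ver=$(openssh_version "$1")
    patch_ver=$(openssh_version "$2")
    [ -n "$src_ver" ] && [ "$src_ver" = "$patch_ver" ]
}

# Succeed when the ACE client directory holds sdconf.rec. The node secret file
# (securid) is only written after the ACE server has sent it, so its absence is
# reported as a note rather than treated as a failure.
ace_client_ready() {
    if [ ! -f "$1/sdconf.rec" ]; then
        echo "error: $1/sdconf.rec missing; copy it from the ACE server (step 3)" >&2
        return 1
    fi
    if [ ! -f "$1/securid" ]; then
        echo "note: $1/securid not present yet; the node secret has not been sent by the server" >&2
    fi
    return 0
}

# Defaults follow the names used on this page; override via arguments / environment.
ACE_DIR=${ACE_DIR:-/var/ace}
SRC_DIR=${1:-openssh-3.4p1}
PATCH_FILE=${2:-openssh-3.4p1+SecurID_v2.patch}

if versions_match "$SRC_DIR" "$PATCH_FILE"; then
    echo "ok: $PATCH_FILE matches $SRC_DIR"
else
    echo "error: version of $PATCH_FILE does not match $SRC_DIR"
fi
if ace_client_ready "$ACE_DIR"; then
    echo "ok: ACE client files found in $ACE_DIR"
fi
```

Run it from the directory holding the unpacked sources, e.g. `sh preflight.sh openssh-3.4p1 openssh-3.4p1+SecurID_v2.patch`; a version mismatch is the usual reason the patch step fails.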
After installation several new options are available for the sshd_config file: NegateSecurIDUsers, SecurIDFallBack, SecurIDAuthentication, SecurIDIgnoreShell, SecurIDUsersFile, AllowNonSecurID. Numerous configurations are possible; you can even mix different kinds of users (NIS, SecurID, Unix). Basically it works like this:
With the SecurIDUsersFile option you specify a file listing the users (one per line) who are required to log in via SecurID. Create that file and add the users. These users MUST exist in /etc/passwd or NIS, but MUST NOT have the clumsy sdshell as their login shell. From now on the listed users will have to authenticate with their SecurID token when they log on.

Login from a Windows Tera Term client (with ssh-extension ttssh).
I personally like to be able to mix SecurID users and normal system users. This is done with the AllowNonSecurID option. Simply copy this somewhere into your sshd_config file:
| SecurIDAuthentication | yes |
| SecurIDUsersFile | /usr/local/etc/securid_users |
| AllowNonSecurID | yes |
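The two rules stated above for the users listed in SecurIDUsersFile (they must exist in /etc/passwd or NIS, and they must not have sdshell as their login shell) are easy to get wrong when the file is edited by hand. The following script is an added example, not code from the page or from the patch: it checks every listed user against a passwd-format file and reports violations of either rule. The sample passwd entries and user list are constructed; on a live system pass /etc/passwd or the output of "getent passwd" (which covers NIS).

```shell
#!/bin/sh
# Added example, not code from the page or from the SecurID patch: check a
# SecurIDUsersFile against the password database before enabling it. Listed users
# MUST exist in /etc/passwd or NIS and MUST NOT have sdshell as their login shell.
# Assumption: the password database is supplied as a passwd-format file; on a live
# system use /etc/passwd or the output of "getent passwd".

# Print one diagnostic per offending user (to stdout); succeed only when every
# listed user passes both rules. Blank lines and lines starting with # are skipped.
check_securid_users() {
    users_file=$1
    passwd_file=$2
    bad=0
    while IFS= read -r user || [ -n "$user" ]; do
        case $user in ''|\#*) continue ;; esac
        # first passwd entry whose login name equals the listed user
        entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            printf '%s: not in password database\n' "$user"
            bad=1
            continue
        fi
        shell=${entry##*:}   # seventh passwd field: login shell
        if [ "$(basename "${shell:-/}")" = "sdshell" ]; then
            printf '%s: login shell is %s (must not be sdshell)\n' "$user" "$shell"
            bad=1
        fi
    done < "$users_file"
    return $bad
}

# Constructed sample data (not from a real system) exercising both rules:
# alice is fine, bob uses sdshell, carol does not exist in the password file.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/var/ace/sdshell
EOF
    printf '# users who must log in with SecurID\nalice\nbob\ncarol\n' > "$dir/securid_users"
    check_securid_users "$dir/securid_users" "$dir/passwd"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if demo; then
    echo "all listed users are valid"
else
    echo "fix the entries above before enabling SecurIDUsersFile"
fi
```

For the real file, call `check_securid_users /usr/local/etc/securid_users /etc/passwd` (the path from the sshd_config example above) and only restart sshd once it succeeds; a user listed here who does not exist, or who still has sdshell, will not be able to log in as intended.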
Problems which can occur: The ACE-Server might request the next PASSCODE or next TOKENCODE when a wrong passcode has been entered more than five times. Next Tokencode mode is not supported yet, which is mainly due to the ssh client, not to the patch. If you are using a Unix ssh client you can see this by running it with the -v option (ssh -v user@some.host) on the client side.
I have placed two prepatched and compiled openSSH versions for SuSE Linux 8.1 on my anonymous ftp server (ftp://joerg.cc/pub). To use those you simply need to do a make install. However, the chances that they fit your system (or any other system) exactly are not too high, since e.g. the openssl version needs to be the same as the one the sshd was compiled against.
? Why isn't there a precompiled (open)SSH binary or package, why do I need to do all this?
It is because of a little something called a proprietary software license. No part of the RSA (client) software comes with the GNU or Berkeley license. Binaries and packages would have sdiclient.a from the /var/ace/examples directory linked in, so it would not be quite legal to add them to "commercial" distributions, although you can only use it together with an RSA ACE-Server you previously bought from RSA.
If you have any questions I would like to hear from you:
<fritsch@joerg.cc>,
or just leave a comment on my SecurID page!
