OpenSSH-2.2.0p1 + SecurID.

Theo E. Schlossnagle theos at cnds.jhu.edu
Fri Sep 22 15:34:25 EST 2000


carl at bl.echidna.id.au wrote:
> If you're running RMS/Loonicks or Solaris, you can use SecurID with
> PAM (which is the whole point of PAM).  It'd be really nice to get PAM
> support in some of the other UNIX's.

Actually, I had a lot of trouble with SecurID and PAM.  It worked great on the
console and for anything with freeform tty-style log ins, but for SecurID it
didn't work the way I needed.

The problem is that after the user enters the correct PIN, sometimes the
ACE/Server will request that the user enter the next token code.  The hooks in
PAM are there to do this (and much more), but I didn't see that ssh could
utilize this.

The patch I wrote will account for this most common case.

As ssh/sshd (OpenSSH) gives you three chances to type in the right password by
default, I can actually do the assigning of a PIN as well.
The first pass is the token code, the second is the PIN and the third is the
confirmation of the PIN.  I think I will work on that next.

It was of vital importance to NOT change the client as we have a lot of people
here that use Windows clients and Java clients.

Did I miss something in the auth-pam that would allow for this complicated
interaction?

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E  2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA  3D 90 B9 9F BE 27 24 E7




