OpenSSH-2.2.0p1 + SecurID.
Theo E. Schlossnagle
theos at cnds.jhu.edu
Fri Sep 22 15:34:25 EST 2000
carl at bl.echidna.id.au wrote:
> If you're running RMS/Loonicks or Solaris, you can use SecurID with
> PAM (which is the whole point of PAM). It'd be really nice to get PAM
> support in some of the other UNIX's.
Acutally, I had a lot of trouble with SecurID and PAM. It worked great on the
console and for anything with freeform tty-style log ins, but for SecurID it
didn't work the way I needed.
The problem is that after the user enters the correct PIN, sometimes the
ACE/Server will request that the user enter the next token code. The hooks in
PAM are there to do this (and much more), but I didn't see the that ssh could
utilize this.
The patch I wrote will account for this most common case.
As ssh/sshd (OpenSSH) gives you three chances to type in the right password by
default, I can actually do the assigning of a PIN as well.
The first pass is the token code, the second is the PIN and the third is the
confirmation of the PIN. I think I will work on that next.
It was of vital importance to NOT change the client as we have a lot of people
here that use Windows clients and Java clients.
Did I miss something in the auth-pam that would allow for this complicated
interaction?
--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
More information about the openssh-unix-dev
mailing list