openssh, pam and cryptocard's cryptoadmin / easyradius
Guido Paliot
guido.paliot at to.com
Tue Dec 18 20:30:22 EST 2001
Hi,
this is merely FYI, but I would appreciate it if someone had any comments
or further information on the topic.
We were using the following setup:
cryptocard easyradius with RB-1 hardware tokens (hex or decimal display,
synchronous (quicklog) mode)
f-secure ssh with pam radius authentication
This worked fine until we updated to openssh 2.9p2. Then all
authentications where the response included alpha characters did not work
anymore. That means that users whose tokens were set to hexadecimal
display could not authenticate, except when their hex response contained
numbers _only_.
We reprogrammed all tokens to decimal display and contacted cryptocard.
You find their response forwarded.
Regards,
Guido Paliot
--
----------------------------------------------------------------------
Guido Paliot guido.paliot at to.com
Thinking Objects phone: +49.711.88770.400
Lilienthalstraße 2 fax: +49.711.88770.449
70825 Stuttgart-Korntal, Germany
----------------------------------------------------------------------
---------- Forwarded message ----------
Date: Tue, 11 Dec 2001 11:33:38 -0500
From: Felix Franceschina <Felix at cryptocard.com>
To: Guido Paliot <guido.paliot at to.com>
Subject: OpenSSH and PAM
Guido,
Upgrading to the latest version of CRYPTOAdmin 5.16 will not help. Here is what happens.
If the sshd pam configuration file is set up like this:
auth sufficient /lib/security/pam_radius_auth.so
- A normal numeric response will go through.
- If an alphanumeric response is entered into the response prompt it will take it but then display a challenge and ask for the same response again.
Once the response is entered again you will be connected.
This is not a function of the CRYPTOAdmin server or the PAM module (the same thing happens with the freeradius.org PAM RADIUS module). The SSH server doesn't understand the alphanumeric response. Given the complexity of SSH Clients (Windows and Linux) I suggest changing all your tokens over to numeric if you wish to use SSH. The other daemons (login, ftp, ppp) do not have this problem.
Felix Franceschina
Unix Technical Support
CRYPTOCard Corp.
1.800.307.7042
1.613.599.2441
felix at cryptocard.com
---------------------------------------------------------------------
To unsubscribe, e-mail: secureshell-unsubscribe at securityfocus.com
For additional commands, e-mail: secureshell-help at securityfocus.com