how to compile ssh with Pam using securid

Scott Burch scott.burch at camberwind.com
Tue Sep 9 07:12:43 EST 2003


Udi,

Do you have privsep disabled? The RSA pam module for SecurID
authentication does not work with privsep enabled. If you want to use
privsep and still do your securid authentication then I strongly
recommend you use Vaclav's patch:

http://sweb.cz/v_t_m/

This is by far the most functional implementation of SecurID
authentication for OpenSSH and it works great.

-Scott


On Mon, 2003-09-08 at 10:34, Gamliel, Udi (NIH/CIT) wrote:
>  Hello 
>  I compiled openssh-3.6.1p2 like this "./configure --with-pam" and I did
>  configure /etc/pam.conf as follows
>  	# PAM configuration
>  	#
>  	# Authentication management
>  	#
>  	sshd    auth required   /lib/security/pam_securid.so reserve
>  	sftp    auth required   /lib/security/pam_securid.so reserve
>  	#
>  	login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
>  	login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
> 
>  where "/lib/security/pam_securid.so" is an RSA security lib.
>  I have no error when I compile the openssh but I do have a problem when I use
>  openssh with the RSA security library.
>  When I type the command "ssh machine_name.xxx.xxx.xxx" and watch the
>  securid log monitor, I see on the securid log monitor, before I get the
>  prompt to enter my PASSCODE,
> 
>  "ACCESS DENIED, syntax error"
> 
>  then I get the prompt
>  "ENTER PASSCODE "
>  When I put in my passcode it allows me to get in (login successfully)
>  (but when I ssh several times, because of the ACCESS DENIED message, the
>  securid locks me and disables my token).
> 
> 
>  One may think the RSA security library is the problem BUT
>  when I use the below compiled package
>  openssh-3.6.1p1-sol8-sparc-local (size 623506)
>  openssl-0.9.7b-sol8-sparc-local (size 3553460)
>  everything works just fine, no problem at all. But now you will ask me why
>  don't you use it?
>  Well, I have to know how to compile ssh like the one I downloaded from the
>  internet in case there is a vulnerability, so we can easily go to another
>  version of ssh.
> 
>   I hope I gave you enough info
>  one more detail
>  when I compile openssh ./configure --with-pam
>  at the END I get the message
>  =======================================================================
>                Random number source: OpenSSL internal ONLY
> 
>                Host: sparc-sun-solaris2.8
>            Compiler: gcc
>      Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
>  Preprocessor flags: -I/usr/local/ssl/include  -I/usr/local/include
>        Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib
>  -L/usr/local/lib -R/usr/local/lib
>           Libraries:  -lpam -ldl -lrt -lz -lsocket -lnsl -lcrypto
> 
>  PAM is enabled. You may need to install a PAM control file
>  for sshd, otherwise password authentication may fail.
>  Example PAM control files can be found in the contrib/
>  subdirectory
> 
> ============================================================================
>  I am not sure if I have to edit the files in
>  /contrib/sshd.pam.freebsd
>  /contrib/sshd.pam.generic
>  before I compile the new ssh and put the RSA securid library in
> /etc/pam.conf  as follows
> 
>  sshd auth required /lib/security/pam_securid.so reserve
> 
>   thank you very much again
>  Udi
>  301-435-1968
> 
> 
-- 
Scott Burch <scott.burch at camberwind.com>
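
An added example, not part of the original thread or of OpenSSH: a check for the combination the reply above describes, where sshd runs with privilege separation while /etc/pam.conf sends sshd auth through pam_securid.so. The function names and sample config text are constructed for illustration; it assumes a Solaris-style pam.conf and that UsePrivilegeSeparation is "yes" when the keyword is unset.

```python
import os

# Constructed sample input, modelled on the pam.conf lines quoted in the thread.
SAMPLE_PAM_CONF = """\
# Authentication management
sshd    auth required   /lib/security/pam_securid.so reserve
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
"""
# Constructed sshd_config: the only privsep line is commented out.
SAMPLE_SSHD_CONFIG = """\
Port 22
#UsePrivilegeSeparation no
"""


def sshd_option(config_text, keyword, default):
    """Effective value of an sshd_config keyword (first occurrence wins,
    keyword names are case-insensitive)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().strip('"').lower()
    return default


def pam_modules(pam_conf_text, service, module_type="auth"):
    """Module paths for one service in a Solaris-style pam.conf, whose fields
    are: service, module type, control flag, module path, options."""
    paths = []
    for raw in pam_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 4 and fields[0].lower() == service
                and fields[1].lower() == module_type):
            paths.append(fields[3])
    return paths


def securid_privsep_conflict(sshd_config_text, pam_conf_text):
    """True when sshd auth goes through pam_securid while privsep is on."""
    # Assumption: UsePrivilegeSeparation is "yes" when the keyword is unset.
    privsep = sshd_option(sshd_config_text, "UsePrivilegeSeparation", "yes")
    uses_securid = any(os.path.basename(p).startswith("pam_securid")
                       for p in pam_modules(pam_conf_text, "sshd"))
    return uses_securid and privsep != "no"
```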



