how to compile ssh with Pam using securid

Gamliel, Udi (NIH/CIT) GamlielU at exchange.nih.gov
Tue Sep 9 01:22:51 EST 2003




> Hello 
> I compiled openssh like this "./configure --with-pam" and I did configure
> /etc/pam.conf as follows
> 	# PAM configuration
> 	#
> 	# Authentication management
> 	#
> 	sshd    auth required   /lib/security/pam_securid.so reserve
> 	sftp    auth required   /lib/security/pam_securid.so reserve
> 	#
> 	login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> 	login   auth required   /usr/lib/security/$ISA/pam_dial_auth.so.1
>
> where "/lib/security/pam_securid.so" is an RSA security lib
> I have no error when I compile the openssh but I do have problem when I use
> openssh with RSA security library.
> when I type the command "ssh machine_name.xxx.xxx.xxx" while watching
> securid log monitor
> so before I get the prompt to enter my PASSCODE I see on the log monitor
> "ACCESS DENIED, syntax error"
> then I get the prompt
> "ENTER PASSCODE "
> when I put in my passcode, it allows me to get in (login successfully)
> (but when I ssh several times, because of the ACCESS DENIED message,
> SecurID locks me and disables my token).
>
>
> One may think the RSA security library is the problem BUT
> when I use the below compiled package
> openssh-3.6.1p1-sol8-sparc-local (size 623506)
> openssl-0.9.7b-sol8-sparc-local (size 3553460)
> everything works just fine no problem at all. But now you will ask me why
> don't you use it ?
> well, I have to know how to compile ssh in case when there is a
> vulnerability we easily can go to another
> version of ssh.
>
>  I hope I gave you enough info
> one more detail
> when I compile openssh ./configure --with-pam
> at the END I get the message
> =======================================================================
>               Random number source: OpenSSL internal ONLY
>
>               Host: sparc-sun-solaris2.8
>           Compiler: gcc
>     Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
> Preprocessor flags: -I/usr/local/ssl/include  -I/usr/local/include
>       Linker flags: -L/usr/local/ssl/lib -R/usr/local/ssl/lib
> -L/usr/local/lib -R/usr/local/lib
>          Libraries:  -lpam -ldl -lrt -lz -lsocket -lnsl -lcrypto
>
> PAM is enabled. You may need to install a PAM control file
> for sshd, otherwise password authentication may fail.
> Example PAM control files can be found in the contrib/
> subdirectory
>
> =======================================================================
> I am not sure if I have to edit the files in
> /contrib/sshd.pam.freebsd
> /contrib/sshd.pam.generic
> before I compile the new ssh and put the RSA securid lib as follows
> sshd auth required /lib/security/pam_securid.so reserve
>
>  thank you very much again
> Udi
> 301-435-1968
>
> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Friday, September 05, 2003 2:37 PM
> To: Gamliel, Udi (NIH/CIT)
> Cc: 'openssh-unix-dev at mindrot.org'; 'Udi (E-mail)'
> Subject: Re: how to compile ssh with pam
>
>
>
> ./configure --with-pam
>
> is all you need to do to compile in PAM support.. you may need a
> /etc/pam.conf file depending on your platform.  look on contrib/ directory
> for examples.
>
> - Ben
>
> On Fri, 5 Sep 2003, Gamliel, Udi (NIH/CIT) wrote:
>
> >
> >
> >
> > Hello
> >
> > I have compiled openssh3.6.1p2 with PAM and am using an RSA Security (ACE) token.
> >
> > the commands I used to compile ssh are as follows:
> >
> > 1. ./configure --with-pam
> >
> > 2. make
> >
> > 3. make install
> >
> > After starting  the sshd daemon, I  authenticate using the command
> >
> > "ssh xxx.yyy.nih.gov"
> >
> > On the SecurID server I was watching the log monitor and I saw the following
> > errors :
> >
> > "ACCESS DENIED, syntax error" before I get the prompt for Passcode
> >
> > and when I put in my passcode, it lets me log in. Doing that several times,
> >
> > SecurID puts me in the "next token code" and then disables my token.
> >
> > I called RSA security and we found out that the problem was in the openssh.
> >
> > when RSA sent me a compiled openssh that can be found on the internet, then
> >
> > everything worked just fine with no errors.
> >
> > The fact is that we can not depend on finding a compiled openssh with PAM on
> > the
> >
> > internet, so I compiled my own version with Pam
> >
> > but of course I am sure I am missing some compilation switches and options.
> >
> > SO my question to you is :
> >
> > How do I compile an openssh that works with PAM on Unix or Linux.
> >
> > Thank you very much
> >
> > Udi Gamliel
> >
> > 301-435-1968
> >
> >
> >
> >
> >
> > Udi Gamliel
> >
> > DNST/EOS
> >
> > Tel - 301-435-1968
> >
> > 10401 Fernwood 20814
> >
> >
> >
> >
>
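
For checking a hand-edited /etc/pam.conf like the one quoted above, this added example (not code from the thread or from OpenSSH) lists which entries a service ends up with for each module type. It assumes the pam.conf rule that a service with no entry for a module type uses the `other` entries; `pam_stack` and `sample_pam_conf` are hypothetical names and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): show which pam.conf entries a service
# ends up with, one line per module type.
# pam.conf fields: service  module_type  control_flag  module_path  [options]

# Constructed sample: the sshd and login auth lines follow the quoted post;
# the "other" lines are invented for this illustration.
sample_pam_conf() {
    cat <<'EOF'
# PAM configuration (constructed sample)
sshd    auth required   /lib/security/pam_securid.so reserve
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
EOF
}

# pam_stack SERVICE [FILE]   (reads stdin when FILE is omitted)
# Prints "type source control_flag module_path"; source is the service name,
# "other" when the fallback entries apply, or "none" when nothing matches.
pam_stack() {
    awk -v svc="$1" '
        BEGIN { svc = tolower(svc) }
        /^[ \t]*#/ || NF < 4 { next }       # comments, blank or short lines
        {
            s = tolower($1); t = tolower($2)
            if (s == svc || s == "other")
                rows[s, t] = rows[s, t] t " " s " " $3 " " $4 "\n"
        }
        END {
            n = split("auth account session password", types, " ")
            for (i = 1; i <= n; i++) {
                t = types[i]
                if ((svc, t) in rows)          printf "%s", rows[svc, t]
                else if (("other", t) in rows) printf "%s", rows["other", t]
                else                           print t " none - -"
            }
        }' "${2:--}"
}

sample_pam_conf | pam_stack sshd
```

Run it against the real file with `pam_stack sshd /etc/pam.conf`; a `none` row means no entry, not even a fallback, exists for that module type.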



