RE: ssh authentication with RSA SECURID

From: Chris Macneill <chris.macneill(at)eguesswork.co.uk>
Date: Sat Feb 01 2003 - 07:59:07 EST


Brian,

I used to work for RSA and am now an independent consultant with some 10 years' experience of RSA ACE/Server. I have also implemented a couple of SecurID integrations with SSH for US based customers.

When RSA ACE/Agent is implemented on most UNIX systems you replace the user's login shell in /etc/passwd with the path to 'sdshell'. In AIX there is a feature built into 'login' which allows Third Party authentication systems to integrate directly. As many applications check UNIX static passwords directly with the user's entry in /etc/passwd or /etc/shadow they bypass any additional features of 'login'. SSHD can be configured either to check UNIX passwords directly hence bypassing SecurID or to call 'login' and allow it to authenticate the user fully.

To resolve your problem you need to do one of three things, I've listed them in order of ease of implementation:-

  1. This method allows the user to have a SecurID PASSCODE only or both UNIX Password and SecurID PASSCODE. In sshd_config set UseLogin to 'yes'.
  2. This method requires the user to use a UNIX Password AND SecurID PASSCODE. If you set a NULL UNIX Password then users will be able to login to any application that checks the encrypted password directly, e.g. FTP, SFTP, without any authentication! For each user set the Primary authentication method to Password and the Secondary Method to None. Modify each user's default shell to be the path to 'sdshell'. The users "real" default shell is defined in the ACE/Server database.
  3. Integrate the ACE/Agent APIs directly with the SSH source code. I have done this for a couple of customers and currently have SSH v3.2.5 with v3.4 patches for memory leaks working OK. I am just waiting for final sign off on a project to implement ACE/Agent into SSH v3.5. However, the privilege separation features in the newer SSH versions are proving a bit of a headache at the moment. Unfortunately Privilege Separation is not very well documented and it's not easy to work it out directly from the source code. It would be nice if someone with intimate knowledge of this feature could write a simple White Paper on how to add a new command into the Privilege Separation model.

Option 2 is only useful for SSH. SCP and SFTP do not use a shell and consequently won't be SecurID authenticated.

Options 1 & 2 only work satisfactorily for a command line connection to SSH, SCP & SFTP. If you want to use a GUI based SSH or SFTP Client, then this will probably require integration of the ACE/Agent APIs. Support for GUI based clients needs to be implemented using the Keyboard-Interactive method and this bypasses the UseLogin method. You can use the basic Password authentication method with GUI based clients and enter the SecurID PASSCODE at the password prompt, but this method does not know about the intermediate modes of the SecurID Token, "New PIN" and "Next TokenCode". Consequently the Password method is pretty brain dead for SecurID Tokens and not recommended for the average user population. Each GUI based client needs to be integrated and tested separately as each vendor detects and presents prompts slightly differently. I have already integrated SecureCRT v4.0 and SecureFX v2.1 from VanDyke.

There are a couple of RSA ACE/Agent integrations with SSH kicking around in the Public Domain, but as far as I can tell they are all command line based and do not implement either Keyboard-Interactive method or Privilege Separation.

The work I have done on ACE/Agent integration with SSH has been through RSA Security for a US based End User. Consequently RSA own the IPR, I have tried to persuade RSA to allow the code to be put in the Public Domain, but so far have made little progress. If anyone out there wants access to this code I suggest you contact RSA and bring pressure to bear. Unfortunately my lone voice doesn't get heard by anyone with sufficient authority to make this happen.

Regards

Chris Macneill

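Added example, not part of Chris's post or of any RSA product: a small POSIX shell audit for the two conditions described above, namely whether sshd_config has UseLogin set to yes (option 1) and, for option 2, which accounts have sdshell as their login shell and which accounts carry an empty UNIX password in the shadow file (the case that lets FTP or SFTP accept a login with no credential at all). The sshd_config, passwd and shadow contents are constructed samples, and the sdshell path is a placeholder; point the functions at the real files to run it on a host.

```sh
#!/bin/sh
# Added example (not from the original post): audit sshd_config, passwd and
# shadow for the SecurID-related settings discussed in the thread.

# Build constructed sample files in a temporary directory and print its path.
# The sdshell path below is a placeholder, not the real install location.
setup_samples() {
  dir=$(mktemp -d)
  cat > "$dir/sshd_config" <<'EOF'
# constructed sshd_config sample
Port 22
UseLogin no
PasswordAuthentication yes
EOF
  cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1001:100::/home/alice:/path/to/sdshell
bob:x:1002:100::/home/bob:/bin/ksh
EOF
  cat > "$dir/shadow" <<'EOF'
root:$1$placeholder:12000:0:99999:7:::
alice::12000:0:99999:7:::
bob:$1$placeholder:12000:0:99999:7:::
EOF
  echo "$dir"
}

# Exit 0 when "UseLogin yes" is present (case-insensitive) in the given
# sshd_config, 1 otherwise. Comment lines start with '#' so never match.
uselogin_enabled() {
  awk 'BEGIN { r = 1 }
       tolower($1) == "uselogin" && tolower($2) == "yes" { r = 0 }
       END { exit r }' "$1"
}

# Print the names of accounts whose login shell is sdshell (option 2 users).
sdshell_users() {
  awk -F: '$7 ~ /sdshell$/ { print $1 }' "$1"
}

# Print accounts whose shadow password field is empty: these can log in to
# anything that checks the encrypted password directly without any credential.
empty_password_users() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Run all checks; return the number of findings (0 means nothing to fix).
audit() {
  cfg=$1; pw=$2; sh=$3; findings=0
  if uselogin_enabled "$cfg"; then
    echo "OK:   UseLogin yes, sshd hands authentication to login(1)"
  else
    echo "WARN: UseLogin is not yes, sshd checks UNIX passwords itself"
    findings=$((findings + 1))
  fi
  for u in $(sdshell_users "$pw"); do
    echo "INFO: $u has sdshell as login shell (SSH only, not SCP/SFTP)"
  done
  for u in $(empty_password_users "$sh"); do
    echo "CRIT: $u has an empty UNIX password; FTP/SFTP accept it unauthenticated"
    findings=$((findings + 1))
  done
  return $findings
}

# Stand-alone demonstration on the constructed samples: ./audit.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(setup_samples)
  audit "$d/sshd_config" "$d/passwd" "$d/shadow"
fi
```

On the constructed sample the audit reports two findings: UseLogin is off, and alice (the sdshell user) has an empty password, which is exactly the combination the post warns against.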
-----Original Message-----
From: brian.becker@CenterPointEnergy.com [mailto:brian.becker@CenterPointEnergy.com]
Sent: 30 January 2003 20:28
To: secureshell@securityfocus.com
Subject: ssh authentication with RSA SECURID

Here is my configuration. IBM 150 server running AIX 4.3.3 with RSA/AGENT installed. Windows 2k PC with RSA server installed.

When logging into the IBM 150 using telnet the authentication from RSA works perfectly. Management wants ssh used instead of telnet. ssh was installed.

The problem is when I log into the 150 using ssh the ace authentication is bypassed and I'm able to log into the 150 just using the username/passwd.

Is there something that needs definition in sshd_config that I'm missing?

Any help would be appreciated

Thanks



Brian A. Becker
Lead Control Systems Analyst
Centerpoint Energy
713-207-2184
brian.becker@centerpointenergy.com

Received on Mon Feb 3 13:05:09 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:53 EDT
