Pantek Library

RE: OpenSSH + RADIUS/RSA SecurID

From: Chris Macneill <temp(at)eguesswork.co.uk>
Date: Mon Apr 21 2003 - 10:16:04 EDT


Jeremy,

I used to work for RSA Security and have recently been doing some consultancy work for them to integrate SecurID and ACE/Server into OpenSSH. I completed the work a few weeks ago on OpenSSH v3.5 and there is due to be a follow-on contract to redo the work in OpenSSH v3.6.1.

I am trying to persuade RSA Security to allow the code to be put into the Public Domain and, if I may, I will pass your details on to my contact at RSA. We need all the help we can get to persuade the powers that be at RSA to release the code.

As another reply suggests, there have to my knowledge been at least three other attempts, besides mine, to integrate SecurID with OpenSSH. However, none of the other solutions appear to solve the problems 100%; some provide only minimal integration, some do not support Privilege Separation. Mine of course does support all modes of the SecurID Token and integrates with popular Windows-based SSH Clients such as F-Secure, SecureCRT and SecureFX. :-)

If you want to run your OpenSSH on Linux and authenticate to ACE/Server on one of their supported platforms, that's OK. ACE/Agent API libraries exist for Linux.

Another alternative is to use PAM; RSA Security have just released PAM modules for Solaris and Linux. However, I don't know how well these will integrate with OpenSSH; no one has tried yet. I preferred a generic approach; the code I have integrated with OpenSSH will work with any platform for which ACE/Agent API libraries are available.

Regards,

Chris Macneill
Educated Guesswork Ltd.


-----Original Message-----
From: Jeremy Campbell [mailto:jrcampbell@southbank.com]
Sent: 18 April 2003 21:37
To: 'secureshell@securityfocus.com'
Subject: OpenSSH + RADIUS/RSA SecurID

My ultimate goal is to have SSH connections (to be used for tunneling into our network) be validated off our RSA ACE/Server. Does anyone have experience in doing this?

I see two different routes:

Either make OpenSSH SecurID aware and authenticate against the ACE/Server, or
Make OpenSSH RADIUS aware and authenticate vs. the ACE/Server RADIUS server.

Making OpenSSH RADIUS aware seems like it would be the most supported step. Is anyone aware of documentation on making this happen?

Any suggestions would be much appreciated. I'm running FreeBSD, by the way, so whether or not I could run the Linux ACE/Host software is unknown to me...

Thanks,
Jeremy Campbell

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.470 / Virus Database: 268 - Release Date: 08/04/2003
 
Received on Mon Apr 21 12:07:01 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:57 EDT
