Hello all,
I looked long and hard for SecurID support for OpenSSH and I have not found
it. So, I spent a few hours today and added SecurID authentication support
into OpenSSH. Specifically the 2.2.0p1 portability release. I have beaten on
it for several hours and it seems to work just fine.
I don't know if anyone would find these patches useful or not... I also don't
know if the maintainers would like to integrate them into the source tree, as
they depend directly on a closed-source library from RSA (though only if you
enable support for it :)
I would like to hear the opinions of the maintainers/authors and the public
before I pollute the list with this patch.
I patched up the source tree so that if the SecurID headers are in your
include path already and you copy the sdiclient.a file into the openssh base
directory, all you have to do then is add --with-securid and it should compile
right in.
It works similarly to the Skey code (except less complicated) and it hooks in
at the beginning of the PAM and passwd authentication methods. It checks to see
if a user's shell ends with "sdshell" and, if it does, it attempts to do SecurID
authentication.
There is absolutely no documentation yet, but it can handle the "Please enter
next token" exception using send_debug_packet on the server side.
So if your login attempts are failing, you can run ssh -v [args] and it will
tell you "failed" or "please enter next token". Cute, and it required no
modification on the client side :)
For those who don't know, SecurID can ask you to enter the next code on your
token if you have several failed login attempts (so you'll have to enter two
passwords to log in). It does this to handle drift and prevent guessing (I
think).
Without integrated SecurID support, tools like scp and rsync (and anything
else over ssh) can be excruciatingly painful if not impossible.
What do you think?
--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
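As an added illustration, not part of Theo's patch (which is not on the page), here is a small C model of the hook he describes: the "sdshell" suffix check on the login shell, and the two-step "next token" exchange that the server relays to the client as a debug message. The ACE server, its result codes and the tokencodes are constructed stand-ins; the real sdiclient.a interface is not shown on the page.

```c
#include <string.h>
/* True if the login shell path ends in "sdshell" (e.g. /usr/ace/prog/sdshell). */
int securid_user(const char *shell) {
    const char suffix[] = "sdshell";
    size_t n, m = sizeof(suffix) - 1;
    if (shell == NULL || (n = strlen(shell)) < m) return 0;
    return strcmp(shell + n - m, suffix) == 0;
}
/* Stand-ins for the sdiclient.a result codes, which are not on the page. */
enum sd_result { SD_ACCEPT, SD_REJECT, SD_NEXT_TOKEN };
/* Constructed ACE-server stand-in: after FAIL_LIMIT straight rejects a correct
 * passcode is not enough on its own; the next tokencode is demanded as well. */
#define FAIL_LIMIT 3
struct sd_state { int failures, awaiting_next; const char *current, *next; };
static enum sd_result sd_check(struct sd_state *s, const char *passcode) {
    if (s->awaiting_next) {                      /* second step of the exchange */
        s->awaiting_next = 0;
        if (strcmp(passcode, s->next) != 0) return SD_REJECT;
    } else {
        if (strcmp(passcode, s->current) != 0) { s->failures++; return SD_REJECT; }
        if (s->failures >= FAIL_LIMIT) { s->awaiting_next = 1; return SD_NEXT_TOKEN; }
    }
    s->failures = 0;                             /* success clears the failure count */
    return SD_ACCEPT;
}

/* Server-side hook; returns 1 on success. *asked_next is set when the next
 * tokencode was demanded, which the patch relays as a debug packet (ssh -v). */
int auth_securid(struct sd_state *s, const char *pw_shell, const char *passcode,
                 const char *next_code, int *asked_next) {
    *asked_next = 0;
    if (!securid_user(pw_shell)) return 0;       /* not a SecurID user: fall through */
    enum sd_result r = sd_check(s, passcode);
    if (r == SD_NEXT_TOKEN) {
        *asked_next = 1;
        r = next_code ? sd_check(s, next_code) : SD_REJECT;
    }
    return r == SD_ACCEPT;
}

/* Scenario from the mail: three wrong passcodes, then the right one plus the given
 * next tokencode. Bit 0 = logged in, bit 1 = the next token was requested. */
int scenario_after_failures(const char *next_code) {
    struct sd_state s = { 0, 0, "123456", "654321" };   /* constructed codes */
    const char *shell = "/usr/ace/prog/sdshell";
    int asked, ok, i;
    for (i = 0; i < FAIL_LIMIT; i++) auth_securid(&s, shell, "000000", NULL, &asked);
    ok = auth_securid(&s, shell, "123456", next_code, &asked);
    return ok | (asked << 1);
}
```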