When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
code/patch is not in OpenSSH 2.5.1.

I'm not sure how or why that happened.

Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
easily provide a 'SecurID Authentication Method' patch (which would
rely on -DHAVE_SECURID, -I/blah/securid/include, and
-L/blah/securid/lib... /blah/securid being a proprietary product
from Security Dynamics)

I'm not committing to anything yet, but is this something that will
be welcome if I do it? ... or shall I just hack the source again
to turn auth_password into something that does SecurID only for
our specific needs. Seems silly.
On Mon, 19 Mar 2001, Jeff Blaine wrote:
> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.

I think there was a policy decision against n+1 _proprietary_
authentication mechanisms some time ago. Could be wrong.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
On Mon, 19 Mar 2001, Jeff Blaine wrote:
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.

I won't speak for Markus or the other OpenBSD developers, but I don't
believe we should include code for proprietary authentication systems
into OpenSSH.

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org             /   distributed filesystem'' - Dan Geer
Jeff;

Theo Schlossnagle has a patch for securid. It works in 2.3 but I haven't
had a chance to try it in 2.5.

Contact:
Author: Theo Schlossnagle <jesus at omniti.com>

The last time we discussed this there was a "general" agreement that a
patch could be added to the contrib directory. Is that still the case?

Donald.Smith at qwest.com
IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Jeff Blaine [mailto:jblaine at linus.mitre.org]
> Sent: Monday, March 19, 2001 2:52 PM
> To: openssh-unix-dev at mindrot.org
> Subject: SecurID
>
>
> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.
>
Read the archive :-)

Will they accept the patch? The OpenSSH project has made the policy
clear -- no.

There is a "rogue" patch already for OpenSSH that supports SecurID. It is
used in production and is considered stable.

http://www.omniti.com/~jesus/projects/

I have not ported the patch up to 2.5.1p1 because I have had _more_
problems with 2.5.1p1 than with 2.3.0p1. I have not been motivated to
port it (should take 15 minutes and it could even "fuzzy" patch
out-of-the-box).

If people want this ported to 2.5.1p1, I will do it. I got a slew of
email to port it to 2.3.0p1 and _not a single message_ to port it to
2.5.1p1 -- perhaps people are seeing the same problems I am. I was
planning on porting on a more "stable" release than 2.5.1p1 (perhaps
2.5.2p1?)

The only issue I have with the OpenSSH group not accepting the patch is
that it makes it more inconvenient for other people to use it. Other
than that, I could care less.

Many thanks to all of the participants of the OpenSSH project. Plain and
simple, this product allows me to do my job.

Jeff Blaine wrote:
>
> When comparing SSH 1.2.27 with OpenSSH 2.5.1 I see that the SecurID
> code/patch is not in OpenSSH 2.5.1.
>
> I'm not sure how or why that happened.
>
> Upon looking through the OpenSSH 2.5.1 source, I think I could fairly
> easily provide a 'SecurID Authentication Method' patch (which would
> rely on -DHAVE_SECURID, -I/blah/securid/include, and
> -L/blah/securid/lib... /blah/securid being a proprietary product
> from Security Dynamics)
>
> I'm not committing to anything yet, but is this something that will
> be welcome if I do it? ... or shall I just hack the source again
> to turn auth_password into something that does SecurID only for
> our specific needs. Seems silly.

--
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7