I've been through the archive, and not found anything
conclusive, except for a problem report of sorts from
Theo E. Schlossnag (who has a set of patches for SecurID
integration).

I'm about to replace some ssh 1.2.26 (I know!) installations
with OpenSSH 2.5.1p2, on Solaris 2.6 sparc boxes, and
we use SecurID tokens for these boxes.

I've compiled up OpenSSH 2.5.1p2 with --with-pam, and
thrown pam-radius 1.3.11 into a package, and I think it'll
work, but I can't test on the boxes that need the tokens
without jumping through a lot of firewall admin hoops.

Can anyone tell me if it will work? The SecurID server is a
radius daemon, we have a lot of ssh v1 stuff still (I'm getting
rid of it slowly, but can't do it all at once), has anyone got
this working at all?

Theo's comments in Jan have me worried, and if I lock myself
out of these boxes, it's a flight interstate with a boot up my
backside to fix it!

So, before I go to the trouble of setting up VPNs etc to this
server, can anyone tell me if they have it working? Or, what's
the status with Theo's patches?

Thanks

Carl

On Tue, 6 Mar 2001 carl at bl.echidna.id.au wrote:

>
> I've been through the archive, and not found anything
> conclusive, except for a problem report of sorts from
> Theo E. Schlossnag (who has a set of patches for SecurID
> integration).
>
> I'm about to replace some ssh 1.2.26 (I know!) installations
> with OpenSSH 2.5.1p2, on Solaris 2.6 sparc boxes, and
> we use SecurID tokens for these boxes.
>
> I've compiled up OpenSSH 2.5.1p2 with --with-pam, and
> thrown pam-radius 1.3.11 into a package, and I think it'll
> work, but I can't test on the boxes that need the tokens
> without jumping through a lot of firewall admin hoops.

If you limit yourself to SSH protocol 2, using
ChallengeResponseAuthentication, then just about any PAM module
should work. Not that I have tried them all :)

If you are concerned about locking yourself out of a box, you can
always run OpenSSH on a high numbered port (2222 is a favourite)
while testing.

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org            /   distributed filesystem'' - Dan Geer