SSHD with Secured authentication, using RSA PAM client


SSHD with Secured authentication, using RSA PAM client

by Edward Reiss

Greetings,

Has anyone got ssh to authenticate to SecurID? We have to use the version
of sshd included with Solaris 9, 1.0.1, and we cannot get it to work. It
seems Solaris always tries to authenticate locally even after I configure
pam.conf. RSA has a "work around" but they do not support even the work
around. RSA will support OpenSSH, but not the sshd included with Solaris.

Any help would be appreciated.

_______________________________

Edward Reiss <ed.reiss@...>
Cell
631.681.7181
Landline
518.533.9764
Fax
631.881.5545
Quis custodiet ipsos custodes?

_______________________________



Re: SSHD with Secured authentication, using RSA PAM client

by Asif Iqbal-9

On 7/31/07, Edward Reiss <ed.reiss@...> wrote:
> Greetings,
>
> Has anyone got ssh to authenticate to SecurID? We have to use the version
> of sshd included with Solaris 9, 1.0.1, and we cannot get it to work. It

- You have to make sure your sshd is PAM-enabled.
  ldd `which sshd` should have libpam in there.

- man sshd_config. Depending on your sshd_config file you need to enable
  either one of the two, `UsePAM' or `PAMAuthenticationViaKBDInt'.

We enabled the radius daemon on our SecurID ACE server (RSA) and are using
pam_radius (of FreeRADIUS) instead. If you choose that path you need to
pick a radius secret key and need to add that key for your client in the
ACE database.

Most of our servers are using some flavor of ssh (openssh or sunssh or
ssh) and pam_radius. It basically prompts for Password: (you put your
passcode here). We also have sudo with pam enabled. So there is no local
password needed for users.

These are files I needed to modify
- /etc/raddb/server (only can access raddb dir)
- /etc/pam.conf - just two extra lines; one for sshd and one for sudo
- /etc/ssh/sshd_config OR /usr/local/etc/sshd_config

> seems Solaris always tries to authenticate locally even after I configure

It has nothing to do with Solaris. It is SSHD that you need to configure right.

> pam.conf. RSA has a "work around" but they do not support even the work
> around. RSA will support OpenSSH, but not the sshd included with Solaris.
>

The problem is not the ssh difference. It is all handled by pam. Both
SunSSH and OpenSSH know how to communicate with PAM if they are compiled
with the pam library.

> Any help would be appreciated.
>



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu

Re: SSHD with Secured authentication, using RSA PAM client

by K Kadow

On 7/31/07, Edward Reiss <ed.reiss@...> wrote:
> Has anyone got ssh to authenticate to SecurID? We have to use the version
> of sshd included with Solaris 9, 1.0.1, and we cannot get it to work. It
> seems Solaris always tries to authenticate locally even after I configure
> pam.conf. RSA has a "work around" but they do not support even the work
> around.

I've set up a number of machines for SecurID authentication with ssh,
but haven't tried it on any recent Solaris version.


> RSA will support OpenSSH, but not the sshd included with Solaris.

I believe you've answered your own question.

Kevin
--
Moderator, unofficial RSA ACE/Server + SecurID users group:
http://tech.groups.yahoo.com/group/securid-users/

RE: SSHD with Secured authentication, using RSA PAM client

by Reg Quinton

Edward, I don't know if this helps but we've had similar problems with RSA
clients, OpenSSH servers and PAM (at least on earlier versions of OpenSSH).

If you're using the RSA SSH client and you specify "Authentication Method"
as "password" that means traditional /etc/passwd and /etc/shadow file
methods. As I recall, to get PAM you need to specify "Keyboard Interactive".
Try that, it might help.



RE: SSHD with Secured authentication, using RSA PAM client

by Christian Lete Viesca

Hi Edward,

I have deployed OpenSSH along with SecurID. I'd recommend you get OpenSSH from sunfreeware; it's very simple and straightforward to do it that way. Is there a particular reason you are sticking to Solaris' ssh?

Cheers,


Christian Lete Viesca

UNIX/Jboss Administrator- IT Convergence Support Services

IT Convergence

 

Toll-free USA:        [1] (800) 675-0032 Ext. 2652

International:         [1] (415) 675-7935 Ext. 2652

Argentina:              [54 11] 4000-8400 or 0800-122-4821 Ext. 2652

México:                   01-800-777-0051 Ext. 2652

Shanghai:              [86] (21) 6279-8030 Ext. 2652

Cell Phone:            [54 911] 62014732

 

Email:                      clete@...

Website:                 http://www.itconvergence.com

 




RE: SSHD with Secured authentication, using RSA PAM client

by Edward Reiss

 
Christian,

We cannot use OpenSSH because our policies forbid us to use open source
software with no support contract.

Anyway, we got it to work by specifying keyboard interactive in the
/etc/ssh/sshd_config file. Now it works flawlessly. For some reason, RSA is
unaware of this fix.

Thanks to all for their input, especially Reg Quinton and Asif Iqbal! Both
of you pointed us in the right direction.

_______________________________

Edward Reiss <ed.reiss@...>
Cell
631.681.7181
Landline
518.533.9764
Fax
631.881.5545
Quis custodiet ipsos custodes?

_______________________________
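
As an added example (not part of any poster's message and not RSA or Sun tooling): a small shell audit of the two settings the thread settles on, the PAM option in sshd_config and an sshd auth line in pam.conf. The sample file contents, module paths and verdict strings are constructed assumptions, and an option that is absent from sshd_config is treated as not set.

```shell
#!/bin/sh
# Added example; file contents are constructed samples, not from the thread.

# "yes" if sshd_config turns on either PAM option named in the thread.
# Assumption: an absent or commented-out option counts as "no".
sshd_uses_pam() {
    awk '$1 ~ /^#/ { next }
         { k = tolower($1) }
         (k == "usepam" || k == "pamauthenticationviakbdint") && tolower($2) == "yes" { on = 1 }
         END { print (on ? "yes" : "no") }' "$1"
}

# Auth modules pam.conf lists for a service; PAM uses "other" when none exist.
pam_auth_modules() {   # pam_auth_modules <pam.conf> <service>
    awk -v svc="$2" '$1 ~ /^#/ || NF < 4 || $2 != "auth" { next }
         $1 == svc     { own = own " " $4 }
         $1 == "other" { oth = oth " " $4 }
         END { print (own != "" ? own : oth) }' "$1"
}

# Verdict for one host: audit <sshd_config> <pam.conf> <expected module name>
audit() {
    [ "$(sshd_uses_pam "$1")" = "yes" ] || { echo "pam-option-not-set"; return 0; }
    case "$(pam_auth_modules "$2" sshd)" in
        *"$3"*) echo "ok" ;;
        *)      echo "sshd-auth-uses-other-module" ;;
    esac
}

# Constructed sample files (module locations are assumptions).
write_samples() {
    cat > "$1/sshd_config.before" <<'EOF'
# PAMAuthenticationViaKBDInt yes
PasswordAuthentication yes
EOF
    cat > "$1/sshd_config.after" <<'EOF'
PAMAuthenticationViaKBDInt yes
EOF
    cat > "$1/pam.conf" <<'EOF'
sshd   auth required /usr/lib/security/pam_radius_auth.so
sudo   auth required /usr/lib/security/pam_radius_auth.so
other  auth required pam_unix_auth.so.1
EOF
    grep -v '^sshd' "$1/pam.conf" > "$1/pam.conf.nosshd"
}

d=$(mktemp -d) && write_samples "$d"
for c in before after; do audit "$d/sshd_config.$c" "$d/pam.conf" pam_radius_auth; done
audit "$d/sshd_config.after" "$d/pam.conf.nosshd" pam_radius_auth
rm -rf "$d"
```

The last call shows the case where sshd has no auth line of its own, so PAM applies the `other` entry and the local module answers instead of pam_radius.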




