Re: [securid-users] SecurID/OpenSSH client
On Mon, Feb 07, 2005 at 05:06:28PM -0000, Wiggum19 wrote:
> This may be silly question, but I didn't see anything in the archives.
> Is there a plan for securid becoming an allowedauthentication source
> in the base openssh distribution (i.e. I don't need to patch it)?
I'm not sure that this is legally possible, as OpenSSH would need
to include code to talk to the ACE server as an "agent host".
Unfortunately, RSA does not publish this as source code.
If your OS supports authentication via RADIUS or TIS-FWTK Authsrv,
(OpenBSD -current supports both) either of these protocols supports
proxy authentication to SecurID; the ACE/Server includes a free
RADIUS server implementation.
Of course, both of these protocols also have security flaws; primarily,
they are vulnerable to spoofing attacks. Since the ACE protocol and
the source to the ACE libraries are both proprietary, it is not known
whether the ACE "agent host" network protocol has similar flaws.
> I hate using ssh.com ssh for my SecureID only stuff, and openssh for
> everything else (and I would prefer not to patch openssh/download ACE
> kit etc.)
Unfortunately, to authenticate directly to an ACE server as an
"agent host" requires talking the (proprietary) ACE protocol. There
is no legitimate open-source implementation of this protocol; the
only way to implement an ACE authentication client is to download
the libraries from RSA for your OS and link to these binary-only
libraries.
Currently RSA publishes the library as a binary distribution for
a select handful of operating systems; OpenBSD, the primary
development platform for OpenSSH, is NOT among these. (Additionally,
OpenBSD is averse to linking any code, much less security-critical
code, to a binary-only library).
IMHO, using RADIUS is the easiest way to implement SecurID
authentication for http, ftp, SSH, sudo, and other services across
diverse hardware and software platforms. There are drawbacks to this
approach; for example, it can be difficult (if not impossible) to
successfully set a PIN or clear "next tokencode" mode via RADIUS.
Kevin Kadow
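As an added illustration (not code from the thread or from RSA/OpenSSH), the following shows the RFC 2865 Response Authenticator check a RADIUS client performs on an Access-Accept when SecurID is proxied over RADIUS: a reply is bound to the client's random Request Authenticator and to the shared secret, so a reply built without the secret, or a genuine reply replayed against a different request, is rejected. Secret, identifiers and user name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample value for this example; not from the original thread.
SHARED_SECRET = b"example-shared-secret"  # secret shared between the NAS and the RADIUS server

def radius_attribute(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_request(identifier, attrs):
    """NAS side: Access-Request (Code 1) with a fresh random Request Authenticator."""
    request_auth = os.urandom(16)
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def response_authenticator(code, identifier, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, identifier, request_auth, attrs, secret):
    """Server side: Access-Accept (Code 2) or Access-Reject (Code 3) bound to one request."""
    auth = response_authenticator(code, identifier, request_auth, attrs, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs

def verify_reply(reply, request_auth, secret):
    """NAS side: accept a reply only if its authenticator matches our request and our secret."""
    if len(reply) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, identifier, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def demo():
    """Returns (genuine_ok, wrong_secret_ok, replayed_ok) for a constructed login exchange."""
    attrs = radius_attribute(1, b"alice")  # User-Name attribute (constructed)
    _, req_auth = build_access_request(7, attrs)
    genuine = build_reply(2, 7, req_auth, b"", SHARED_SECRET)
    wrong_secret = build_reply(2, 7, req_auth, b"", b"not-the-real-secret")  # built without the secret
    _, other_auth = build_access_request(8, attrs)  # a later request with its own authenticator
    return (verify_reply(genuine, req_auth, SHARED_SECRET),
            verify_reply(wrong_secret, req_auth, SHARED_SECRET),
            verify_reply(genuine, other_auth, SHARED_SECRET))  # genuine reply replayed to the new request
```

The check is only as strong as the shared secret and the randomness of each Request Authenticator; a guessable secret or a reused authenticator is what makes the spoofing the post warns about practical.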