Re: SSHD with Secured authentication, using RSA PAM client



On 7/31/07, Edward Reiss <ed.reiss@xxxxxxxxxxxx> wrote:
Greetings,

Has anyone got ssh to authenticate to SecurID? We have to use the version
of sshd included with Solaris 9, 1.0.1, and we cannot get it to work. It

- You have to make sure your sshd is PAM enabled.
ldd `which sshd` should have libpam in there.

- man sshd_config. Depending on your sshd_config file you need to enable
either one of the two: `UsePAM' or `PAMAuthenticationViaKBDInt'.

We enabled the radius daemon on our SecurID ACE server (RSA) and are using
pam_radius (of FreeRADIUS) instead. If you choose that path you need to
pick a radius secret key and need to add that key for your client on
the ACE database.

Most of our servers are using some flavor of ssh (openssh or sunssh or
ssh) and pam_radius. It basically prompts for Password: (you put your
passcode here). We also have sudo with PAM enabled, so there is no local
password needed for users.

These are the files I needed to modify:
- /etc/raddb/server (only can access raddb dir)
- /etc/pam.conf - just two extra lines; one for sshd and one for sudo
- /etc/ssh/sshd_config OR /usr/local/etc/sshd_config

seems Solaris always tries to authenticate locally even after I configure

It has nothing to do with Solaris. It is SSHD that you need to configure right.

pam.conf. RSA has a "work around" but they do not support even the work
around. RSA will support OpenSSH, but not the sshd included with Solaris.


The problem is not the ssh difference. It is all handled by PAM. Both
SunSSH and OpenSSH know how to communicate with PAM if they are compiled
with the PAM library.

Any help would be appreciated.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
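
A way to check the pieces listed in the reply above (PAM enabled in sshd_config, an auth line for sshd and for sudo in pam.conf, and the pam_radius server file), as an added example that is not part of the original message. The function names and the sample file contents (host name, secret, module path) are constructed, and the owner-only permission check on the server file is an assumption about how the shared secret should be protected.

```sh
#!/bin/sh
# Added example: audit the three files the reply lists for an sshd + pam_radius setup.

# 0 if sshd_config enables PAM through either keyword named in the reply.
# sshd_config keywords are case-insensitive; commented-out lines are ignored.
sshd_pam_enabled() {
    awk 'tolower($1) ~ /^(usepam|pamauthenticationviakbdint)$/ &&
         tolower($2) == "yes" { ok = 1 }
         END { exit !ok }' "$1"
}

# 0 if pam.conf has an uncommented "auth" entry for service $2 that loads pam_radius.
# pam.conf columns: service  type  control-flag  module  [options]
pam_service_uses_radius() {
    awk -v svc="$2" '$1 == svc && $2 == "auth" && $4 ~ /pam_radius/ { ok = 1 }
         END { exit !ok }' "$1"
}

# 0 if the file holding the RADIUS shared secret has no group/other permission bits
# (assumption: the secret should be readable by its owner only).
secret_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: audit <sshd_config> <pam.conf> <raddb/server>
# Prints one PASS/FAIL line per check and returns non-zero if any check failed.
audit() {
    rc=0
    sshd_pam_enabled "$1" && echo "PASS sshd: PAM enabled" ||
        { echo "FAIL sshd: PAM not enabled"; rc=1; }
    for svc in sshd sudo; do
        pam_service_uses_radius "$2" "$svc" && echo "PASS $svc: pam_radius auth line" ||
            { echo "FAIL $svc: no pam_radius auth line"; rc=1; }
    done
    secret_file_private "$3" && echo "PASS secret file: owner-only" ||
        { echo "FAIL secret file: accessible by group/other"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder host and secret), written into directory $1.
make_sample() {
    printf '# constructed sample\nProtocol 2\nUsePAM yes\n' > "$1/sshd_config"
    printf 'sshd auth required pam_radius_auth.so\nsudo auth required pam_radius_auth.so\n' > "$1/pam.conf"
    printf 'radius.example.invalid EXAMPLE-SECRET 3\n' > "$1/server"
    chmod 600 "$1/server"
}

d=$(mktemp -d) && make_sample "$d" && audit "$d/sshd_config" "$d/pam.conf" "$d/server"
rm -rf "$d"
```

On a real host, call `audit` with the paths from the list above; whether sshd itself is linked against libpam is still checked with the `ldd` command from the reply.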


