root/patches/openssh-2.9p2+SecurID.README

Revision 1, 3.6 kB (checked in by jesus, 6 years ago)

initial import

/*
 * Author: Theo Schlossnagle <jesus@omniti.com>
 * Copyright (c) 2000,2001 Theo Schlossnagle <jesus@omniti.com>
 *                    All rights reserved
 * Created: September 21, 2000
 * License: OpenSSH License.  See the license for OpenSSH for more details.
 *
 * June 28, 2001:
 * Updated to 2.9p2 -- jesus@omniti.com
 * no new features
 *
 * April 24, 2001:
 * Updated to 2.9p1 -- jesus@omniti.com
 * added autoconf clauses to fault if sdiclient.a and headers aren't there.
 *
 * April 21, 2001:
 * Updated to 2.5.2p2 -- jesus@omniti.com
 * Incorporated some bug fixes from Anders Olsen to fix next-token code.
 *
 * March 19, 2001:
 * Updated to 2.5.2p1 -- jesus@omniti.com
 *
 * December 20, 2000:
 * Updated to 2.3.0p1 -- jesus@omniti.com
 *
 * Jan 9th, 2001:
 * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
 * to the sshd_config file.  These parameters are documented in the man page.
 * This provides a more logical separation between fail-through due to system
 * failure and fall-through by configuration. (fall-through vs. fail-through)
 *   -- jesus@omniti.com
 */

Seems like a few people are interested.  So here is the patch.

This has only been tested on Unices that support PAM.  There is untested
(only 5 lines) code in auth-passwd.c that should provide the same
functionality for normal (non-PAM) password verification.

The patch is logically quite small; the physical patch is bulky because it
contains all the line number changes in "configure" after running autoconf on
the modified configure.in file (in which I changed maybe 10 lines -- Yuk.)

The sshd man page has been patched too :-)  Read it for the two new options
relating to SecurID.

How it works:

0) apply patch ;-)
1) copy the sdi headers (in the SecurID example directory) into either a
standard include place (like /usr/local/include) or into the openssh source
tree, or pass --with-cflags=-I/path/to/ace/examples (the directory holding the
include files) to configure.
2) copy the sdiclient.a file (same dir) into the openssh source tree.

Make sure that /var/ace contains your sdconf.rec, etc.  If you installed the
SecurID client or server on a machine it should be this way already.  If you
used a non-standard install location, do a "ln -s /path/to/ace/data /var/ace".

3) add --with-securid --with-pam to the configure flags.  This module rides on
the PAM authentication mechanism.

It will trigger if a user has a shell in /etc/passwd that ends with "sdshell",
and it snags your shell the same way sdshell does.  Users with other shells
will log in as if SecurID didn't exist.
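The "sdshell" trigger and the fall-through (by configuration) versus fail-through (system failure) distinction from the changelog, modelled as an added C example; this is not code from the patch, and the ACE result codes, the suffix check and the meaning of SecurIDUsersFile/SecurIDIgnoreShell are assumptions here. The point it shows is that an ACE system failure is kept as its own outcome, so the caller can fail closed rather than silently falling back to plain password authentication.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result codes from the ACE client library, modelled as an enum here;
 * these are assumed names, not the real sdiclient.a API. */
enum ace_result { ACE_OK, ACE_BAD_PASSCODE, ACE_NEXT_TOKEN, ACE_UNAVAILABLE };

/* Outcomes sshd can reach for one login attempt. */
enum securid_decision {
    SECURID_NOT_REQUIRED,   /* fall-through by configuration: ordinary PAM/password auth */
    SECURID_ACCEPTED,
    SECURID_REJECTED,
    SECURID_NEXT_TOKEN,     /* ACE wants the next token code before it will decide */
    SECURID_SYSTEM_FAILURE  /* fail-through: the ACE client/server failed, not the user */
};

/* The trigger from the README: the login shell in /etc/passwd ends with "sdshell". */
bool shell_is_sdshell(const char *shell)
{
    static const char suffix[] = "sdshell";
    size_t slen = sizeof(suffix) - 1;
    size_t len = shell ? strlen(shell) : 0;
    return len >= slen && strcmp(shell + len - slen, suffix) == 0;
}

/* in_users_file and ignore_shell stand in for a SecurIDUsersFile lookup and
 * the SecurIDIgnoreShell directive (semantics assumed from the names). */
enum securid_decision securid_decide(const char *shell, bool in_users_file,
                                     bool ignore_shell, enum ace_result r)
{
    bool required = in_users_file || (!ignore_shell && shell_is_sdshell(shell));
    if (!required)
        return SECURID_NOT_REQUIRED;   /* configured fall-through, by design */
    switch (r) {
    case ACE_OK:          return SECURID_ACCEPTED;
    case ACE_NEXT_TOKEN:  return SECURID_NEXT_TOKEN;
    case ACE_UNAVAILABLE: return SECURID_SYSTEM_FAILURE; /* never collapse into NOT_REQUIRED */
    default:              return SECURID_REJECTED;
    }
}

int main(void)
{
    /* Constructed sample: a SecurID user whose ACE server is unreachable. */
    enum securid_decision d = securid_decide("/usr/ace/sdshell", false, false, ACE_UNAVAILABLE);
    puts(d == SECURID_SYSTEM_FAILURE ? "deny: SecurID system failure (fail closed)" : "other");
    return 0;
}
```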

Done:
  o Normal passcode verification
  o Enter next token for verification
    (use ssh -v to see the *useful* debugging messages)

ssh -v will let you know if:
 o your code was accepted.
 o your code was rejected.
 o you are required to wait for the next token and enter that.

TODO:
  o Handle PIN creation and changing (as there are by default three login
attempts, it should be straightforward to integrate these additions --
both of these operations require exactly three user inputs.)
  o Add sshd_config parameter to specify the VAR_ACE location (forced to
/var/ace OR VAR_ACE environment variable now.)
  o Make autoconf find the headers in logical places and add a long-option to
give it a hint.  I am an "autoconf idiot"... The small changes I made were
challenging enough :)


DISCLAIMER:
  It works for me (yes, in production).  If you get locked out of a production
system because you replaced your sshd with this one, feeling really dumb is
YOUR responsibility NOT mine.  It is not my fault :-D

Hope this is useful! scp (and all other tools that can use ssh like rsync and
cvs) will work now!!!! Hooray!
