/*
 * Author: Theo Schlossnagle <jesus@omniti.com>
 * Copyright (c) 2000,2001 Theo Schlossnagle <jesus@omniti.com>
 * All rights reserved
 * Created: September 21, 2000
 * License: OpenSSH License. See the license for OpenSSH for more details.
 *
 * June 28, 2001:
 * Updated to 2.9p2 -- jesus@omniti.com
 * no new features
 *
 * April 24, 2001:
 * Updated to 2.9p1 -- jesus@omniti.com
 * added autoconf clauses to fault if sdiclient.a and headers aren't there.
 *
 * April 21, 2001:
 * Updated to 2.5.2p2 -- jesus@omniti.com
 * Incorporated some bug fixes from Anders Olsen to fix next-token code.
 *
 * March 19, 2001:
 * Updated to 2.5.2p1 -- jesus@omniti.com
 *
 * December 20, 2000:
 * Updated to 2.3.0p1 -- jesus@omniti.com
 *
 * Jan 9th, 2001:
 * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
 * to the sshd_config file. These parameters are documented in the man page.
 * This provides a more logical separation between fail-through due to system
 * failure and fall-through by configuration. (fall-through vs. fail-through)
 * -- jesus@omniti.com
 */

Seems like a few people are interested. So here is the patch.

This has only been tested on Unix systems that support PAM. There is untested
code (only 5 lines) in auth-passwd.c that should provide the same
functionality for normal (non-PAM) password verification.

The patch is logically quite small; the physical patch is bulky because it
contains all the line number changes in "configure" after running autoconf on
the modified configure.in file (in which I changed maybe 10 lines -- Yuk.)

The sshd man page has been patched too :-) Read it for the new sshd_config
options relating to SecurID (the change log above lists the directive names).

How it works:

0) apply patch ;-)
1) copy the sdi headers (from the SecurID example directory) into either a
   standard include location (like /usr/local/include) or into the openssh
   source tree, or add --with-cflags=-I/path/to/ace/examples (wherever the
   include files are) to the configure flags.
2) copy the sdiclient.a file (same directory) into the openssh source tree.

   Make sure that /var/ace contains your sdconf.rec, etc. If you installed the
   SecurID client or server on the machine it should be this way already. If
   you used a non-standard install location, do "ln -s /path/to/ace/data /var/ace"
   (or point the VAR_ACE environment variable at it; see the TODO below).

3) add --with-securid --with-pam to the configure flags. This module rides on
   the PAM authentication mechanism, so PAM support is required.

The SecurID check triggers when the user's login shell in /etc/passwd ends with
"sdshell"; the patch then works out the real shell the same way sdshell does.
Users with other shells log in as if SecurID didn't exist. Note that this makes
the shell field the switch that turns SecurID on or off for an account, so
whoever can change a user's shell can change whether SecurID is demanded of
that user. The SecurIDUsersFile and SecurIDIgnoreShell directives in the change
log above exist to make that selection in sshd_config instead (see the sshd man
page).

Done:
o Normal passcode verification
o Enter next token for verification
  (use ssh -v to see the *useful* debugging messages)

ssh -v will let you know if:
o your code was accepted.
o your code was rejected.
o you are required to wait for the next token and enter that.

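The "sdshell" trigger described under "How it works" and the three outcomes
ssh -v reports above, as an added example in C that is not part of this patch
or of OpenSSH: a model of the login decision (fall-through by configuration
versus fail-through on system failure, the distinction the change log draws)
and of the passcode dialogue with next-token handling. The semantics given to
SecurIDUsersFile, SecurIDIgnoreShell and AllowNonSecurID, the securid_*
function names, the fake_check/scripted_prompt stand-ins for the sdiclient
calls, and the sample passcodes are all assumptions made up for the example.

```c
/* Added example, not code from the patch or from OpenSSH: a model of the login
 * decision and passcode dialogue this README describes.  The "sdshell" trigger
 * and the three outcomes ssh -v reports are from the README; every name and
 * directive semantic below is an assumption.  Build: cc -std=c99 -Wall -c policy.c */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum securid_policy {
    SECURID_REQUIRED,    /* run the SecurID passcode check */
    SECURID_SKIPPED,     /* fall-through by configuration: as if SecurID didn't exist */
    SECURID_FAIL_CLOSED  /* fail-through: SecurID applies but cannot run, so deny */
};

/* sshd_config directives named in the change log; these semantics are assumed. */
struct securid_config {
    bool ignore_shell;       /* SecurIDIgnoreShell: the login shell is not a trigger */
    bool allow_non_securid;  /* AllowNonSecurID: unselected users log in without SecurID */
    const char **users;      /* SecurIDUsersFile: NULL-terminated users that must use it */
};

/* The trigger the README documents: the /etc/passwd shell ends with "sdshell". */
bool shell_is_sdshell(const char *shell)
{
    size_t n = strlen(shell), m = strlen("sdshell");
    return n >= m && strcmp(shell + n - m, "sdshell") == 0;
}

static bool user_listed(const struct securid_config *cfg, const char *user)
{
    for (const char **u = cfg->users; u != NULL && *u != NULL; u++)
        if (strcmp(*u, user) == 0) return true;
    return false;
}

/* ace_usable: the ACE client initialised (sdconf.rec found under /var/ace or $VAR_ACE).
 * A selected user is denied when it did not: a system failure is never a fall-through. */
enum securid_policy securid_decide(const struct securid_config *cfg, const char *user,
                                   const char *shell, bool ace_usable)
{
    bool selected = user_listed(cfg, user) ||
                    (!cfg->ignore_shell && shell_is_sdshell(shell));
    if (!selected)
        return cfg->allow_non_securid ? SECURID_SKIPPED : SECURID_FAIL_CLOSED;
    return ace_usable ? SECURID_REQUIRED : SECURID_FAIL_CLOSED;
}

/* The three outcomes ssh -v reports, and stand-ins for the sdiclient check and
 * for reading a passcode from the client (prompt returns false on EOF). */
enum ace_result { ACE_ACCEPTED, ACE_REJECTED, ACE_NEXT_TOKEN_REQUIRED };
typedef enum ace_result (*ace_check_fn)(const char *user, const char *code, bool is_next);
typedef bool (*prompt_fn)(char *buf, size_t size, bool is_next);
#define SECURID_MAX_ATTEMPTS 3   /* the "three log in attempts" the TODO mentions */

/* Runs the dialogue.  After ACE_NEXT_TOKEN_REQUIRED the next answer is checked as
 * the token's next value, not as a retry.  Only ACE_ACCEPTED succeeds; running
 * out of attempts or of input fails closed. */
bool securid_authenticate(const char *user, ace_check_fn check, prompt_fn prompt)
{
    char code[64];
    bool want_next = false;
    for (int attempt = 0; attempt < SECURID_MAX_ATTEMPTS; attempt++) {
        if (!prompt(code, sizeof code, want_next))
            return false;
        switch (check(user, code, want_next)) {
        case ACE_ACCEPTED:            return true;
        case ACE_NEXT_TOKEN_REQUIRED: want_next = true;  break;
        case ACE_REJECTED:            want_next = false; break;
        }
    }
    return false;
}

/* Constructed checker for offline use: "111111" is accepted outright, "222222"
 * asks for the next token, and "333333" is accepted only as that next token. */
static enum ace_result fake_check(const char *user, const char *code, bool is_next)
{
    (void)user;
    if (!is_next && strcmp(code, "111111") == 0) return ACE_ACCEPTED;
    if (!is_next && strcmp(code, "222222") == 0) return ACE_NEXT_TOKEN_REQUIRED;
    if (is_next && strcmp(code, "333333") == 0)  return ACE_ACCEPTED;
    return ACE_REJECTED;
}

/* Scripted client answers, consumed in order; NULL means the client went away. */
static const char **script;
static bool scripted_prompt(char *buf, size_t size, bool is_next)
{
    (void)is_next;
    if (script == NULL || *script == NULL) return false;
    snprintf(buf, size, "%s", *script++);
    return true;
}

/* Runs the dialogue for a user against a scripted sequence of answers. */
bool run_scripted(const char *user, const char **answers)
{
    script = answers;
    return securid_authenticate(user, fake_check, scripted_prompt);
}
```

run_scripted() drives the dialogue with a scripted client: the answers
{"222222", "333333", NULL} succeed (next token supplied), while
{"222222", "111111", NULL} fail because an ordinary passcode does not satisfy a
next-token request, and {"222222", NULL} fails because the client went away
mid-dialogue. securid_decide() is where the fall-through/fail-through
distinction lives: a user selected for SecurID whose ACE client cannot
initialise gets SECURID_FAIL_CLOSED, never SECURID_SKIPPED.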
TODO:
o Handle PIN creation and changing (as there are by default three login
  attempts, it should be straightforward to integrate these additions --
  both of these operations require exactly three user inputs.)
o Add an sshd_config parameter to specify the VAR_ACE location (forced to
  /var/ace OR the VAR_ACE environment variable now.)
o Make autoconf find the headers in logical places and add a long-option to
  give it a hint. I am an "autoconf idiot"... The small changes I made were
  challenging enough :)


DISCLAIMER:
It works for me (yes, in production). If you get locked out of a production
system because you replaced your sshd with this one, feeling really dumb is
YOUR responsibility NOT mine. It is not my fault :-D

Hope this is useful! scp (and all other tools that can use ssh, like rsync and
cvs) will work now!!!! Hooray!
