root/patches/openssh-4.1p1+SecurID_v1.3.1.README

Revision 1, 6.7 kB (checked in by jesus, 6 years ago)

initial import

/*
 * Author: Theo Schlossnagle <jesus@omniti.com>
 * Copyright (c) 2000-2002 Theo Schlossnagle <jesus@omniti.com>
 *                    All rights reserved
 *
 * Created: September 21, 2000
 * License: OpenSSH License.  See the license for OpenSSH for more details.
 *
 * Update for ACE 5.X by Jim Matthews -- j.w.matthews@cox.net
 * Patch works only for OpenSSH version v4.1p1
 *
 * June 16, 2005: -- j.w.matthews@cox.net
 * Updated to support openssh v4.1p1
 *
 * March 15, 2005: -- j.w.matthews@cox.net
 * Updated to support openssh v4.0p1
 *
 * Aug 18, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.9p1
 * Added #ifdef SECURID in a couple of places it wasn't used and should have been
 * for consistency in monitor.c and monitor.h
 *
 * Aug 15, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.8.1p1
 *
 * March 1, 2004: -- j.w.matthews@cox.net
 * Updated to support openssh v3.8p1
 *
 * September 27, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7.1p2
 * Re-added SecurID man page entries previously included in the v3.6.1p2 patch.
 * Changed "plen" from type int to type u_int in function mm_answer_authsecurid in
 * monitor.c to conform with openssh.
 *
 * September 17, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7.1p1.
 *
 * September 16, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.7p1.
 * In auth-securid.c log has changed to logit since it changed in v3.7p1.
 * In pam-auth.c the securid auth function is no longer needed.  v3.7p1 completely
 * changed the way PAM is handled.
 *
 * June 4th, 2003: -- Nicolas Lidzborski <cpc@freeshell.org>
 * Updated to support openssh v3.6.1p2
 *
 * April 5th, 2003: -- j.w.matthews@cox.net
 * Updated to support openssh v3.6.1p1.
 * Modified to support both new (5.X+) and old (<= 4.X) securid client API libraries.
 * Added --with-securid-old for <= 4.X support, --with-securid is for new API support.
 * Added sd_close for ACE server disconnect at the end of authentication for old API support.
 *
 * March 3rd, 2003: -- j.w.matthews@cox.net
 * Changed "user not in [securid] allow", "user in [securid] deny" SecurID messages from
 * type "error" to type "log" in auth-securid.c.
 *
 * March 1st, 2003: -- j.w.matthews@cox.net
 * Rewrote functions in auth-securid.c to support the ACE server version 5.X API.
 * Modified configure script to check for new libaceclnt.a and acexport.h.
 * Fixed AllowNonSecurid option in monitor.c and servconf.c so it actually works now.
 * Fixed potential memory leak in auth-securid.c for SecurID shell assignment variable.
 *
 * October 22nd, 2002:
 * Updated to 3.5p1 -- jesus@omniti.com
 * Incorporated a few minor fixes for the auth phase.
 *
 * June 26th, 2002:
 * Updated to 3.4p1 -- jesus@omniti.com
 * Revamped the auth mechanism to use the new privilege separation code.
 * Updated man pages in their new locations.
 *
 * March 15th, 2002:
 * Updated to 3.1p1 -- jesus@omniti.com
 * Added better support for auth2-pam.  Added NegateSecurIDUsers option to
 * negate the meaning of the SecurIDUsersFile option.
 *
 * December 11th, 2001:
 * Updated to 3.0.2p1 -- jesus@omniti.com
 * no new features
 *
 * December 3rd, 2001:
 * Updated to 3.0.1p1 -- jesus@omniti.com
 * no new features
 *
 * November 8th, 2001:
 * Updated to 3.0p1 -- jesus@omniti.com
 * no new features
 *
 * September 30th, 2001:
 * Updated to 2.9.9p2 -- jesus@omniti.com
 * no new features
 *
 * June 28, 2001:
 * Updated to 2.9p2 -- jesus@omniti.com
 * no new features
 *
 * April 24, 2001:
 * Updated to 2.9p1 -- jesus@omniti.com
 * Added autoconf clauses to fail if sdiclient.a and headers aren't there.
 *
 * April 21, 2001:
 * Updated to 2.5.2p2 -- jesus@omniti.com
 * Incorporated some bug fixes from Anders Olsen to fix next-token code.
 *
 * March 19, 2001:
 * Updated to 2.5.2p1 -- jesus@omniti.com
 *
 * December 20, 2000:
 * Updated to 2.3.0p1 -- jesus@omniti.com
 *
 * Jan 9th, 2001:
 * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
 * to the sshd_config file.  These parameters are documented in the man page.
 * This provides a more logical separation between fail-through due to system
 * failure and fall-through by configuration. (fall-through vs. fail-through)
 *   -- jesus@omniti.com
 */

Seems like a few people are interested.  So here is the patch.

This has only been tested on UNICES that support PAM.  There is untested
(only 5 lines) code in auth-passwd.c that should provide the same
functionality for normal (non-PAM) password verification.

The patch is logically quite small; the physical patch is bulky because it
contains all the line number changes in "configure" after running autoconf on
the modified configure.in file (in which I changed maybe 10 lines -- Yuk.)

The sshd man page has been patched too :-)  Read it for the two new options
relating to SecurID.

How it works:

0) apply patch ;-)  You must use GNU patch (get it from ftp.gnu.org, it's free.)
1) copy the ACE headers (in the SecurID inc directory) into either a standard
   include place (like /usr/local/include) or into the openssh source tree, or
   add --with-cflags=-I/path/to/ace/inc (where the include files are located)
2) copy the libaceclnt.a (for ACE 5.X) or sdiclient.a (for ACE <= 4.X) for your
   OS (from /path/to/ace/lib/<arch>) into the openssh source tree.

Make sure that /var/ace contains your sdconf.rec, etc.  If you installed the
SecurID client or server on a machine it should be this way already.  If you
used a non-standard install location do a "ln -s /path/to/ace/data /var/ace"

3) add --with-securid to the configure flags for new ACE 5.X support.  Use
   --with-securid-old for ACE API version 4.X and older.

It will trigger if a user has a shell in /etc/passwd that ends with "sdshell",
and it snags your shell the same way sdshell does.  Users with other shells
will log in as if SecurID didn't exist.
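As an added example (not part of the original patch or this README), a small POSIX shell helper that performs the checks behind steps 1-3 and the sdshell trigger above: it picks --with-securid or --with-securid-old from which ACE library is present, verifies sdconf.rec under VAR_ACE, and reports whether a given passwd entry would be subject to SecurID. The ACE tree layout (inc/, lib/<arch>/) follows the README; the function names and the passwd-file argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original patch or its README.
# Assumes the ACE client tree is laid out as <ace_dir>/inc and
# <ace_dir>/lib/<arch>, as the steps above describe.

# Print the configure flags matching the ACE client library found under
# $1 (ACE tree), after checking that $2 (VAR_ACE, default /var/ace) holds
# sdconf.rec.  Returns 1 if no usable library or no sdconf.rec is found.
securid_configure_flags() {
  ace_dir=$1
  var_ace=${2:-${VAR_ACE:-/var/ace}}
  inc="$ace_dir/inc"

  if [ ! -f "$var_ace/sdconf.rec" ]; then
    echo "no sdconf.rec in $var_ace (symlink your ACE data dir to /var/ace)" >&2
    return 1
  fi

  if [ -n "$(find "$ace_dir/lib" -name libaceclnt.a 2>/dev/null | head -n 1)" ]; then
    # ACE 5.X API: needs acexport.h alongside libaceclnt.a
    if [ ! -f "$inc/acexport.h" ]; then
      echo "libaceclnt.a found but $inc/acexport.h is missing" >&2
      return 1
    fi
    echo "--with-securid --with-cflags=-I$inc"
  elif [ -n "$(find "$ace_dir/lib" -name sdiclient.a 2>/dev/null | head -n 1)" ]; then
    # ACE 4.X and older API
    echo "--with-securid-old --with-cflags=-I$inc"
  else
    echo "neither libaceclnt.a nor sdiclient.a found under $ace_dir/lib" >&2
    return 1
  fi
}

# Report whether SecurID would be enforced for user $2 according to the
# passwd file $1: the patch triggers only when the login shell ends in
# "sdshell".  Returns 0 = SecurID required, 1 = SecurID bypassed, 2 = no such user.
securid_user_enabled() {
  shell=$(awk -F: -v u="$2" \
    '$1 == u { print $7; found = 1 } END { if (!found) exit 2 }' "$1") || return 2
  case "$shell" in
    *sdshell) return 0 ;;
    *)        return 1 ;;
  esac
}
```

Run `securid_configure_flags /path/to/ace` before `./configure` and paste its output into the configure flags; `securid_user_enabled /etc/passwd someuser` tells you in advance whether that account will be challenged for a passcode.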

Done:
  o Normal passcode verification
  o Enter next token for verification
    (use ssh -v to see the *useful* debugging messages)

ssh -v will let you know if:
 o your code was accepted.
 o your code was rejected.
 o you are required to wait for the next token and enter that.

TODO:
  o Handle PIN creation and changing (as there are by default three login
attempts, it should be straightforward to integrate these additions --
both of these operations require exactly three user inputs.)
  o Add sshd_config parameter to specify the VAR_ACE location (forced to
/var/ace OR VAR_ACE environment variable now.)

DISCLAIMER:
  It works for me (yes, in production).  If you get locked out of a production
system because you replaced your sshd with this one, feeling really dumb is
YOUR responsibility NOT mine.  It is not my fault :-D

Hope this is useful! scp (and all other tools that can use ssh like rsync and
cvs) will work now!!!! Hooray!