root/patches/openssh-4.4p1+SecurID_v1.3.2.patch

openssh-4.4p1/Makefile.in

@@ -87 +87 @@
-        monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
-        auth-krb5.o \
-        auth2-gss.o gss-serv.o gss-serv-krb5.o \
-
+auth-securid.o 
-        audit.o audit-bsm.o platform.o
-
-MANPAGES        = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out

openssh-4.4p1/README.SecurID

@@ +1 @@
+/*
+ * Author: Theo Schlossnagle <jesus@omniti.com>
+ * Copyright (c) 2000-2002 Theo Schlossnagle <jesus@omniti.com>
+ *                    All rights reserved
+ *
+ * Created: September 21, 2000
+ * License: OpenSSH License.  See the license for OpenSSH for more details.
+ *
+ * Update for ACE 5.X by Jim Matthews -- Jim.W.Matthews@gmail.com
+ * Patch works only for OpenSSH version v4.4p1
+ *
+ * October 04, 2006: -- Jim.W.Matthews@gmail.com
+ * Updated to support openssh v4.4p1
+ * Updated auth-securid.c with additional includes which are now required.
+ *
+ * February 11, 2006: -- j.w.matthews@cox.net
+ * Updated to support openssh v4.3p1
+ *
+ * September 10, 2005: -- j.w.matthews@cox.net
+ * Updated to support openssh v4.2p1
+ * Fixed bug in auth-securid.c where securid_usersfile_find is used even if
+ * SECURID is undefined at config time - found by Mike Frysinger.
+ *
+ * June 16, 2005: -- j.w.matthews@cox.net
+ * Updated to support openssh v4.1p1
+ *
+ * March 15, 2005: -- j.w.matthews@cox.net
+ * Updated to support openssh v4.0p1
+ *
+ * Aug 18, 2004: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.9p1
+ * Added #ifdef SECURID in a comple of places it wasn't used and should have been
+ * for consistency in monitor.c and monitor.h
+ *
+ * Aug 15, 2004: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.8.1p1
+ *
+ * March 1, 2004: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.8p1
+ *
+ * September 27, 2003: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.7.1p2
+ * Re-added SecurID man page entries previously included in the v3.6.1p2 patch.
+ * Changed "plen" from type int to type u_int in function mm_answer_authsecurid in
+ * monitor.c to conform with openssh.
+ *
+ * September 17, 2003: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.7.1p1.
+ *
+ * September 16, 2003: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.7p1.
+ * In auth-securid.c log has changed to logit since it changed in v3.7p1.
+ * In pam-auth.c securid auth function is no longer needed.  v3.7p1 completely
+ * changed the way PAM is handled.
+ *
+ * June 4th, 2003: -- Nicolas Lidzborski <cpc@freeshell.org>
+ * Updated to support openssh v3.6.1p2
+ *
+ * April 5th, 2003: -- j.w.matthews@cox.net
+ * Updated to support openssh v3.6.1p1.
+ * Modified to support both new (5.X+) and old (<= 4.X) securid client API libraries.
+ * Added --with-securid-old for <= 4.X support, --with-securid is for new API support.
+ * Added sd_close for ACE server disconnect at the end of authentication for old API support.
+ *
+ * March 3rd, 2003: -- j.w.matthews@cox.net
+ * Changed "user not in [securid] allow", "user in [securid] deny" SecurID messages from
+ * type "error" to type "log" in auth-securid.c.
+ *
+ * March 1st, 2003: -- j.w.matthews@cox.net
+ * Rewrote functions in auth-securid.c to support the ACE server version 5.X API.
+ * Modified configure script to check for new libaceclnt.a and acexport.h.
+ * Fixed AllowNonSecurid option in monitor.c and servconf.c so it actually works now.
+ * Fixed potential memory leak in auth-securid.c for SecurID shell assignment variable.
+ *
+ * October 22nd, 2002:
+ * Updated to 3.5p1 -- jesus@omniti.com
+ * incorporated a few minor fixes for the auth phase.
+ *
+ * June 26th, 2002:
+ * Updated to 3.4p1 -- jesus@omniti.com
+ * Revamped the auth mechanism to use the new privilege separation code.
+ * Updated man pages in their new locations.
+ *
+ * March 15th, 2002:
+ * Updated to 3.1p1 -- jesus@omniti.com
+ * Added beeter support for auth2-pam.  Added NegateSecurIDUsers option to
+ * negate the meaning of the SecureIDUsersFile option.
+ *
+ * December 11th, 2001:
+ * Updated to 3.0.2p1 -- jesus@omniti.com
+ * no new features
+ *
+ * December 3rd, 2001:
+ * Updated to 3.0.1p1 -- jesus@omniti.com
+ * no new features
+ *
+ * November 8th, 2001:
+ * Updated to 3.0p1 -- jesus@omniti.com
+ * no new features
+ *
+ * September 30th, 2001:
+ * Updated to 2.9.9p2 -- jesus@omniti.com
+ * no new features
+ *
+ * June 28, 2001:
+ * Updated to 2.9p2 -- jesus@omniti.com
+ * no new features
+ *
+ * April 24, 2001:
+ * Updated to 2.9p1 -- jesus@omniti.com
+ * added autoconf clauses to fault if sdiclient.a and headers aren't there.
+ *
+ * April 21, 2001:
+ * Updated to 2.5.2p2 -- jesus@omniti.com
+ * Incorporated some bug fixes from Anders Olsen to fix next-token code.
+ *
+ * March 19, 2001:
+ * Updated to 2.5.2p1 -- jesus@omniti.com
+ *
+ * December 20, 2000:
+ * Updated to 2.3.0p1 -- jesus@omniti.com
+ *
+ * Jan 9th, 2001:
+ * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives
+ * to the sshd_config file.  These parameters are documented in the man page.
+ * This provides a more logical seperationg between fail-through due to system
+ * failure and fall-through by configuration. (fall-through vs. fail-through)
+ *   -- jesus@omniti.com
+ */
+
+Seems like a few people are interested.  So here is the patch.
+
+This has only been tested on UNICIES that support PAM.  There is untested
+(only 5 lines) code in auth-passwd.c that should provide the same
+functionality for normal (non-PAM) password verifications.
+
+The patch is logical quite small, the physical patch bulky because it contains
+all the line number changes in "configure" after running autoconf on the
+modified configure.in file (in which I changed maybe 10 lines -- Yuk.)
+
+The sshd man page has been patched too :-)  Read it for the two new options
+relating to SecurID.
+
+How it works:
+
+0) apply patch ;-)  You must use GNU patch (get it from ftp.gnu.org, it free.)
+1) copy ACE headers (in SecurID inc directory) into either a standard
+   include place (like /usr/local/include) or into the openssh source tree or add
+   the --with-cflags=-I/path/to/ace/inc (where the include files are located)
+2) copy the libaceclnt.a (for ACE 5.X) or sdiclient.a (for ACE <= 4.X) for your
+   OS (from /path/to/ace/lib/<arch>) into the openssh source tree.
+
+Make sure that /var/ace contains your sdconf.rec, etc.  If you installed
+SecurID client or server on a machine it should be this way already.  If you
+used a non-standard install location do a "ln -s /path/to/ace/data /var/ace"
+
+3) add --with-securid to the configure flags for new ACE 5.X support.  Use
+   --with-securid-old for ACE API version 4.X and older.
+
+It will trigger if a user has a shell in /etc/passwd that ends with "sdshell"
+and it snags your shell the same way sdshell does.  Users with other shells
+will log in as if SecurID didn't exist.
+
+Done:
+  o Normal passcode verification
+  o Enter next token for verification
+    (use ssh -v to see the *useful* debgging messages)
+
+ssh -v will let you know if:
+ o your code was accepted.
+ o your code was rejected.
+ o you are required to wait for the next token and enter that.
+
+TODO:
+  o Handle PIN creation and changing (as their are by default three log in
+attempts, it should be straight forward to integrate in these additions --
+both of these operations require exactly three user inputs.)
+  o Add sshd_config parameter to specify the VAR_ACE location (forced to
+/var/ace OR VAR_ACE environment variable now.)
+
+DISCLAIMER:
+  I works for me (yes, in production).  If you get locked out of a production
+system becuase you replaced your sshd with this one, feeling really dumb is
+YOUR responsibility NOT mine.  It is not my fault :-D
+
+Hope this is useful! scp (and all other tools that can use ssh like rsync and
+cvs) will work now!!!! Hooray!
+

openssh-4.4p1/auth-passwd.c

@@ -101 +101 @@
-                /* Fall back to ordinary passwd authentication. */
-        }
-#endif
+#ifdef SECURID
+       if (options.securid_authentication == 1) {
+               int ret = auth_securid(authctxt, password);
+               if (ret >= 0)
+                       return ret;
+               /* Only returns < 0 if the account is not a SecurID account */
+               /* Fall back to ordinary passwd authentication. */
+               if(ret<0 && !options.allow_nonsecurid) {
+               return 0;
+               }
+       }
+#endif
-#ifdef HAVE_CYGWIN
-        if (is_winnt) {
-                HANDLE hToken = cygwin_logon_user(pw, password);

openssh-4.4p1/auth-securid.c

@@ +1 @@
+/*
+ * Author: Theo Schlossnagle <jesus@omniti.com>
+ * Copyright (c) 2000 Theo Schlossnagle <jesus@omniti.com>
+ *                    All rights reserved
+ * Created: September 21, 2000
+ * This file contains the code to process a SecurID authentication
+ * including the "next token" request.
+ */
+
+/* 
+ * Added ACE Server API version 5.X Support
+ * Jim Matthews (JWM)
+ *
+ */
+
+#include "includes.h"
+
+/* RCSID("$OpenBSD: auth-securid.c,v 1.0 2000/09/21 01:39:38 jesus Exp $"); */
+/* $Id: auth-securid.c,v 1.3.1 2006/10/04 23:22:12 jmatthew Exp jmatthew $ */
+
+#include "packet.h"
+#include "ssh.h"
+#include "log.h"
+#include "servconf.h"
+#include "xmalloc.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+
+#include <string.h>
+#include <errno.h>
+
+#ifdef WITH_AIXAUTHENTICATE
+# include <login.h>
+#endif
+#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
+# include <hpsecurity.h>
+# include <prot.h>
+#endif
+#ifdef HAVE_SHADOW_H
+# include <shadow.h>
+#endif
+#ifdef HAVE_GETPWANAM
+# include <sys/label.h>
+# include <sys/audit.h>
+# include <pwdadj.h>
+#endif
+#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+# include "md5crypt.h"
+#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
+
+#ifdef SECURID
+#ifdef SECURID_NEW
+/* Only need acexport.h for 5.0 API JWM */
+# include "acexport.h"
+
+#else
+
+# include "sdi_athd.h"
+# include "sdconf.h"
+# include "sdacmvls.h"
+
+union config_record configure;
+#endif
+#endif
+
+/*
+ * Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
+ */
+#define INBUFFLEN 256
+
+/* Added ifdef 09102005 JWM */
+#ifdef SECURID
+int
+securid_usersfile_find(const char *pw_name)
+{
+        extern ServerOptions options;
+        FILE *inf;
+        char inbuff[INBUFFLEN];
+        struct stat fileinfo;
+        int retval = 0;
+
+        if(!options.securid_usersfile) {
+                error("In securid_usersfile_find() with NULL filename!");
+                return -1;
+        }
+        if(lstat(options.securid_usersfile, &fileinfo)) {
+                error("Cannot open %s: %s",
+                      options.securid_usersfile, strerror(errno));
+                return -1;
+        }
+        if(fileinfo.st_mode & (S_IWOTH|S_IWGRP)) {
+                error("SecurIDUsersFile is writeable by group and other");
+                return -1;
+        }
+        if(!(inf = fopen(options.securid_usersfile, "r"))) {
+                error("Cannot open %s: %s",
+                      options.securid_usersfile, strerror(errno));
+                return -1;
+        }
+        while(fgets(inbuff,INBUFFLEN-1,inf) != NULL) {
+                if(inbuff[strlen(inbuff) - 1] == '\n')
+                        inbuff[strlen(inbuff) - 1] = '\0';
+                retval = !strcmp(inbuff,pw_name);
+                if(retval) break;
+        }
+        fclose(inf);
+        if(retval) return 1;
+        debug2("Failed to find %s in %s",
+                pw_name, options.securid_usersfile);
+        return 0;
+}
+#endif
+
+int
+auth_securid(Authctxt *authctxt, const char *password)
+{
+        static int state = 0;   /* This tells us where we expect a
+                                        0 "PIN"
+                                        1 "Next Token"
+                                */
+        int doauth;
+        char *ecp;
+        /* Changed this to static, since pw->shell does not get redefined, prevents mem leak JWM */
+        /* Allocate 256 chars for shell JWM */
+        static char shell[256];
+        extern ServerOptions options;
+        struct passwd *pw;
+#ifndef SECURID
+        return -1;
+#else
+        /* Add static for the nexttoken case -- Anders Olsen 20010409 */
+        /* API Change for ACE version 5.03 JWM */
+#ifdef SECURID_NEW
+        static SDI_HANDLE sd_dat;
+#else
+        static struct SD_CLIENT sd_dat, *sd;
+#endif
+
+        pw = authctxt->pw;
+        /* Check for users with no sdshell and pass them by. */
+        if(options.securid_usersfile) {
+                doauth = securid_usersfile_find(pw->pw_name);
+                if(!options.negate_securid_users && doauth == 0) {
+                        /* file is there, user is not, option respected */
+                        /* log instead of error JWM */
+                        logit("User Not In SecurID Users Allow File");
+                        if(options.allow_nonsecurid) return -1;
+                        return 0;
+                } else if(options.negate_securid_users && doauth == 1) {
+                        /* file is there, user is, option negated */
+                        /* log instead of error JWM */
+                        logit("User In SecurID Users Deny File");
+                        if(options.allow_nonsecurid) return -1;
+                        return 0;
+                } else if(doauth < 0) { /* File not there or bad perms! */
+                        error("Failing SecurID login attempt");
+                        return 0;       /* Fail */
+                }
+        } else {
+                /* No users securid_usersfile
+                   so use shells that end in sdshell */
+                if (!((ecp = strstr(pw->pw_shell, "sdshell")) &&
+                                (*(ecp+7)=='\0'))) {
+                        if(options.allow_nonsecurid) {
+                                return -1;
+                        } else {
+                                return 0;
+                        }
+                }
+        }
+        /* sd_check on with an empty password causes segfault against some
+                versions of sdiclient -- Anders Olsen 20010409 */
+        if (*password == '\0') {
+                debug2("auth_securid: empty password, skipping");
+                return 0;
+        }
+        /* Don't reopen session to securid-server is nexttoken
+                -- Adres Olsen 20010410 */
+        if (state == 0) {
+                int ret;
+#ifdef SECURID_NEW
+                /* API Change for ACE version 5.03 JWM */
+                /* Initialize the ace client, test for sdconf.rec and other setup */
+                if(AceInitialize() == SD_FALSE) {
+                        error("SecurID: Failed to initialize ACE API library.");
+                        if(options.securid_fallback) return -1;
+                        return 0;
+                }
+                /* API Change for ACE version 5.03 JWM */
+                /* Initialize communication, check connection to server, etc */
+                ret = SD_Init(&sd_dat);
+                if(ret != ACM_OK) {
+                        if(ret == ACE_INIT_NO_RESOURCE) {
+                                error("SecurID: Couldn't allocate memory.");
+                        }
+                        if(ret == ACE_INIT_SOCKET_FAIL) {
+                                error("SecurID: Couldn't create socket.");
+                        }
+                        error("SecurID: Couldn't establish client/server communications.");
+                        if(options.securid_fallback) return -1;
+                        return 0;
+                }
+                /* API addition for ACE version 5.03 JWM */
+                /* Lock Server */
+                if(SD_Lock(sd_dat,pw->pw_name) == ACM_OK) {
+                        debug("SecurID: Locked Server");
+                } else {
+                        error("SecurID: Failed to lock server.");
+                        return 0;
+                }
+                /* API Change for version 5.03 JWM */
+                /* Check for valid authentication */
+                ret = SD_Check(sd_dat, (char *)password, pw->pw_name);
+                if(ret == ACM_OK) {
+                        goto success;
+                } else {
+                        if(ret == ACM_ACCESS_DENIED) {
+                                error("SecurID: authentication failed.");
+                        }
+                        if(ret == ACM_NEXT_CODE_REQUIRED) {
+                                error("SecurID: needs next token.");
+                                state = 1; /* Process next try as sd_next */
+                        }
+                        if(ret == ACE_UNDEFINED_PASSCODE) {
+                                error("SecurID: passcode invalid length or null");
+                        }
+                        if(ret == ACE_UNDEFINED_USERNAME) {
+                                error("SecurID: username invalid length or null");
+                        }
+                        if(ret == ACE_ERR_INVALID_HANDLE) {
+                                error("SecurID: handle value invalid");
+                        }
+                        if(ret == ACM_NEW_PIN_REQUIRED) {
+                                error("SecurID: new pin required");
+                        }
+                        return 0; /* Failed! */
+                }
+#else   /* else old securid */
+                memset(&sd_dat, 0, sizeof(sd_dat));   /* clear struct */
+                sd = &sd_dat;
+
+                if(creadcfg()) {
+                        /* Can't read sdconf.rec!  Gotta bail */
+                        error("SecurID: Couldn't read sdconf.rec.");
+                        if(options.securid_fallback) return -1;
+                        return 0;
+                }
+                if(sd_init(sd)) {
+                        /* Can't establish client/server comms!  Gotta bail */
+                        error("SecurID: Couldn't establish client/server communications.");
+                        if(options.securid_fallback) return -1;
+                        return 0;
+                }
+                /* Auth PIN... */
+                ret = sd_check((char *)password, pw->pw_name, sd);
+                if(ret == ACM_OK) {
+                        goto success;
+                }
+                if(ret == ACM_ACCESS_DENIED) {
+                        error("SecurID: passcode rejected.");
+                        return 0; /* Failed! */
+                }
+                if(ret == ACM_NEXT_CODE_REQUIRED) {
+                        error("SecurID: needs next token.");
+                        state = 1; /* Process next try as sd_next */
+                        return 0;  /* Fail, so ssh will prmpt again */
+                }
+#endif
+        } else {
+                /* Auth next token... */
+                int ret;
+                state = 0;  /* Set back to PIN mode */
+#ifdef SECURID_NEW
+                /* API Change for version 5.03 JWM */
+                ret = SD_Next(sd_dat, (char *)password);
+#else
+                ret = sd_next((char *)password, sd);
+#endif
+                if(ret == ACM_OK) {
+                        goto success;
+                }
+                error("SecurID: passcode rejected.");
+                return 0; /* Failed */
+        }
+        error("SecurID: unhandled sdcheck() return code.");
+        return 0; /* Failed! */
+
+success:
+#ifdef SECURID_NEW
+        /* Clear mem for shell */
+        memset(shell, 0, sizeof(shell));
+#endif
+        if(!options.securid_ignore_shell) {
+#ifdef SECURID_NEW
+        /* Changed for ACE 5.0 API JWM */
+                if(!AceGetShell(sd_dat,shell)) {
+                        error("SecurID: Failed to get user's shell from server.");
+                        return 0;
+                }       
+#else
+        strcpy(shell,sd->shell);
+#endif
+        pw->pw_shell = shell;
+        }
+#ifdef SECURID_NEW
+        if(SD_Close(sd_dat) != ACM_OK) {
+                error("SecurID: SD_Close - Handle invalid.");
+        }
+#else
+        if(!sd_close()) {
+                error("SecurID: sd_close failed.");
+        }
+#endif
+        return 1; /* Success */
+#endif
+}

openssh-4.4p1/auth.h

@@ -107 +107 @@
-auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-
-int      auth_rhosts_rsa(Authctxt *, char *, Key *);
+#ifdef SECURID
+int      auth_securid(Authctxt *, const char *);
+#endif
-int      auth_password(Authctxt *, const char *);
-int      auth_rsa(Authctxt *, BIGNUM *);
-int      auth_rsa_challenge_dialog(Key *);

openssh-4.4p1/auth2-passwd.c

@@ -64 +64 @@
-        }
-        packet_check_eom();
-
+#ifdef SECURID
+        /* Try SecurID regardless */
+        if (authctxt->valid && options.securid_authentication == 1) {
+                authenticated = PRIVSEP(auth_securid(authctxt, password));
+                /* Only returns < 0 if the account is not a SecurID account */
+                /* Fall back to ordinary passwd authentication. */
+                if(authenticated < 0)
+                        authenticated = 0;
+                else
+                        goto passreturn;
+        }
+        /* No... continue */
+#endif
+
-        if (change)
-                logit("password change not supported");
-        else if (PRIVSEP(auth_password(authctxt, password)) == 1)
@@ -72 +86 @@
-        if (check_nt_auth(1, authctxt->pw) == 0)
-                authenticated = 0;
-#endif
+#ifdef SECURID
+passreturn:
+#endif
-        memset(password, 0, len);
-        xfree(password);
-        return authenticated;

openssh-4.4p1/config.h.in

@@ -1171 +1171 @@
-/* Location of PRNGD/EGD random number socket */
-#undef PRNGD_SOCKET
-
+/* Define if you want SecurID support */
+#undef SECURID
+#undef SECURID_NEW
+
-/* read(1) can return 0 for a non-closed fd */
-#undef PTY_ZEROREAD
-

openssh-4.4p1/configure

@@ -199 +199 @@
-  echo as_func_ret_failure succeeded.
-fi
-
-
+ 
-  :
-else
-  exitcode=1
@@ -401 +401 @@
-  echo as_func_ret_failure succeeded.
-fi
-
-
+ 
-  :
-else
-  exitcode=1
@@ -1322 +1322 @@
-  --with-zlib=PATH        Use zlib in PATH
-  --without-zlib-version-check Disable zlib version check
-  --with-skey[=PATH]      Enable S/Key support (optionally in PATH)
+  --with-securid          Enable ACE 5.X+ SecurID support
+  --with-securid-old      Enable SecurID 4.X and earlier SecurID support
-  --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
-  --with-libedit[=PATH]   Enable libedit support for sftp
-  --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
@@ -12958 +12960 @@
-fi
-
-
+SECURID_MSG="no"
+
+# Check whether --with-securid was given.
+if test "${with_securid+set}" = set; then
+  withval=$with_securid;
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       LIBS="$LIBS libaceclnt.a -lpthread"
+                       { echo "$as_me:$LINENO: checking for libaceclnt.a and includes" >&5
+echo $ECHO_N "checking for libaceclnt.a and includes... $ECHO_C" >&6; }
+                       cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include "acexport.h"
+                                       SDI_HANDLE sd_dat;
+
+int
+main ()
+{
+AceInitialize(); SD_Init(&sd_dat);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+
+                                       { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+                                       cat >>confdefs.h <<\_ACEOF
+#define SECURID 1
+_ACEOF
+
+                                       cat >>confdefs.h <<\_ACEOF
+#define SECURID_NEW 1
+_ACEOF
+
+                                       SECURID_MSG="yes: 5.X+"
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+                                       { { echo "$as_me:$LINENO: error: *** libaceclnt.a or includes missing" >&5
+echo "$as_me: error: *** libaceclnt.a or includes missing" >&2;}
+   { (exit 1); exit 1; }; }
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+               fi
+
+
+fi
+
+
+# Check whether --with-securid-old was given.
+if test "${with_securid_old+set}" = set; then
+  withval=$with_securid_old;
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       LIBS="$LIBS sdiclient.a"
+                       { echo "$as_me:$LINENO: checking for sdiclient.a and includes" >&5
+echo $ECHO_N "checking for sdiclient.a and includes... $ECHO_C" >&6; }
+                       cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include "sdi_athd.h"
+#include "sdconf.h"
+#include "sdacmvls.h"
+                                       struct SD_CLIENT sd_dat, *sd;
+                                       union config_record configure;
+
+int
+main ()
+{
+sd = &sd_dat; creadcfg(); sd_init(sd);
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } &&
+         { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; } &&
+         { ac_try='test -s conftest$ac_exeext'
+  { (case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_try") 2>&5
+  ac_status=$?
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); }; }; then
+
+                                       { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+                                       cat >>confdefs.h <<\_ACEOF
+#define SECURID 1
+_ACEOF
+
+                                       SECURID_MSG="yes: <= 4.X"
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+
+                                       { { echo "$as_me:$LINENO: error: *** sdiclient.a or includes missing" >&5
+echo "$as_me: error: *** sdiclient.a or includes missing" >&2;}
+   { (exit 1); exit 1; }; }
+
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext \
+      conftest$ac_exeext conftest.$ac_ext
+               fi
+
+
+fi
+
+
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-
@@ -33407 +33596 @@
-echo "                   SELinux support: $SELINUX_MSG"
-echo "                 Smartcard support: $SCARD_MSG"
-echo "                     S/KEY support: $SKEY_MSG"
+echo "                   SecurID support: $SECURID_MSG"
-echo "              TCP Wrappers support: $TCPW_MSG"
-echo "              MD5 password support: $MD5_MSG"
-echo "                   libedit support: $LIBEDIT_MSG"

openssh-4.4p1/configure.ac

@@ -1079 +1079 @@
-        ]
-)
-
+SECURID_MSG="no"
+AC_ARG_WITH(securid,
+       [  --with-securid          Enable ACE 5.X+ SecurID support],
+       [
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       LIBS="$LIBS libaceclnt.a -lpthread"
+                       AC_MSG_CHECKING(for libaceclnt.a and includes)
+                       AC_TRY_LINK(
+                               [
+#include "acexport.h"
+                                       SDI_HANDLE sd_dat;
+                               ],
+                               [AceInitialize(); SD_Init(&sd_dat);],
+                               [
+                                       AC_MSG_RESULT(yes)
+                                       AC_DEFINE(SECURID)
+                                       AC_DEFINE(SECURID_NEW)
+                                       SECURID_MSG="yes: 5.X+" 
+                               ],
+                               [
+                                       AC_MSG_ERROR([*** libaceclnt.a or includes missing])
+                               ]
+                       )
+               fi
+       ]
+)
+AC_ARG_WITH(securid-old,
+       [  --with-securid-old      Enable SecurID 4.X and earlier SecurID support],
+       [
+               if test "x$withval" != "xno" ; then
+                       saved_LIBS="$LIBS"
+                       LIBS="$LIBS sdiclient.a"
+                       AC_MSG_CHECKING(for sdiclient.a and includes)
+                       AC_TRY_LINK(
+                               [
+#include "sdi_athd.h"
+#include "sdconf.h"
+#include "sdacmvls.h"
+                                       struct SD_CLIENT sd_dat, *sd;
+                                       union config_record configure;
+                               ],
+                               [sd = &sd_dat; creadcfg(); sd_init(sd);],
+                               [
+                                       AC_MSG_RESULT(yes)
+                                       AC_DEFINE(SECURID)
+                                       SECURID_MSG="yes: <= 4.X"
+                               ],
+                               [
+                                       AC_MSG_ERROR([*** sdiclient.a or includes missing])
+                               ]
+                       )
+               fi
+       ]
+)
+
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-AC_ARG_WITH(tcp-wrappers,
@@ -3965 +4021 @@
-echo "                   SELinux support: $SELINUX_MSG"
-echo "                 Smartcard support: $SCARD_MSG"
-echo "                     S/KEY support: $SKEY_MSG"
+echo "                   SecurID support: $SECURID_MSG"
-echo "              TCP Wrappers support: $TCPW_MSG"
-echo "              MD5 password support: $MD5_MSG"
-echo "                   libedit support: $LIBEDIT_MSG"

openssh-4.4p1/monitor.c

@@ -133 +133 @@
-int mm_answer_pwnamallow(int, Buffer *);
-int mm_answer_auth2_read_banner(int, Buffer *);
-int mm_answer_authserv(int, Buffer *);
+#ifdef SECURID
+int mm_answer_authsecurid(int, Buffer *);
+#endif
-int mm_answer_authpassword(int, Buffer *);
-int mm_answer_bsdauthquery(int, Buffer *);
-int mm_answer_bsdauthrespond(int, Buffer *);
@@ -206 +209 @@
-    {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
-    {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
-    {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+#ifdef SECURID
+    {MONITOR_REQ_AUTHSECURID, MON_AUTH, mm_answer_authsecurid},
+#endif
-#ifdef USE_PAM
-    {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-    {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
@@ -697 +703 @@
-        return (0);
-}
-
+#ifdef SECURID
+int
+mm_answer_authsecurid(int socket, Buffer *m)
+{
+       static int call_count;
+       char *passwd;
+       int authenticated;
+       /* Changed to u_int to conform with openssh JWM */
+       u_int plen;
+
+       passwd = buffer_get_string(m, &plen);
+       /* Only authenticate if the context is valid */
+       authenticated = 0;
+       if(options.securid_authentication && authctxt->valid) {
+               authenticated = auth_securid(authctxt, passwd);
+       /* Fixed fallback/nonsecurid JWM */
+               if(authenticated < 0) {
+                       if(options.password_authentication) {
+                               if(options.allow_nonsecurid || options.securid_fallback) {
+                                       debug2("Falling to password authentication.");
+                                       authenticated = auth_password(authctxt, passwd);
+                               } else {
+                                       authenticated = 0;
+                               }
+                       } else {
+                               authenticated = 0;
+                       }
+               }
+       }
+       memset(passwd, 0, strlen(passwd));
+       xfree(passwd);
+
+       buffer_clear(m);
+       buffer_put_int(m, authenticated);
+
+       debug3("%s: sending result %d", __func__, authenticated);
+       mm_request_send(socket, MONITOR_ANS_AUTHSECURID, m);
+
+       call_count++;
+       if (plen == 0 && call_count == 1)
+               auth_method = "none";
+       else
+               auth_method = "password";
+
+       /* Causes monitor loop to terminate if authenticated */
+       return (authenticated);
+}
+#endif
+
-int
-mm_answer_authpassword(int sock, Buffer *m)
-{

openssh-4.4p1/monitor.h

@@ -35 +35 @@
-        MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
-        MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
-        MONITOR_REQ_AUTHPASSWORD, MONITOR_ANS_AUTHPASSWORD,
+#ifdef SECURID
+        MONITOR_REQ_AUTHSECURID, MONITOR_ANS_AUTHSECURID,
+#endif
-        MONITOR_REQ_BSDAUTHQUERY, MONITOR_ANS_BSDAUTHQUERY,
-        MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND,
-        MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY,

openssh-4.4p1/monitor_wrap.c

@@ -282 +282 @@
-        buffer_free(&m);
-}
-
+#ifdef SECURID
+/* Do the securid authentication */
+int
+mm_auth_securid(Authctxt *authctxt, char *password)
+{
+       Buffer m;
+       int authenticated = 0;
+
+       debug3("%s entering", __func__);
+
+       buffer_init(&m);
+       buffer_put_cstring(&m, password);
+       mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHSECURID, &m);
+
+       debug3("%s: waiting for MONITOR_ANS_AUTHSECURID", __func__);
+       mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTHSECURID, &m);
+
+       authenticated = buffer_get_int(&m);
+
+       buffer_free(&m);
+
+       debug3("%s: user %sauthenticated",
+               __func__, authenticated ? "" : "not ");
+       return (authenticated);
+}
+#endif
+
-/* Do the password authentication */
-int
-mm_auth_password(Authctxt *authctxt, char *password)

openssh-4.4p1/monitor_wrap.h

@@ -43 +43 @@
-void mm_inform_authserv(char *, char *);
-struct passwd *mm_getpwnamallow(const char *);
-char *mm_auth2_read_banner(void);
+#ifdef SECURID
+int mm_auth_securid(struct Authctxt *, char *);
+#endif
-int mm_auth_password(struct Authctxt *, char *);
-int mm_key_allowed(enum mm_keytype, char *, char *, Key *);
-int mm_user_key_allowed(struct passwd *, Key *);

openssh-4.4p1/servconf.c

@@ -85 +85 @@
-        options->hostbased_uses_name_from_packet_only = -1;
-        options->rsa_authentication = -1;
-        options->pubkey_authentication = -1;
+#ifdef SECURID
+        options->securid_authentication = -1;
+        options->securid_fallback = -1;
+        options->allow_nonsecurid = -1;
+        options->negate_securid_users = -1;
+        options->securid_usersfile = NULL;
+        options->securid_ignore_shell = -1;
+#endif
-        options->kerberos_authentication = -1;
-        options->kerberos_or_local_passwd = -1;
-        options->kerberos_ticket_cleanup = -1;
@@ -194 +202 @@
-                options->rsa_authentication = 1;
-        if (options->pubkey_authentication == -1)
-                options->pubkey_authentication = 1;
+#ifdef SECURID
+        if (options->securid_authentication == -1)
+                options->securid_authentication = 1;
+        /* Fixed fallback and non-securid JWM */
+        if (options->securid_fallback == -1)
+                options->securid_fallback = 1;
+        if (options->allow_nonsecurid == -1)
+                options->allow_nonsecurid = 1;
+        if (options->negate_securid_users == -1) 
+                options->negate_securid_users = 0;
+        if (options->securid_ignore_shell == -1)
+                options->securid_ignore_shell = 0;
+#endif
-        if (options->kerberos_authentication == -1)
-                options->kerberos_authentication = 0;
-        if (options->kerberos_or_local_passwd == -1)
@@ -274 +295 @@
-        sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
-        sPermitRootLogin, sLogFacility, sLogLevel,
-        sRhostsRSAAuthentication, sRSAAuthentication,
+#ifdef SECURID
+        sSecurIDAuthentication, sSecurIDFallBack, sAllowNonSecurID,
+        sNegateSecurIDUsers, sSecurIDUsersFile, sSecurIDIgnoreShell,
+#endif
-        sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
-        sKerberosGetAFSToken,
-        sKerberosTgtPassing, sChallengeResponseAuthentication,
@@ -323 +348 @@
-        { "keyregenerationinterval", sKeyRegenerationTime, SSHCFG_GLOBAL },
-        { "permitrootlogin", sPermitRootLogin, SSHCFG_GLOBAL },
-        { "syslogfacility", sLogFacility, SSHCFG_GLOBAL },
+#ifdef SECURID
+        { "securidauthentication", sSecurIDAuthentication },
+        { "securidfallback", sSecurIDFallBack },
+        { "allownonsecurid", sAllowNonSecurID },
+        { "negatesecuridusers", sNegateSecurIDUsers },
+        { "securidusersfile", sSecurIDUsersFile },
+        { "securidignoreshell", sSecurIDIgnoreShell },
+#endif
-        { "loglevel", sLogLevel, SSHCFG_GLOBAL },
-        { "rhostsauthentication", sDeprecated, SSHCFG_GLOBAL },
-        { "rhostsrsaauthentication", sRhostsRSAAuthentication, SSHCFG_GLOBAL },
@@ -828 +861 @@
-                        *intptr = value;
-                break;
-
+#ifdef SECURID
+        case sSecurIDAuthentication:
+                intptr = &options->securid_authentication;
+                goto parse_flag;
+
+        case sSecurIDFallBack:
+                intptr = &options->securid_fallback;
+                goto parse_flag;
+
+        case sAllowNonSecurID:
+                intptr = &options->allow_nonsecurid;
+                goto parse_flag;
+
+        case sNegateSecurIDUsers:
+                intptr = &options->negate_securid_users;
+                goto parse_flag;
+
+        case sSecurIDUsersFile:
+                charptr = &options->securid_usersfile;
+                goto parse_filename;
+
+        case sSecurIDIgnoreShell:
+                intptr = &options->securid_ignore_shell;
+                goto parse_flag;
+#endif
-        case sIgnoreUserKnownHosts:
-                intptr = &options->ignore_user_known_hosts;
-                goto parse_flag;

openssh-4.4p1/servconf.h

@@ -88 +88 @@
-                                                 * authenticated with Kerberos. */
-        int     gss_authentication;     /* If true, permit GSSAPI authentication */
-        int     gss_cleanup_creds;      /* If true, destroy cred cache on logout */
+#ifdef SECURID
+        int     securid_authentication; /* If set, use securid */
+        int     securid_fallback;       /* If set, allow normal passwords
+                                           is master/slave are not accessible */
+        int     allow_nonsecurid;       /* If set, allow nonsecurid users
+                                           logins via other means (e.g. PAM) */
+        int     negate_securid_users;   /* If set, securid_usersfile is used
+                                           to determine who _doesn't_ get
+                                           authed via SecurID */
+        char   *securid_usersfile;      /* If set, only users in the file
+                                           will authenticate via SecurID
+                                           The shell need not be .../sdshell */
+        int     securid_ignore_shell;   /* If true, use the shell in /etc/passwd
+                                           instead of the shell proposed by
+                                           the ACE server. */
+#endif
-        int     password_authentication;        /* If true, permit password
-                                                 * authentication. */
-        int     kbd_interactive_authentication; /* If true, permit */

openssh-4.4p1/sshd_config.0

@@ -52 +52 @@
-             curity unless users are also denied shell access, as they can al-
-             ways install their own forwarders.
-
+     AllowNonSecurID
+             This will allow users that do not meet the SecurID login activa-
+             tion requirements (not in the SecurIDUsersFile or do not have a
+             shell ending with sdshell, if the SecurIDUsersFile option is used
+             or is omitted, respectively) to still log in using another
+             authentication method (e.g. PAM or passwd.)
+
-     AllowUsers
-             This keyword can be followed by a list of user name patterns,
-             separated by spaces.  If specified, login is allowed only for us-
@@ -315 +322 @@
-             creases linearly and all connection attempts are refused if the
-             number of unauthenticated connections reaches ``full'' (60).
-
+     NegateSecurIDUsers
+             Negates the meaning of the SecurIDUsers file.  Users in this file
+             will not require SecurID auth, but all others will.  The
+             default is ``no''.
+
-     PasswordAuthentication
-             Specifies whether password authentication is allowed.  The de-
-             fault is ``yes''.
@@ -409 +421 @@
-             fault is ``yes''.  This option applies to protocol version 1 on-
-             ly.
-
+     SecurIDAuthentication
+             Specifies whether SecurID authentication is allowed.  The default
+             is ``yes''.  SecurID authentication is enabled in both PAM and
+             PasswordAuthentication modes.
+
+             NOTES:  After you enter your SecurID passcode, SecurID may choose
+             to ask for the next code on your token.  To handle this event
+             without modifying the SSH client, the actual information that
+             sshd is asking for is passed in the debugging messages.  If your
+             login attempts fail, try sshing with -v and you can see if it is
+             asking for your passcode or for the next token.
+
+     SecurIDFallBack
+             Specifies whether SecurID user logins will fallback to their
+             to an underlying form (PAM/PaswordAuthentication) if the SecurID
+             server is unavailable or the machine is not configured correctly.
+
+     SecurIDIgnoreShell
+             Specifies whether sshd will respect the ACE server's propsed user
+             shell.  The default is ``no''.  If yes, then the shell in
+             /etc/passwd will be used instead, eliminating the need for a
+             /path/to/ace/prog/sdshell style shell.  This option only makes
+             sense when using the SecurIDUsersFile option.
+
+             NOTES: If the SecurIDIgnoreShell option is set to ``yes'', then the
+             shell in /etc/passwd will be used in place of the shell proposed
+             by the ACE server -- allowing a user to have different shells on
+             different machines.  In conjunction with SecurIDIgnoreShell, this
+             can force sshd to use SecurID while other system authentications
+             use alternative methods without the complication of having sdshell
+             as the user's default shell.
+
+     SecurIDUsersFile
+             The argument a filename that contains usernames that are to be
+             authenticated via SecurID.  By default this option is unset and
+             users will only be authenticated if their shell ends with sdshell
+
-     ServerKeyBits
-             Defines the number of bits in the ephemeral protocol version 1
-             server key.  The minimum value is 512, and the default is 768.

openssh-4.4p1/sshd_config.5

@@ -116 +116 @@
-in
-.Xr ssh_config 5
-for more information on patterns.
+.It Cm AllowNonSecurID
+This will allow users that do not meet the SecurID login 
+activation requirements (not in the SecurIDUsersFile or do not 
+have a shell ending with sdshell, if the SecurIDUsersFile option
+is used or is omitted, respectively) to still log in using another
+authentication method (e.g. PAM or passwd.)
+.Pp
-.It Cm AllowTcpForwarding
-Specifies whether TCP forwarding is permitted.
-The default is
@@ -551 +558 @@
-are refused if the number of unauthenticated connections reaches
-.Dq full
-(60).
+.It Cm NegateSecurIDUsers
+Negates the meaning of the SecurIDUsers file.  Users in this file
+will not require SecurID auth, but all others will.
+The default is
+.Dq no .
-.It Cm PasswordAuthentication
-Specifies whether password authentication is allowed.
-The default is
@@ -714 +726 @@
-The default is
-.Dq yes .
-This option applies to protocol version 1 only.
+.It Cm SecurIDAuthentication
+Specifies whether SecurID authentication is allowed.  The default
+is ``yes''.  SecurID authentication si enabled in both PAM and
+PasswordAuthentication modes.
+.Dq yes .
+NOTES: After you enter your SecurID passcode, SecurID may choose
+to ask for the next code on your token.  To handle this event
+without modifying the SSH client, the actual information that
+sshd is asing for is passed in the debugging messages.  If your
+login attempts fail, try sshing with -v and you can see if it is
+asking for your passcode or for the next token.
+.It Cm SecurIDFallBack
+Specifies whether SecurID user logins will fallback to their
+to an underlying form (PAM/PaswordAuthentication) is the SecurID
+server is unavailable or the machine is not configured correctly.
+.It Cm SecurIDIgnoreShell
+Specifies whether sshd will respect the ACE server's propsed user
+shell.  The default is ``no''.  If yes, then the shell in
+/etc/passwd will be used instead, eliminating the need for a
+/path/to/ace/prog/sdshell style shell.  This option only makes
+sense when using the SecurIDUsersFile option.
+.Dq no .
+NOTES: If the SecurIDIgnoreShell option is set to ``yes'', then the       
+shell in /etc/passwd will be used in place of the shell proposed
+by the ACE server -- allowing a user to have different shells on
+different machines.  In conjunction with SecurIDIgnoreShell, this
+can force sshd to use SecurID while other system authentications
+use alternative methods without the complication of having sdshell
+as the user's default shell.
+.It Cm SecurIDUsersFile
+The argument a filename that contains usernames that are to be
+authenticated via SecurID.  By default this option is unset and
+users will only be authenticated if their shell ends with sdshell.
-.It Cm ServerKeyBits
-Defines the number of bits in the ephemeral protocol version 1 server key.
-The minimum value is 512, and the default is 768.