SecureID and Linux?
mr.smart asks: "I've managed to talk the bosses into letting me use Linux at work, but we use secure id token cards on our e450's and they want me to use them on the Linux boxes, too. The question: is there a way to use SecureID tokens with Linux... is there a PAM module or something? I've been looking around and I haven't found anything... "
- Mike
Bubbasatan's right. In general, SecurID doesn't require ANYTHING on the client workstation, really. Usually, here's how it works:
A user dials into the remote network using regular ppp dialup, but usually the entire pool of users will use the same username/pass to get in (at our company, it's "user" with no password). At that point, the ppp client will run a script maybe... or at least open a terminal window. It's in this terminal window that you enter your securID ID, followed by your PIN + the code on the securID card at that moment. There's no encryption or anything at all. Theoretically, there doesn't have to be since that number showing on the card is unique to that moment in time. So if anybody DOES sniff it, they've only got a window of a few seconds to try to use it somewhere else.
So yes, you certainly CAN use SecureID with Linux. I did it last year with no problem. We dial into old IBM 8235 RAS boxes, but all of them probably act similarly. Look at what scripts may be being called by DUN on your Windows-using coworkers' machines for hints.
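How long a sniffed passcode stays usable depends on the server-side check, so here is an added example (not part of the thread) of a verifier that accepts PIN + time-based code and refuses a code it has already accepted. It is not RSA's proprietary SecurID algorithm: RFC 6238 TOTP stands in for it, and the 60-second step, 6-digit code, seed and PIN are assumed values.

```python
import hashlib
import hmac
import struct

STEP = 60    # assumed: seconds each displayed code stays valid
DIGITS = 6   # assumed: length of the displayed code


def token_code(secret, t, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing t."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: validates PIN + code and refuses codes already used."""

    def __init__(self, secret, pin, drift_steps=1):
        self.secret = secret
        self.pin = pin
        self.drift_steps = drift_steps   # clock skew tolerated, in steps
        self.last_step = -1              # newest time step already accepted

    def check(self, passcode, now):
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        current = int(now) // STEP
        for s in range(current - self.drift_steps, current + self.drift_steps + 1):
            expected = token_code(self.secret, s * STEP)
            code_ok = hmac.compare_digest(code.encode(), expected.encode())
            # Only steps newer than the last accepted one count, so a code
            # sniffed off the wire cannot be replayed inside its window.
            if pin_ok and code_ok and s > self.last_step:
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    seed, t0 = b"constructed-demo-seed", 1_000_000_000   # constructed values
    server = Verifier(seed, pin="1234")
    sniffed = "1234" + token_code(seed, t0)
    print(server.check(sniffed, t0))        # first use by the real user
    print(server.check(sniffed, t0 + 5))    # replay seconds later
    print(Verifier(seed, "1234").check(sniffed, t0 + 10 * STEP))  # stale
```

Without the `last_step` bookkeeping, the same passcode would be accepted again for the rest of its time step plus the drift allowance.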
I don't think that the SecureID system uses anything special on the client side. The authentication it uses is done entirely on the server side. Any PPP which uses clear text authentication should be able to be authenticated if the server is set for clear text. As far as encrypted authentication, I don't really know what SecurID uses. Basically, you should be able to set up a PPP which sends your userid and SecureID to the dialin box doing the authentication. You might want to script it so that you get a field to put the time-decay token into, but that should really be about it. I don't know what you are using as far as network type goes, but you should at least be able to authenticate to the dialin box. Hope this helps. If you are using something like VPN, it might use the IPSEC stuff. I have some Linux config info for that. If you are interested, post a reply and I'll pass that info along.
Windows is going the way of phlogiston...
See http://www.kernel.org/pub/linux/libs/pam/modules.html. On that page there are also links to Radius and TACACS+ PAMs. Additionally http://www.livingston.com/tech/docs/radius/introducing.html talks about radius->securid gateways.
I would use preview if /. didn't cause netscape to crash 40% of the time.