[NBLUG/talk] RSA SecurID Tokens (and openldap for ssh rsa keys)

Jacob Appelbaum jake at nblug.org
Fri Mar 2 15:34:02 PST 2007


Hi *,

I'm interested in using RSA SecurID tokens with Ubuntu 6.06LTS. This 
version of Ubuntu uses OpenSSH version 4.2p1-7ubuntu3. I already have an 
RSA Ace server running on another system (RHEL), so this system merely 
needs to auth against that ACE server.

I found a seemingly useful patch that allows for authentication for this 
version of OpenSSH:
http://sweb.cz/v_t_m/#securid

I also found another project that provides a patch. It looks promising 
as it appears to support newer versions of OpenSSH:
http://omniti.com/~jesus/projects/
http://omniti.com/~jesus/projects/openssh-4.5p1+SecurID_v1.3.2.patch
http://www.joerg.cc/cgi-bin/wiki.pl?MySecurID-page
http://freshmeat.net/projects/opensshsecurid/

I've also read about a person using PAM with Radius 
(http://lists.freebsd.org/pipermail/freebsd-questions/2005-March/080198.html) 
to talk to the ACE server but I haven't any experience with it beyond 
that single email.

It's also seemingly supported in the ssh.com version of ssh. This isn't 
very useful though; I don't want to use the commercial version of ssh. 
Just for the sake of being complete, I'll include the link for it anyway:
http://ssh.com/support/documentation/online/ssh/adminguide/51/userauth-kbi-securid.html

I'm interested in using one of the two but I'm not sure which is the 
best. Surely someone here has implemented RSA SecurID and integrated it 
with OpenSSH. I imagine though they've done it with RHEL and while I'm 
trying to do it with Ubuntu or Debian, any experience would be helpful 
to hear about!

In a different but semi-related patch, I've been interested in having a 
central way of storing ssh rsa keys (the ones that go in 
authorized_keys). It's not really plausible to manage keys on 100s of 
systems without having a way to revoke them in a single go. It turns out 
that I'm not the only one who has wanted this, and someone kindly wrote a 
patch that allows for integration with LDAP:
http://blog.fupps.com/2006/03/02/ssh-public-keys-from-ldap/
http://dev.inversepath.com/trac/openssh-lpk
http://freshmeat.net/projects/lpk/

The combination of these patches might be a problem, I'm not sure. I 
haven't tried to build OpenSSH with either yet. It does seem like a 
really great way to have a central authority with the flexibility of 
having either a hardware token or an ssh-key.

If anyone has any experience with any of this, I'd love to pick your 
brain. If not, I guess I'll report back with more of my findings in the 
future. Hopefully with some packages that are useful for other people in 
need of these types of authentication.

Regards,
Jacob Appelbaum
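An added example that is not code from the post or from the openssh-lpk project: it turns an LDIF export of a user entry into the lines sshd would accept in authorized_keys, dropping malformed values so a single bad attribute cannot break key lookup. It assumes the lpk schema's sshPublicKey attribute name; the LDIF entry and the key blob are constructed (the blob is a fake, not a real key).

```python
import base64
import struct

# Attribute name from the openssh-lpk schema (assumed here; check the
# schema file shipped with the patch you actually build).
KEY_ATTR = "sshPublicKey"

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample: a syntactically valid ssh-rsa blob with a fake
# modulus, NOT a real key. Type string, then mpint e, then mpint n.
_FAKE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
    + _ssh_string(b"\x00\xc3\x11\x42")
).decode()

# Constructed LDIF export, shaped like one entry printed by ldapsearch -LLL.
SAMPLE_LDIF = f"""dn: uid=jake,ou=People,dc=example,dc=org
objectClass: ldapPublicKey
uid: jake
sshPublicKey: ssh-rsa {_FAKE_BLOB} jake@laptop
sshPublicKey: ssh-rsa not-base64!! jake@broken
sshPublicKey: ssh-dss {_FAKE_BLOB} jake@mismatch
"""

def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attr: [values]}: folds continuation
    lines (leading space) and decodes base64 values marked with '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def valid_key_line(line: str) -> bool:
    """True only for '<type> <base64> [comment]' whose blob's embedded
    type string matches the declared type (catches truncated/edited values)."""
    parts = line.split()
    if len(parts) < 2:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return n > 0 and blob[4:4 + n].decode() == parts[0]
    except Exception:
        return False

def authorized_keys_from_ldif(text: str) -> list:
    """Key lines sshd would accept; malformed values are dropped."""
    entry = parse_ldif_entry(text)
    return [k for k in entry.get(KEY_ATTR, []) if valid_key_line(k)]
```

Revocation then means deleting the attribute value in LDAP: the next lookup simply returns no line for that key.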