From: Jeff Wirth
To: freebsd-questions@freebsd.org
Date: Thu, 10 Mar 2005 13:46:00 -0500
Subject: FreeBSD and RSA SecurID Authentication

List,

This post is really for archival purposes in the event that someone else is looking into centralized authentication with RSA SecurID and FreeBSD (or any other *nix platform for that matter).
The organization I currently work for has a large ($$$) investment in RSA SecurID (for VPN use mainly) and, like most technology deployments around here, it is not used to its full capability. With the onset of SOX and the like, password use/policy/management has become a rather large headache. So for us, SecurID made sense (at least in theory): centralized, one-time passwords. (Yes, I know there are other options for centralized Unix account administration, but to this point we have only used local accounts and some SecurID. And our goal was to leverage existing infrastructure.)

Our Unix environment, in a phrase: "you build it, we'll run it". So it was off to RSA to see what agents/clients are currently available. Now we've been running older versions, in a limited capacity, of the RSA agents for some time (sdshell: a shell that requires SecurID authentication), but the support is limited (HP-UX, Solaris, AIX). Then I noticed an available PAM module, joy! But the joy was short-lived: it only supports Solaris and RHE Linux. So, when all else fails you head to google... What I found was a lot of people in the same boat (on various platforms). I found a few possible solutions, but not anything I felt confident about. So back to square one.

Then I remembered that our VPN environment uses SecurID, but via RADIUS. Ahhh... Knowing that FreeBSD already had a RADIUS PAM module, it was my first test platform (5.3). Once everything was configured it worked like a charm. Now for the rest of the environment...

Linux: Not a problem (most distros come with the FreeRADIUS PAM module).
Solaris: Used the PAM module from FreeRADIUS.
HP-UX: Also used the module from FreeRADIUS (it was a bear to get compiled).
AIX: Haven't gotten to this one yet, but I have my fingers crossed ;-).

Everything at this point appears to work well, and the best part is that the solution/setup is the same for all! A 'very quick' overview of the configuration...
1 - An RSA ACE Server running and configured with RADIUS (currently runs on Solaris/HP-UX and Windows?)
2 - A client server with a RADIUS PAM module
3 - Create a 'Shared Secret'.
4 - Configure the RSA ACE/RADIUS server and the client server with the 'shared secret'. (The PAM module uses /etc/radius.conf for the 'shared secret', server name, etc.)
5 - Configure PAM/sshd (or whatever PAM-aware services) to require RADIUS authentication.
6 - Configure your local users. (The local username must be their SecurID username.)

Here are some links...

http://www.freeradius.org/
http://www.freeradius.org/pam_radius_auth/
http://www.faqs.org/rfcs/rfc2865.html
http://www.rsasecurity.com/ (limited documentation here, it's all on the install CDs)

... and of course various local manpages.

A quick note on security... RADIUS is not the most secure protocol out there. As a matter of fact, data is hidden via an md5 hash (more details: http://www.faqs.org/rfcs/rfc2865.html). But our feeling was that since it's SecurID and the generated passcode is only used one time, the risk is acceptable/minimal! (better than a lame password any day ;-)

HTH
-jw
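As an added illustration that is not part of the original post and not code from FreeRADIUS, RSA or the FreeBSD pam_radius module, here is a small Python model of the RADIUS exchange the setup above depends on. It shows what the 'shared secret' from steps 3 and 4 actually does on both ends (the client hides the one-time passcode with it, the server recovers the passcode and signs its reply with it, and the client refuses a reply it cannot verify), and it makes concrete the security note about the User-Password attribute being hidden with an MD5-based construction per RFC 2865 rather than encrypted. The user name, passcode, NAS identifier and shared secret are constructed sample values; the verify() callback stands in for the ACE server's token check and is an assumption of this example.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 and XOR
    each 16-byte chunk with MD5(secret + previous cipher block); the first block
    is keyed by the 16-byte Request Authenticator. This is obfuscation, not encryption."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, header included) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(username, password, secret, ident, request_auth=None):
    ra = request_auth or secrets.token_bytes(16)  # fresh random Request Authenticator
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, ra)),
             (ATTR_NAS_IDENTIFIER, b"constructed-nas")]  # constructed sample value
    return build_packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def server_handle(packet, secret, verify):
    """Toy server: recover the passcode, consult verify(user, passcode), sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    passcode = unhide_password(attrs[ATTR_USER_PASSWORD], secret, ra)
    reply_code = ACCESS_ACCEPT if verify(attrs[ATTR_USER_NAME], passcode) else ACCESS_REJECT
    auth = response_authenticator(reply_code, ident, ra, b"", secret)
    return build_packet(reply_code, ident, auth, [])


def client_check_reply(reply, request, secret):
    """Client side: accept a reply only if the Identifier matches our request and the
    Response Authenticator verifies under the shared secret; otherwise return None."""
    rcode, rid, rlen = struct.unpack("!BBH", reply[:4])
    qid = request[1]
    if rid != qid or rlen != len(reply):
        return None
    expected = response_authenticator(rcode, rid, request[4:20], reply[20:rlen], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return None
    return rcode


def demo(secret=b"constructed-shared-secret", passcode=b"1234567890", client_secret=None):
    """Run one round trip; client_secret lets you model a mismatched step-4 secret."""
    client_secret = client_secret or secret

    def verify(user, code):  # assumption: stands in for the ACE server's token check
        return user == b"jdoe" and code == b"1234567890"

    request = build_access_request(b"jdoe", passcode, client_secret, ident=7)
    reply = server_handle(request, secret, verify)
    return client_check_reply(reply, request, client_secret)
```

demo() returns 2 (Access-Accept) for the constructed good passcode, 3 (Access-Reject) for a wrong one, and None when the two sides hold different secrets, which is what a mismatched radius.conf looks like from the PAM module's side: the reply is simply not trusted. The hide_password routine is the part the security note refers to; anyone holding the shared secret and the captured packet recovers the passcode, so the post's reasoning rests on the passcode being single-use.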