Re: using one time passwords with conserver?

Christopher Fowler cfowler@outpostsentinel.com
Sun, 23 Jul 2006 10:27:00 -0700 (PDT)

How does SecurID work with conserver?  Does the console client ask for
the number on the card?

On Sun, 2006-07-23 at 09:03 -0700, Bryan Stansell wrote:
> hmm...well, that's kinda tricky.  the issue is that there are multiple
> conserver processes that the client talks to (the master, then the actual
> one managing the console - in the simplest form).  the client actually
> caches the password so that it can re-authenticate with the extra
> processes without harassing the user.  in your case, you should be
> getting multiple password requests, right?  you'd authenticate with the
> first, conserver would try and re-use the password with the second,
> fail, and then ask for the current password.
>
> removing the need for multiple passwords *might* be possible.  i could
> see removing the need for authenticating against the master
> process...just have it skip password stuff (which means removing a few
> lines of code) and let the user authenticate once against the process
> managing the console.  this would allow folks to gather data...so not
> something i'd do for the general release (well, maybe as an option), but
> you may not like that either.
>
> another possibility is to set up a "console" host that does nothing but
> allow folks to access conserver (it could even be the same box).  when a
> user logs in, instead of a shell, you get a console command that
> attaches to some pre-determined console.  how does this help?  well, you
> turn off all authentication in conserver and can assume that anyone
> attaching has already authenticated with the host, so they should be who
> they say they are.  and, actually, you could create a "noop" console
> that they all fall into by default, and then they just need to use
> "^ec;" to switch to another console.  kinda different, but doable, in my
> opinion.  it's not a 100% solution, but it's close (in addition i'd say
> they should all be "limited" users (in conserver.cf terms), but then you
> wouldn't be able to switch consoles).
>
> aside from that, i'm not sure what else to offer.
>
> Bryan
>
> On Fri, Jul 21, 2006 at 08:28:16AM -0400, Josh Lothian wrote:
> > We're using RSA SecurID fobs here for all sorts of authentication.  We'd
> > like to use them with conserver via PAM.  However, looking at the logs,
> > it seems like conserver is trying to authenticate twice in quick
> > succession.  The first one succeeds, but the second one fails - hence
> > the "one time" password.  Any way to disable this?  
> > 
> > -jkl
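
A small model of the behaviour discussed in this thread, added here as an illustration and not taken from conserver's source or from any poster: a client that caches the first password and replays it to the second process, checked against a backend that accepts each code only once. All class and function names are hypothetical and the token codes are constructed.

```python
class OneTimeBackend:
    """Stand-in for a one-time-password verifier: each code is accepted once."""
    def __init__(self, codes):
        self.unused = set(codes)

    def verify(self, code):
        if code in self.unused:
            self.unused.remove(code)   # the code is burned on first use
            return True
        return False

class Process:
    """One server process the client talks to (master or console manager)."""
    def __init__(self, name, backend, require_auth=True):
        self.name, self.backend, self.require_auth = name, backend, require_auth

def connect(processes, token_codes):
    """Walk a password-caching client through each process in order.
    Returns (number of prompts the user saw, per-process event log)."""
    codes, cached, prompts, log = iter(token_codes), None, 0, []
    for p in processes:
        if not p.require_auth:
            log.append((p.name, "auth skipped"))
            continue
        if cached is not None:
            if p.backend.verify(cached):       # silent re-authentication
                log.append((p.name, "cached ok"))
                continue
            log.append((p.name, "cached rejected"))
        cached = next(codes)                   # user reads a fresh code off the token
        prompts += 1
        ok = p.backend.verify(cached)
        log.append((p.name, "prompt ok" if ok else "prompt failed"))
        if not ok:
            break
    return prompts, log

def demo():
    """Both processes authenticate vs. the master skipping authentication."""
    codes = ["111111", "222222"]               # constructed token codes
    b1 = OneTimeBackend(codes)
    both = connect([Process("master", b1), Process("console", b1)], codes)
    b2 = OneTimeBackend(codes)
    skip = connect([Process("master", b2, require_auth=False),
                    Process("console", b2)], codes)
    return both, skip

if __name__ == "__main__":
    for prompts, log in demo():
        print(prompts, log)
```

In the second scenario the master performs no check at all, so anyone who can reach it can talk to it unauthenticated; the model only counts prompts and does not capture that exposure.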
