SecureID and Linux? 13
mr.smart asks: "I've managed to talk the bosses into letting me use Linux at work, but we use secure id token cards on our e450's and they want me to use them on the Linux boxes, too. The question: is there a way to use SecureID tokens with Linux... is there a PAM module or something? I've been looking around and I haven't found anything... "
expect script for SecurID dialup (Score:1)
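#!/usr/bin/expect -f
##
## Interactive SecurID dial-in helper.  Asks the user which PoP to dial,
## dials it, relays the server's "Login name:" and "Passcode:" prompts to
## the user's terminal, and hands the modem line to pppd once the server
## announces PPP mode.  The passcode (PIN + current tokencode) is typed by
## the user at connect time, so no credential is stored in this file.
##
## NOTE(review): the modem device was elided from the original posting;
## replace PLACEHOLDER_MODEM_DEVICE with the real tty node before use.
set modem "/dev/PLACEHOLDER_MODEM_DEVICE"
set countermax 10   ;# post-connect timeouts tolerated before giving up
set speed 115200    ;# line speed handed to stty for $modem

## help text for user; numbers elided, and a big wodge of other PoPs removed
send_user "\n"
send_user "PoP DIAL-IN NUMBERS:\n"
send_user "\n"
send_user "Toll-free: UK only: 0800 xxx xxxx/xxxx\nUSA only: 800 xxx xxx\n"
send_user "Pay: UK: +44 (0)20 7 xxxxxxx/xxxxxxx New York: +1 212 xxx xxxx/xxxx\n"
send_user "\n"
send_user " +----------+\n"
send_user " SHORT-CUTS: | 1 | -- UK toll-free numbers\n"
send_user " +----------+\n"
send_user " | 2 3 | -- UK pay\n"
send_user " +----------+\n"
send_user "\n"
send_user "Enter a shortcut or a number to dial:\n> "

## Wait indefinitely for the user's choice.  Shortcuts map to the fixed
## numbers below; anything else is taken literally as the number to dial.
set timeout -1
expect_user {
    -re "^0?\n" {
        # empty line or "0": UK toll-free (the default)
        set dialup 0800-xxx-xxxx
    }
    -re "^1\n" {
        # UK toll-free
        set dialup 0800-xxx-xxxx
    }
    -re "^2\n" {
        # UK pay
        set dialup 020-7-xxxxxxx
    }
    -re "^3\n" {
        # UK pay
        set dialup 020-7-xxxxxxx
    }
    -re "(.*)\n" {
        # Use the captured group rather than expect_out(buffer), which
        # would carry the trailing newline into the ATDT string.
        set dialup $expect_out(1,string)
    }
}

set timeout 60
send_user "Using PoP dial-in: $dialup\n"
send_user "Dialling: "
## Put the modem line into raw mode with no echo, then talk to it through
## a spawned file handle.
#system "setserial -av $modem autoconfig"
system "stty $speed -echoe -echo raw $modem"
spawn -noecho -open [open $modem "r+"]
send "AT\r"
expect "OK"
#send "ATS10=255&F&C1&D2&K3W1\r"
#expect "OK"
#send "ATM1L3S7=60S11=55S0=0\r"
#expect "OK"
send "ATDT $dialup\r"

## Main dialogue with the modem and the remote server.  still_connecting is
## cleared once CONNECT is seen; until then timeouts are not counted.
set timeout 30
set counter 0
set still_connecting 1
expect {
    -re ".*CONNECT.*(\r|\n)" {
        set timeout 2
        set still_connecting 0
        sleep 1
        send "\r"
        exp_continue
    }
    -re "BUSY" {
        send_user " BUSY: try again later, or try a different number.\n"
        exit
    }
    -re "VOICE" {
        send_user " VOICE: aborting.\n"
        exit
    }
    -re ".*NO.*CARRIER" {
        send_user " NO CARRIER: aborting.\n"
        exit
    }
    -re ".*NO.*DIAL.*TONE" {
        send_user " no dialtone: aborting.\n"
        exit
    }
    -re "Login name:" {
        # The login name is typed by the user; echo may stay on.
        set timeout -1
        expect_user -re "(.*)\n"
        send "$expect_out(1,string)\r"
        set timeout 5
        exp_continue
    }
    -re "Passcode:" {
        # The passcode is PIN + current tokencode.  Disable echo on the
        # user's terminal while it is typed so it is not left on screen
        # (expect's stty acts on /dev/tty when not redirected).
        set timeout -1
        stty -echo
        expect_user -re "(.*)\n"
        stty echo
        send_user "\n"
        send "$expect_out(1,string)\r"
        set timeout 30
        exp_continue
    }
    -re "Entering PPP Mode\." {
        # Server is switching to PPP; leave the loop and start pppd.
        sleep 3
    }
    timeout {
        if { $still_connecting > 0 } {
            send_user "Still trying to connect...\n"
            exp_continue
        }
        incr counter
        send_user "Timeout number $counter of $countermax.\n"
        send "\r"
        # ">=" so that exactly countermax timeouts are allowed, matching
        # the "N of countermax" message printed above.
        if { $counter >= $countermax } {
            send_user "Giving up.\n"
            exit
        } else {
            send_user "... "
            exp_continue
        }
    }
}
send_user "Running pppd...\n"
## NOTE(review): the pppd command line was truncated in the posting; only
## "overlay -0" and "call db" survived.  The fd arguments follow the form
## used by the other script on this page; insert the real pppd options
## (PPPD_OPTIONS_PLACEHOLDER) between "pppd" and "call db" before use.
overlay -0 $spawn_id -1 $spawn_id pppd call db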
--
W.A.S.T.E.
possibly TACACS, Radius gateway (Score:1)
Re:What terminal window? (Score:1)
What terminal window? (Score:1)
Of course this assumes that he wants to use Linux as his home dialup machine. Since the question referred to using SecureID on Sun 450s and mentions PAM, I doubt this is the case. He's probably asking how to get Linux to require SecureID logins. In this case Linux _is_ the server and it does need to be able to validate SecureID passwords.
I've got a telnet solution, not an X solution.... (Score:1)
Re:Just need a enhanced PPP authentication script (Score:1)
- Mike
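#!/usr/bin/expect -f
#
# This script was written by Jim Isaacson . It is
# designed to work as a script to use the SecureCARD(tm) device. This
# little device is mated with a central controller. The number displayed
# on this card changes every so often and you need to enter the number
# along with your user account name in order to gain access. Since chat
# is based upon fixed strings this procedure will not work with chat.
#
# It is included by permission. An excellent reference for the expect
# program used by this script is in the book:
#
# "Exploring Expect"
# by Don Libes
# Published by O'Reilly and Associates
#
# Flow: dial, answer the server's username / passcode prompts (the passcode
# is typed by the user each time, because it changes with the token), send
# "ppp" at the Command: prompt, then hand the line to pppd.
#
send_user "hello, starting ppp\n"
#
# These are the parameters for the program.  Replace the PLACEHOLDER_*
# values with site settings.  No password is kept in this file: the
# passcode is read from the terminal when the server asks for it.
#
set user myname
set modem "/dev/PLACEHOLDER_MODEM_DEVICE"
set dialup "PLACEHOLDER_PHONE_NUMBER"
set countermax 8   ;# post-connect timeouts tolerated before giving up
set timeout 60
# Raw mode, no echo on the modem line.  Needs $modem, so it comes after the
# parameters; the posted version had this line cut short.
system "stty 57600 -echoe -echo raw $modem"
spawn -noecho -open [open $modem "r+"]
send "AT\r"
expect "OK"
send "ATDT $dialup\r"
# still_connecting is cleared once CONNECT is seen; until then timeouts
# are not counted against countermax.
set timeout 15
set counter 0
set still_connecting 1
expect {
    -re ".*CONNECT.*(\r|\n)" {
        set timeout 5
        set still_connecting 0
        exp_continue
    }
# -re ".*NO.*CARRIER" {
# send_user "Failed to Connect (1), exiting...\n"
# exit
# }
    -re ".*NO.*DIAL.*TONE" {
        send_user "Failed to Connect (2), exiting...\n"
        exit
    }
    -re ".*VOICE" {
        send_user "Failed to Connect (3), exiting...\n"
        exit
    }
    -re ".*sscode:.*\n" {
        # A passcode prompt already followed by a newline is informational;
        # keep waiting for the real prompt.
        exp_continue
    }
    -re ".*sscode:" {
        # Passcode = PIN + current tokencode, typed by the user.  Echo is
        # turned off on the user's terminal (expect's stty acts on /dev/tty
        # when not redirected) so the value is not left visible on screen.
        set timeout -1
        stty -echo
        expect_user -re "(.*)\n"
        stty echo
        send_user "\n"
        send "$expect_out(1,string)\r"
        set timeout 30
        exp_continue
    }
    -re ".*PASSCODE:" {
        # Same handling for servers that upper-case the prompt.
        set timeout -1
        stty -echo
        expect_user -re "(.*)\n"
        stty echo
        send_user "\n"
        send "$expect_out(1,string)\r"
        set timeout 60
        exp_continue
    }
    -re "Your.*" {
        send "\r"
        exp_continue
    }
    -re "Command:" {
        # Selecting ppp ends the dialogue; the loop exits here.
        send "ppp\r"
    }
    -re ".*username:" {
        send "$user\r"
        exp_continue
    }
    timeout {
        if { $still_connecting > 0 } {
            exp_continue
        }
        set timeout 15
        send "\r"
        incr counter
        if { $counter > $countermax } {
            send_user "Cannot Connect\n"
            exit
        } else {
            exp_continue
        }
    }
}
# NOTE(review): the pppd line was split and truncated in the posting: only
# the overlay fd arguments and the trailing pppd options survived, so the
# program name and any device/speed arguments between them are a
# reconstruction (PPPD_OPTIONS_PLACEHOLDER) to be checked before use.
overlay -0 $spawn_id -1 $spawn_id pppd crtscts modem defaultroute debug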
Just need a enhanced PPP authentication script (Score:2)
- Mike
SecurID (Score:2)
a user dials into the remote network using regular ppp dialup, but usually the entire pool of users will use the same username/pass to get in (at our company, it's "user" with no password). At that point, the ppp client will run a script maybe... or at least open a terminal window. It's in this terminal window that you enter your securID ID, followed by your PIN + the code on the securID card at that moment. There's no encryption or anything at all. Theoretically, there doesn't have to be since that number showing on the card is unique to that moment in time. So if anybody DOES sniff it, they've only got a window of a few seconds to try to use it somewhere else. (Only the card's code expires, though; the PIN typed in front of it stays the same, so a capture does give that half away.)
So yes, you certainly CAN use SecureID with Linux. I did it last year with no problem. We dial into old IBM 8235 RAS boxes, but all of them probably act similarly. Look at what scripts may be being called by DUN on your windows-using coworker's machines for hints.
secureID (Score:2)
there is a securid pam module (Score:3)
See http://www.kernel.org/pub/linux/libs/pam/modules.html . On that page there are also links to Radius and TACACS+ PAMs. Additionally http://www.livingston.com/tech/docs/radius/introducing.html talks about radius->securid gateways.
I would use preview if /. didn't cause netscape to crash 40% of the time.