Encryption Security

SecureID and Linux?

mr.smart asks: "I've managed to talk the bosses into letting me use Linux at work, but we use secure id token cards on our E450s and they want me to use them on the Linux boxes, too. The question: is there a way to use SecureID tokens with Linux... is there a PAM module or something? I've been looking around and I haven't found anything... "
  • I use this script to dial up to work with a SecurID card; it prompts for the number at the appropriate point. I guess I could hook in a little dialog box, but I'm cool with typing into an XTerm. Probably horribly mangled by /., but hey maybe it'll give you some ideas.

    #!/usr/bin/expect -f
    set modem /dev/modem
    set countermax 10
    set speed 115200

    ## help text for user; numbers elided, and a big wodge of other PoPs removed
    send_user "\n"
    send_user "PoP DIAL-IN NUMBERS:\n"
    send_user "\n"
    send_user "Toll-free: UK only: 0800 xxx xxxx/xxxx   USA only: 800 xxx xxx\n"
    send_user "Pay: UK: +44 (0)20 7 xxxxxxx/xxxxxxx   New York: +1 212 xxx xxxx/xxxx\n"
    send_user "\n"
    send_user "  SHORT-CUTS:  1     -- UK toll-free numbers\n"
    send_user "               2, 3  -- UK pay\n"
    send_user "\n"
    send_user "Enter a shortcut or a number to dial:\n> "

    # wait indefinitely for the user's choice
    set timeout -1
    expect_user {
        -re "^0?\n" {
            # empty line or 0: UK toll-free
            set dialup 0800-xxx-xxxx
        }
        -re "^1\n" {
            # UK toll-free
            set dialup 0800-xxx-xxxx
        }
        -re "^2\n" {
            # UK pay
            set dialup 020-7-xxxxxxx
        }
        -re "^3\n" {
            # UK pay
            set dialup 020-7-xxxxxxx
        }
        -re "(.*)\n" {
            # anything else is dialled literally (the captured group leaves out the newline)
            set dialup $expect_out(1,string)
        }
    }

    set timeout 60
    send_user "Using PoP dial-in: $dialup\n"
    send_user "Dialling: "

    #system "setserial -av $modem autoconfig"
    # raw, no-echo line settings on the modem port (GNU stty selects the device with -F)
    system "stty -F $modem $speed -echoe -echo raw"
    spawn -noecho -open [open $modem "r+"]

    send "AT\r"
    expect "OK"
    #send "ATS10=255&F&C1&D2&K3W1\r"
    #expect "OK"
    #send "ATM1L3S7=60S11=55S0=0\r"
    #expect "OK"
    send "ATDT $dialup\r"

    set timeout 30
    set counter 0
    set still_connecting 1

    expect {
        -re ".*CONNECT.*(\r|\n)" {
            # carrier is up: nudge the remote end into showing its login prompt
            set timeout 2
            set still_connecting 0
            sleep 1
            send "\r"
            exp_continue
        }
        -re "BUSY" {
            send_user " BUSY: try again later, or try a different number.\n"
            exit
        }
        -re "VOICE" {
            send_user " VOICE: aborting.\n"
            exit
        }
        -re ".*NO.*CARRIER" {
            send_user " NO CARRIER: aborting.\n"
            exit
        }
        -re ".*NO.*DIAL.*TONE" {
            send_user " no dialtone: aborting.\n"
            exit
        }

        -re "Login name:" {
            # relay the login name typed by the user
            set timeout -1
            expect_user -re "(.*)\n"
            send "$expect_out(1,string)\r"
            set timeout 5
            exp_continue
        }
        -re "Passcode:" {
            # relay the PIN + current SecurID tokencode typed by the user
            set timeout -1
            expect_user -re "(.*)\n"
            send "$expect_out(1,string)\r"
            set timeout 30
            exp_continue
        }
        -re "Entering PPP Mode\\." {
            # authenticated: leave the loop and hand over to pppd
            sleep 3
        }

        timeout {
            if { $still_connecting > 0 } {
                send_user "Still trying to connect...\n"
                exp_continue
            }
            incr counter
            send_user "Timeout number $counter of $countermax.\n"
            send "\r"
            if { $counter > $countermax } {
                send_user "Giving up.\n"
                exit
            } else {
                send_user "... "
                exp_continue
            }
        }
    }

    send_user "Running pppd...\n"
    # replace this process with pppd, attached to the already-open modem session
    overlay -0 /dev/null -1 $spawn_id -2 $spawn_id /usr/sbin/pppd $modem $speed \
        call db


    --
    W.A.S.T.E.
  • It may be possible to set up a TACACS or Radius gateway to the SecurID server and use a linux PAM TACACS or Radius module. Then again, it may not.
  • I'm not quite certain how to do it in a chat script, but if you're using X, there are several utilities you can download that will do this for you. Just go to freshmeat, and search for PPP. Otherwise, if you have KDE, KPPP is pretty good.
  • I thought that the password had to be hard coded into the chat script that you use to call pppd. How do you manage to get it to prompt for input?

    Of course this assumes that he wants to use linux as his home dialup machine. Since the question referred to using SecureID on Sun 450s and mentions PAM I doubt this is the case. He's probably asking how to get Linux to require SecureID logins. In this case Linux _is_ the server and it does need to be able to validate SecureID passwords.
  • If you're just using telnet, you can use the SCO version of sdshell under Linux using IBCS. (I've done this.) Basically, you login authing against /etc/passwd and then sdshell does the secureID auth before kicking off your real shell. Unfortunately, this doesn't work for X....
  • Sorry for the delay. Here's the script.

    - Mike

    #!/usr/bin/expect -f
    #
    # This script was written by Jim Isaacson. It is
    # designed to work as a script to use the SecureCARD(tm) device. This
    # little device is mated with a central controller. The number displayed
    # on this card changes every so often and you need to enter the number
    # along with your user account name in order to gain access. Since chat
    # is based upon fixed strings this procedure will not work with chat.
    #
    # It is included by permission. An excellent reference for the expect
    # program used by this script is in the book:
    #
    # "Exploring Expect"
    # by Don Libes
    # Published by O'Reilly and Associates
    #

    send_user "hello, starting ppp\n"

    #
    # These are the parameters for the program.
    #
    set user myname
    set password xxxxxxx       ;# not used below: the passcode is typed in at the prompt
    set modem /dev/ttyS1
    set speed 57600
    set dialup tphone-number   ;# placeholder for the dial-in number
    set timeout 60

    # raw, no-echo line settings on the modem port (GNU stty selects the device with -F)
    system "stty -F $modem $speed -echoe -echo raw"

    spawn -noecho -open [open $modem "r+"]

    send "AT\r"
    expect "OK"

    send "ATDT $dialup\r"
    set timeout 15
    set counter 0

    set still_connecting 1

    expect {
        -re ".*CONNECT.*(\r|\n)" {
            set timeout 5
            set still_connecting 0
            exp_continue
        }
        # -re ".*NO.*CARRIER" {
        #     send_user "Failed to Connect (1), exiting...\n"
        #     exit
        # }
        -re ".*NO.*DIAL.*TONE" {
            send_user "Failed to Connect (2), exiting...\n"
            exit
        }
        -re ".*VOICE" {
            send_user "Failed to Connect (3), exiting...\n"
            exit
        }
        -re ".*sscode:.*\n" {
            # "Passcode:" followed by more text is only banner output: keep waiting
            exp_continue
        }
        -re ".*sscode:" {
            # "Passcode:" prompt: relay the PIN + current tokencode typed by the user
            set timeout -1
            expect_user -re "(.*)\n"
            send "$expect_out(1,string)\r"
            set timeout 30
            exp_continue
        }
        -re ".*PASSCODE:" {
            set timeout -1
            expect_user -re "(.*)\n"
            send "$expect_out(1,string)\r"
            set timeout 60
            exp_continue
        }
        -re "Your.*" {
            send "\r"
            exp_continue
        }
        -re "Command:" {
            # terminal-server menu: ask for PPP and leave the loop
            send "ppp\r"
        }
        -re ".*username:" {
            send "$user\r"
            exp_continue
        }

        timeout {
            if { $still_connecting > 0 } {
                exp_continue
            }
            set timeout 15
            send "\r"
            incr counter
            if { $counter > 8 } {
                send_user "Cannot Connect\n"
                exit
            } else {
                exp_continue
            }
        }
    }

    # replace this process with pppd, attached to the already-open modem session
    overlay -0 $spawn_id -1 $spawn_id /usr/sbin/pppd $modem $speed \
        crtscts modem defaultroute debug

  • I actually use a SecureID card to access my work machines (looks like a credit card calculator, supplies random 6-digit numbers). It took a bit of hunting through the PPP documentation, but they did have a good example. I can post it or email it to people if that would be helpful. My only complaint with it is that it shows the characters as you type, which is bad since our system has a PIN + SecureID# kind of pairing. It's pretty decent security though... something you know and something you have. Two out of three ain't bad.

    - Mike
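
The on-screen echo of the PIN + tokencode that the post above complains about can be avoided on the user side with expect's built-in stty. The following is an added example, not code from this thread or from either script's author; it assumes the modem session has already been spawned so that $spawn_id is the dial-up connection, exactly as in the scripts posted above.

```tcl
#!/usr/bin/expect -f
# Added example (not from the thread): read the PIN + tokencode with echo off
# and relay it to the remote end. Assumes $spawn_id is already the dial-up
# session, as in the posted scripts.

# Read one line from the keyboard; with echo 0 the typed characters are not
# shown (expect's built-in stty acts on the user's own terminal). The remote
# prompt is already on screen because expect echoes spawned output.
proc read_line {echo} {
    global timeout expect_out
    set saved $timeout
    set timeout -1                ;# wait as long as the user needs
    if {!$echo} { stty -echo }
    expect_user -re "(.*)\n"
    if {!$echo} {
        stty echo
        send_user "\n"            ;# the user's Enter was not echoed either
    }
    set timeout $saved
    return $expect_out(1,string)
}

# A ^C while the passcode is being typed must not leave the terminal with echo off.
trap {stty echo; exit 1} SIGINT

# Only the login-name and passcode branches are shown; CONNECT/BUSY/timeout
# handling is the same as in the scripts above.
expect {
    -re "Login name:" {
        send "[read_line 1]\r"    ;# the login name may be echoed
        exp_continue
    }
    -re "Passcode:" {
        send "[read_line 0]\r"    ;# PIN + tokencode: hidden while typed
        exp_continue
    }
    -re "Entering PPP Mode\\." { }
}
```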

  • Bubbasatan's right. In general, SecurID doesn't require ANYTHING on the client workstation, really. Usually, here's how it works:

    a user dials into the remote network using regular ppp dialup, but usually the entire pool of users will use the same username/pass to get in (at our company, it's "user" with no password). At that point, the ppp client will run a script maybe... or at least open a terminal window. It's in this terminal window that you enter your SecurID ID, followed by your PIN + the code on the SecurID card at that moment. There's no encryption or anything at all. Theoretically, there doesn't have to be since that number showing on the card is unique to that moment in time. So if anybody DOES sniff it, they've only got a window of a few seconds to try to use it somewhere else.

    So yes, you certainly CAN use SecureID with Linux. I did it last year with no problem. We dial into old IBM 8235 RAS boxes, but all of them probably act similarly. Look at what scripts may be being called by DUN on your Windows-using coworkers' machines for hints.
  • I don't think that the SecureID system uses anything special on the client side. The authentication it uses is done entirely on the server side. Any PPP which uses clear text authentication should be able to be authenticated if the server is set for clear text. As far as encrypted authentication, I don't really know what SecurID uses. Basically, you should be able to set up a PPP which sends your userid and SecureID to the dialin box doing the authentication. You might want to script it so that you get a field to put the time-decay token into, but that should really be about it. I don't know what you are using as far as network type goes, but you should at least be able to authenticate to the dialin box. Hope this helps. If you are using something like VPN, it might use the IPSEC stuff. I have some Linux config info for that. If you are interested, post a reply and I'll pass that info along.
  • by embobo (1520) on Friday March 10, 2000 @01:05PM (#1212095)

    See http://www.kernel.org/pub/linux/libs/pam/modules.html . On that page there are also links to Radius and TACACS+ PAMs. Additionally http://www.livingston.com/tech/docs/radius/introducing.html talks about radius->securid gateways.

    I would use preview if /. didn't cause netscape to crash 40% of the time.
