Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia 
PreviousNextUp[Contents] [Index]

    About This Document >>
    Installing SSH Tectia Server >>
    Getting Started >>
    Configuration >>
    Authentication >>
        Server Authentication with Public Keys >>
        Server Authentication with Certificates >>
        User Authentication with Passwords
        User Authentication with Public Keys >>
        User Authentication with Certificates >>
        Host-Based User Authentication >>
        User Authentication with Keyboard-Interactive >>
            Client Configuration
            Server Configuration
            Pluggable Authentication Module (PAM) Submethod
            RSA SecurID Submethod
            RADIUS Submethod
        User Authentication with GSSAPI >>
    Application Tunneling >>
    Troubleshooting >>
    Man Pages
    Advanced Options >>
    Log Messages >>

RSA SecurID Submethod

RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of Keyboard-Interactive authentication.

Please familiarize yourself with the RSA ACE/Server (RSA Authentication Manager) documentation before reading further.

The prerequisite for enabling SecurID support in SSH Tectia Server is that RSA ACE/Agent (RSA Authentication Agent) software (installed also with ACE/Server installation) is installed on the host and that the SecurID user is able to authenticate using the RSA-provided sdshell program on this particular agent host. Note that on RSA ACE/Agent 5.x installations, the RSA-provided ACE/Agent library file is required. The operating-system-specific file can be found on the RSA ACE/Agent Authentication API 5.0.x CD-ROM provided with the RSA ACE/Server 5.0 and 5.1 distributions.

In the instructions below, the /top directory refers to the RSA ACE/Agent installation directory.

RSA SecurID Plugins

The SecurID plugins are automatically installed with the SSH Tectia Server package. No separate installation is necessary.

In order to use the v5 SecurID plugin, the RSA-provided ACE/Agent library file has to be in the library path when the plugin is executed by SSH Tectia Server. A good way to make sure the v5 plugin finds the library is to create a symlink pointing to the library (assuming the library is in /ACEpath/lib/sol/

$ ln -s /ACEpath/lib/sol/ /usr/lib

The location of the library depends on the platform. Refer to your RSA ACE documentation.

Configuring SSH Tectia Server for SecurID Support

The server will allow all users to login using SecurID, when the keyboard-interactive authentication method and its submethod plugin are listed among the authentication methods and the AuthKbdInt.Plugin points to the appropriate plugin executable in the main server configuration file sshd2_config.

To enable RSA SecurID support on the server side, include the following lines in the /etc/ssh2/sshd2_config file:

AllowedAuthentications   keyboard-interactive
AuthKbdInt.Optional      plugin
AuthKbdInt.Plugin        ssh-securidv5-plugin

The lines are valid for RSA ACE/Agent 5. For RSA ACE/Agent 4, the last line should be:

AuthKbdInt.Plugin        ssh-securidv4-plugin

On the client side, include the following line in the /etc/ssh2/ssh2_config file:

AllowedAuthentications   keyboard-interactive

In SSH Tectia Client, keyboard-interactive is allowed by default. Note that the Secure Shell client controls the order in which the authentication methods are attempted. The least interactive method should usually be listed first.

However, SSH Tectia Server controls the order of keyboard-interactive submethods. If several AuthKbdInt.Optional or AuthKbdInt.Required methods are listed in the sshd2_config file, they should be specified in the order you wish the client to attempt them.

Using SSH Tectia Server with the SecurID Plugin

Do the following:

  1. Check that the user's shell is not/<top>/ace/prog/sdshell before you run the sshd2 daemon. This will prevent the user from authenticating twice with SecurID, first when logging in with Secure Shell and a second time when the user is allocated a shell.
  2. Check that the VAR_ACE environment variable is set and points to the directory that contains the sdconf.rec file). The variable has to be set before starting sshd2, and its value is typically /<top>/ace/data.
    # export VAR_ACE=/<top>/ace/data
  3. In case RSA ACE/Agent 5.x is used, ensure that the shared library file libaceclnt is found in the library path (for example, /usr/lib. Alternatively, you could add the directory to your /etc/ on platforms that use it).
  4. Restart the server as instructed in Section Starting the Server.

Note: SSH Communications Security does not provide technical support on how to configure RSA ACE/Server. Our support only covers SSH Tectia applications.

PreviousNextUp[Contents] [Index]

[ Contact Information | Support | Feedback | SSH Home Page | SSH Products ]

Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.
Copyright Notice




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now