[tac_plus] Re: Hi I have the Tac_plus up and running and was wondering if you can point to some documentation on tying secureid into this solution?

john heasley heas at shrubbery.net
Thu Jan 10 22:20:50 UTC 2008


Thu, Jan 10, 2008 at 09:15:51AM -0500, Lambert, David:
> Hi I have the Tac_plus up and running and was wondering if
> you can point to some documentation on tying secureid into this
> solution?

I guess that it was you who I spoke with this morning.  For the mail archives,
the only way to do this is with PAM, since RSA does not release any information
about the protocol(s) used to converse with their daemon.

RSA offers an unsupported (IIRC) securID PAM module.  As long as you're using
an O/S for which RSA has seen fit to make it available, tacacs can be
configured to use PAM for individual users and with the module and appropriate
PAM configuration, those users will be authenticated with securID.

Technically, RSA offers a library that you can get if you sign an NDA with
them.  However, true to their normal behavior, the library is only available
on a few platforms and O/Ses; for example, the last I checked they did not
offer a version for Solaris 10 x86 and certainly not a 64-bit version for
even the Solaris Sparc 64-bit.  Therefore, PAM is a much better solution,
even though RSA may choose to stop supporting it; though unlikely given the
proliferation of PAM.

So, what would be keen is a PAM module that would use tacacs for
authentication.  That would allow machines not supported by RSA to
authenticate via tacacs running on a host that is supported.

