[tac_plus] RSA SecurID / ACE Client

heasley heas at shrubbery.net
Mon Apr 16 22:03:55 UTC 2012


Thu, Apr 05, 2012 at 08:10:49PM -0400, Matt Addison:
> On Thu, Apr 5, 2012 at 16:15, heasley <heas at shrubbery.net> wrote:
> >
> > is there a reason that you chose this direction as opposed to simply
> > using the securid PAM module that they make available [and i presume that
> > they still make it available]?
> 
> In our case we were already using the tac_plus PAM option for
> centralized authentication (LDAP/Kerberos) for user login passwords.
> This patch allows us to use centralized information for login via PAM
> and still use RSA for enable.
> 
> There are also some potentially interesting opportunities with direct
> ACE client integration, such as using the NAS or client IP addresses
> as the authentication source to do additional access restriction and
> logging at the RSA authentication manager (especially if different
> groups are responsible for systems/network). I've POC'd this but have
> not investigated implementing configuration options for it.
> 
> ~Matt

is this commented-out code intentional?

static int
aceclnt_verify(char *name, char *passwd, struct authen_data *data)
{
    struct private_data *p = data->method_data;
    SDI_HANDLE SdiHandle = p->SdiHandle;
    int acmRet;

    data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;

    /*
    if (aceclntverify(aceclntp, passwd) == 0) {
        *//* S/Key authentication succeeded *//*
        data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
        if (aceclntp->n < 5) {
            data->server_msg = tac_strdup("Password will expire soon");
            return(1);
        }
    } */
    acmRet = SD_Check(SdiHandle, passwd, name);
    if (acmRet == ACM_OK)
            data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
    return(0);
}

have you tested enabling with aceclnt?
