[tac_plus] RSA SecurID / ACE Client
heasley
heas at shrubbery.net
Mon Apr 16 22:27:17 UTC 2012
Mon, Apr 16, 2012 at 03:03:55PM -0700, heasley:
> Thu, Apr 05, 2012 at 08:10:49PM -0400, Matt Addison:
> > On Thu, Apr 5, 2012 at 16:15, heasley <heas at shrubbery.net> wrote:
> > >
> > > is there a reason that you chose this direction as opposed to simply
> > > using the securid PAM module that they make available [and i presume that
> > > they still make it available]?
> >
> > In our case we were already using the tac_plus PAM option for
> > centralized authentication (LDAP/Kerberos) for user login passwords.
> > This patch allows us to use centralized information for login via PAM
> > and still use RSA for enable.
> >
> > There are also some potentially interesting opportunities with direct
> > ACE client integration, such as using the NAS or client IP addresses
> > as the authentication source to do additional access restriction and
> > logging at the RSA authentication manager (especially if different
> > groups are responsible for systems/network). I've POC'd this but have
> > not investigated implementing configuration options for it.
> >
> > ~Matt
>
> is this commented-out code intentional?
>
> static int
> aceclnt_verify(char *name, char *passwd, struct authen_data *data)
> {
>     struct private_data *p = data->method_data;
>     SDI_HANDLE SdiHandle = p->SdiHandle;
>     int acmRet;
>
>     data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
>
>     /*
>     if (aceclntverify(aceclntp, passwd) == 0) {
>         *//* S/Key authentication succeeded *//*
>         data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
>         if (aceclntp->n < 5) {
>             data->server_msg = tac_strdup("Password will expire soon");
>             return(1);
>         }
>     } */
>     acmRet = SD_Check(SdiHandle, passwd, name);
>     if (acmRet == ACM_OK)
>         data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
>     return(0);
> }
>
> have you tested enabling with aceclnt?
also, is there not a library to link with that you have missed in Makefile.am?