Keyboard-interactive is a generic authentication method that can be used to implement different types of authentication mechanisms. Any currently supported authentication method that requires only the user's input can be performed with keyboard-interactive.
Currently, the following keyboard-interactive submethods are supported:
password
PAM (Unix only, see note below)
RSA SecurID
RADIUS
Methods that require passing some binary information, such as public-key authentication, cannot be used as submethods of keyboard-interactive. But public-key authentication, for example, can be used as an additional method alongside keyboard-interactive authentication.
Note | |
---|---|
PAM has support also for binary messages and client-side agents, but those cannot be supported with keyboard-interactive. |
The client cannot request any specific keyboard-interactive submethod if the server allows several optional submethods. The order in which the submethods are offered depends on the server configuration. However, if the server allows, for example, the two optional submethods SecurID and password, the user can skip SecurID by pressing Enter when SecurID is offered by the server. The user will then be prompted for a password.
On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.
Password authentication can also be used over keyboard-interactive.
The following example shows settings for allowing keyboard-interactive
authentication using the password submethod in the
ssh-server-config.xml
file:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive max-tries="3" failure-delay="2"> <submethod-password /> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
Pluggable Authentication Module is an authentication framework used in Unix systems. In SSH Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.
When PAM is used, SSH Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Tectia Server whether or not the authentication was successful. SSH Tectia Server is not aware of the details of the actual authentication method employed by PAM, only the final result is of interest.
The PAM authentication can be enabled by creating a PAM configuration
for the service ssh-server-g3
. For information on how to do
PAM session and account management irrespective of the authentication
methods used, see the configuration element description for
pluggable-authentication-modules.
In addition, you can define separate authentication blocks with
specific PAM settings (in element <submethod-pam>
)
which will override the PAM defaults for that particular authentication
block.
It is possible to configure the user session management and the
authentication to use different services for PAM authentication. This is
done by defining different services in the service-name
attribute in the pluggable-authentication-modules
element
and in the submethod-pam
element.
SSH Tectia Server expects to find the PAM libraries in the default paths of the supported operating systems. You need to define the PAM libraries in the server configuration only if they are used from non-default locations.
The following configuration example shows the PAM authentication
related settings in the ssh-server-config.xml
file.
<authentication-methods>
<authentication action="allow">
<auth-keyboard-interactive>
<submethod-pam
service-name="sshd2"
dll-path="path-to-pam-dll
" />
</auth-keyboard-interactive>
...
</authentication>
</authentication-methods>
Note | |
---|---|
SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Tectia applications. |
The following are examples of the PAM configurations on different platforms.
Please note that these are just examples and need to be modified according to the actual server configuration.
PAM on Red Hat Linux
On Red Hat Linux 5, add PAM configuration file
/etc/pam.d/ssh-server-g3
with contents:
auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
When the PAM library is used from the default path, the PAM definitions
in the SSH Tectia Server configuration file ssh-server-config.xml
can be
simply as follows:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive > <submethod-pam /> </auth-keyboard-interactive > ... </authentication> </authentication-methods>
PAM on SUSE Linux
On SUSE Linux Enterprise Server 10 (both 32- and 64-bit versions) the
default configuration settings are suitable for most PAM authentications.
You can add file /etc/pam.d/ssh-server-g3
with contents:
auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session
The following example configuration in
ssh-server-config.xml
enables PAM session and account
management with the service sshd2
(instead of the default
ssh-server-g3
). The authentication submethod PAM is
configured to use service ssh-server-g3
. The PAM library is
used from the default path.
<params> <pluggable-authentication-modules service-name="sshd2" pam-calls-with-commands="yes" /> </params> <!-- ... --> <authentication-methods> <authentication action="allow" name="allow-default"> <auth-keyboard-interactive> <submethod-pam service-name="ssh-server-g3"/> </auth-keyboard-interactive> </authentication> </authentication-methods>
PAM on Sun Solaris
On Solaris version 10, add the /etc/pam.conf
entry with contents:
ssh-server-g3 auth requisite pam_authtok_get.so.1 ssh-server-g3 auth required pam_dhkeys.so.1 ssh-server-g3 auth required pam_unix_cred.so.1 ssh-server-g3 auth required pam_unix_auth.so.1 ssh-server-g3 account requisite pam_roles.so.1 ssh-server-g3 account required pam_unix_account.so.1 ssh-server-g3 session required pam_unix_session.so.1 ssh-server-g3 password required pam_dhkeys.so.1 ssh-server-g3 password requisite pam_authtok_get.so.1 ssh-server-g3 password requisite pam_authtok_check.so.1 ssh-server-g3 password required pam_authtok_store.so.1
If the PAM library is used from a path different than the operating
system default, the path must be specified in the SSH Tectia Server configuration file
ssh-server-config.xml
both in the
pluggable-authentication-modules
and in the
submethod-pam
element with the dll-path
attribute. For example:
<params> <pluggable-authentication-modules dll-path="path-to-pam-dll
" pam-calls-with-commands="yes" /> </params> <authentication-methods> <authentication action="allow" name="allow-default"> <auth-keyboard-interactive> <submethod-pam dll-path="path-to-pam-dll
" /> </auth-keyboard-interactive> </authentication> </authentication-methods>
Note | |
---|---|
On Solaris, the account lockout setting LOCK_AFTER_RETRIES in
|
PAM on AIX
On AIX 5.2 version, add file /etc/pam.conf
with contents:
ssh-server-g3 auth required /usr/lib/security/pam_aix ssh-server-g3 account required /usr/lib/security/pam_aix ssh-server-g3 session required /usr/lib/security/pam_aix ssh-server-g3 password required /usr/lib/security/pam_aix
PAM Used with LDAP on Red Hat Linux
The following is an example on how to configure PAM to use LDAP authentication on a Red Hat Linux machine. Before trying this setup, verify that PAM works for local accounts. Modify the example settings according to your LDAP server configuration.
In file /etc/pam.d/ssh-server-g3
, add the following settings:
auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
In file /etc/nsswitch.conf
, add the following settings:
passwd: files ldap shadow: files ldap group: files ldap
In file /etc/ldap.conf
, add the following settings:
host ldapserver.company.com base dc=company,dc=com ldap_version 3 port 389 scope one pam_min_uid 10000 pam_max_uid 20000 nss_base_passwd ou=accounts,dc=company,dc=com?one nss_base_shadow ou=accounts,dc=company,dc=com?one nss_base_group ou=groups,dc=company,dc=com?one ssl no pam_password md5
RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication.
The prerequisite for enabling SecurID support in SSH Tectia Server is that RSA Authentication Agent software (previously RSA ACE/Agent) is installed on the server host. When RSA SecurID is used, SSH Tectia Server queries the user for the token's numerical code and passes the code to RSA Authentication Agent for verification. RSA Authentication Agent then returns the success or failure of the authentication to SSH Tectia Server.
RSA SecurID authentication provides two different authentication agents/:
The SSH Tectia Server configuration needs different settings depending on which RSA Authentication Agent is used. For configuration examples, see Configuring RSA Authentication Agent for Unix and Configuring RSA Authentication Agent for PAM.
To use SecurID authentication, you should be familiar with the operation of RSA Authentication Manager (previously RSA ACE/Server).
For the SecurID authentication to work with SSH Tectia Server on Unix, the
RSA Authentication Agent libaceclnt.so
library has to be available in the
/usr/lib
directory (alternatively /user/ace/lib
or
/opt/ace/lib
).
The following example shows the settings required in the
ssh-server-config.xml
file for keyboard-interactive
authentication using the SecurID submethod:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive max-tries="3" failure-delay="2"> <submethod-securid /> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
Giving the dll-path
attribute is not required. SSH Tectia Server
locates the libraries automatically.
When you want to use keyboard-interactive authentication using the RSA
Authentication Agent for PAM, make the following settings in the
ssh-server-config.xml
file:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive> <submethod-pam /> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
In addition, create a symlink for libpam
as follows:
ln -s /lib/libpam.so.0 /lib/libpam.so
Create the /etc/pam.d/ssh-server-g3
file containing:
auth required /lib/security/pam_securid.so acccount required /lib/security/pam_pwdb.so session required /lib/security/pam_pwdb.so
For more information, see the separate RSA SecurID Ready Implementation Guide for SSH Tectia, available from the RSA web site (http://www.rsasecured.com/).
Note | |
---|---|
SSH Communications Security does not provide technical support on how to configure RSA Authentication Manager (RSA ACE/Server). Our support only covers SSH Tectia applications. |
RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In SSH Tectia, RADIUS is implemented as a submethod of keyboard-interactive authentication.
When using RADIUS authentication, SSH Tectia Server first asks the user's password and then sends it along with the user name to the RADIUS server (PAP authentication). Multiple RADIUS servers can be configured, and these will be queried in turn in case some of them are unreachable.
The supported RADIUS servers are Microsoft IAS (Internet Authentication Service) and FreeRADIUS.
The following example shows settings for keyboard-interactive
authentication using the RADIUS submethod in the
ssh-server-config.xml
file:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive max-tries="3" failure-delay="2"> <submethod-radius> <radius-server address="10.1.61.128" port="1812" client-nas-identifier="nasid"> <radius-shared-secret file="&configdir;/radius-secret-file" /> </radius-server> </submethod-radius> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.
Notice that enforcing password changing does not work with RADIUS.
A common cause of problems in RADIUS authentication is that the shared secret is corrupted. For example, extra newline characters or spaces in the shared secret file can cause the authentication to fail. Make sure the same shared secret is configured on SSH Tectia Server and the network access server (NAS).
Note | |
---|---|
SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers SSH Tectia applications. For information on configuring FreeRADIUS, see for example, http://www.freeradius.org/. For information on configuring Microsoft IAS, see its documentation. |
When using RADIUS authentication to log on to a Windows server that
belongs to a domain, you have to give the user name prefixed with the machine
name, for example MACHINE\user
(instead of user
).
This is because RADIUS authentication uses local accounts, and SSH Tectia Server that
is installed on a Windows domain machine assumes that user
accounts given without a prefix are domain accounts.
If SSH Tectia Server is installed on a stand-alone machine, you can use both
notations with RADIUS authentication (MACHINE\user
and
user
).
For more information about user accounts on Windows, see User Logon Rights on Windows.