SSH
Home Prev Up Next  

User Authentication with Keyboard-Interactive

Password Submethod
Pluggable Authentication Module (PAM) Submethod
RSA SecurID Submethod
RADIUS Submethod
LAM Submethod on AIX

Keyboard-interactive is a generic authentication method that can be used to implement different types of authentication mechanisms. Any currently supported authentication method that requires only the user's input can be performed with keyboard-interactive.

Currently, the following keyboard-interactive submethods are supported:

Methods that require passing some binary information, such as public-key authentication, cannot be used as submethods of keyboard-interactive. But public-key authentication, for example, can be used as an additional method alongside keyboard-interactive authentication.

[Note]Note

PAM has support also for binary messages and client-side agents, but those cannot be supported with keyboard-interactive.

The client cannot request any specific keyboard-interactive submethod if the server allows several optional submethods. The order in which the submethods are offered depends on the server configuration. The server can be configured to allow, for example, the two optional submethods SecurID and password, and then the user can skip SecurID by pressing Enter when the server asks for a SecurID. The user will then be prompted for a password.

Using the Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.

Password Submethod

Password authentication can also be used over keyboard-interactive.

The following example shows settings for allowing keyboard-interactive authentication using the password submethod in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-password />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

Pluggable Authentication Module (PAM) Submethod

Pluggable Authentication Module is an authentication framework used in Unix systems. In Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.

When PAM is used, Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells Tectia Server whether or not the authentication was successful. Tectia Server is not aware of the details of the actual authentication method employed by PAM, only the final result is of interest.

The PAM authentication can be enabled by creating a PAM configuration for the service ssh-server-g3. For information on how to do PAM session and account management irrespective of the authentication methods used, see the configuration element description for pluggable-authentication-modules .

In addition, you can define separate authentication blocks with specific PAM settings (in element <submethod-pam>) which will override the PAM defaults for that particular authentication block.

It is possible to configure the user session management and the authentication to use different services for PAM authentication. This is done by defining different services in the service-name attribute in the pluggable-authentication-modules element and in the submethod-pam element.

Tectia Server expects to find the PAM libraries in the default paths of the supported operating systems. You need to define the PAM libraries in the server configuration only if they are used from non-default locations.

The following configuration example shows the PAM authentication related settings in the ssh-server-config.xml file. 

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive>
      <submethod-pam 
         service-name="sshd2" 
         dll-path="path-to-pam-dll" />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>
[Note]Note

SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers Tectia applications.

PAM Examples

The following are examples of the PAM configurations on different platforms.

Please note that these are just examples and need to be modified according to the actual server configuration.

PAM on Red Hat Linux

On Red Hat Linux 5, add PAM configuration file /etc/pam.d/ssh-server-g3 with contents:

auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

When the PAM library is used from the default path, the PAM definitions in the Tectia Server configuration file ssh-server-config.xml can be simply as follows:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive >
        <submethod-pam />
   </auth-keyboard-interactive >
  ...
  </authentication>
</authentication-methods>
PAM on SUSE Linux

On SUSE Linux Enterprise Server 10 (both 32- and 64-bit versions) the default configuration settings are suitable for most PAM authentications. You can add file /etc/pam.d/ssh-server-g3 with contents:

auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session

The following example configuration in ssh-server-config.xml enables PAM session and account management with the service sshd2 (instead of the default ssh-server-g3). The authentication submethod PAM is configured to use service ssh-server-g3. The PAM library is used from the default path.

<params>
  <pluggable-authentication-modules
            service-name="sshd2" 
            pam-calls-with-commands="yes" />
</params>
         <!-- ... -->
<authentication-methods>
  <authentication action="allow" name="allow-default">
    <auth-keyboard-interactive>
      <submethod-pam service-name="ssh-server-g3"/>
    </auth-keyboard-interactive>
  </authentication>
</authentication-methods>
PAM on AIX

On AIX, the PAM library is able to recognize whether the calling application is 32- or 64-bit and then substitute the correct path to load modules if full path has not been specified in the /etc/pam.conf file. If the pam.conf file has the following specified for ssh-server-g3, it should work with both Tectia Server versions 6.1 and 6.2:

ssh-server-g3 auth     required pam_aix
ssh-server-g3 account  required pam_aix
ssh-server-g3 password required pam_aix
ssh-server-g3 session  required pam_aix
[Note]Note

If PAM authentication is in use and you are updgrading to Tectia Server 7.0, which is a 64-bit version, note that if the full path is set in the pam.conf, it points to 32-bit PAM modules for Tectia Server.

PAM on Oracle Solaris

On Solaris versions 10 and 11, add the /etc/pam.conf entry with contents:

ssh-server-g3   auth requisite          pam_authtok_get.so.1
ssh-server-g3   auth required           pam_dhkeys.so.1
ssh-server-g3   auth required           pam_unix_cred.so.1
ssh-server-g3   auth required           pam_unix_auth.so.1
ssh-server-g3   account requisite       pam_roles.so.1
ssh-server-g3   account required        pam_unix_account.so.1
ssh-server-g3   session required        pam_unix_session.so.1
ssh-server-g3   password required       pam_dhkeys.so.1
ssh-server-g3   password requisite      pam_authtok_get.so.1
ssh-server-g3   password requisite      pam_authtok_check.so.1
ssh-server-g3   password required       pam_authtok_store.so.1

If the PAM library is used from a path different than the operating system default, the path must be specified in the Tectia Server configuration file ssh-server-config.xml both in the pluggable-authentication-modules and in the submethod-pam element with the dll-path attribute. For example:

<params>
  <pluggable-authentication-modules
            dll-path="path-to-pam-dll"
            pam-calls-with-commands="yes" />
</params>
         
<authentication-methods>
  <authentication action="allow" name="allow-default">
    <auth-keyboard-interactive>
      <submethod-pam dll-path="path-to-pam-dll" />
    </auth-keyboard-interactive>
  </authentication>
</authentication-methods>
[Note]Note

On Solaris, the account lockout setting LOCK_AFTER_RETRIES in /etc/security/policy.conf only applies if keyboard interactive authentication is used with PAM. Other types of authentication methods do not increment the retries count.

PAM Used with LDAP on Red Hat Linux

The following is an example on how to configure PAM to use LDAP authentication on a Red Hat Linux machine. Before trying this setup, verify that PAM works for local accounts. Modify the example settings according to your LDAP server configuration.

In file /etc/pam.d/ssh-server-g3, add the following settings:

auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so

In file /etc/nsswitch.conf, add the following settings:

passwd: files ldap
shadow: files ldap
group: files ldap

In file /etc/ldap.conf, add the following settings:

host ldapserver.company.com
base dc=company,dc=com
ldap_version 3
port 389
scope one
pam_min_uid 10000
pam_max_uid 20000
nss_base_passwd ou=accounts,dc=company,dc=com?one
nss_base_shadow ou=accounts,dc=company,dc=com?one
nss_base_group ou=groups,dc=company,dc=com?one
ssl no
pam_password md5

RSA SecurID Submethod

RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication.

The prerequisite for enabling SecurID support in Tectia Server is that RSA Authentication Agent software (previously RSA ACE/Agent) is installed on the server host.

[Note]Note

To enable SecurID support in Tectia Server on a 64-bit Windows server host, do the following:

  1. Install the 32-bit RSA Authentication Agent on a 32-bit Windows system.

  2. Copy the aceclnt.dll and sdmsg.dll files from the C:\Program Files\Common Files\RSA Shared\Auth Data directory and place the files on the 64-bit Windows server host in the C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server directory with the sdconf.rec file from the RSA Authentication Manager.

  3. Add C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server in the System Path of the Windows Environment Variables.

When RSA SecurID is used, Tectia Server queries the user for the token's numerical code and passes the code to RSA Authentication Agent for verification. RSA Authentication Agent then returns the success or failure of the authentication to Tectia Server.

RSA SecurID authentication provides two different authentication agents/:

  • RSA Authentication Agent for PAM (versions 5.3.4 and 6.0.0)
  • RSA Authentication Agent for UNIX (version 5.2 )

The Tectia Server configuration needs different settings depending on which RSA Authentication Agent is used. For configuration examples, see Configuring RSA Authentication Agent for Unix and Configuring RSA Authentication Agent for PAM.

To use SecurID authentication, you should be familiar with the operation of RSA Authentication Manager (previously RSA ACE/Server).

Configuring RSA Authentication Agent for Unix

For the SecurID authentication to work with Tectia Server on Unix, the RSA Authentication Agent libaceclnt.so library has to be available in the /usr/lib directory (alternatively /user/ace/lib or /opt/ace/lib).

The following example shows the settings required in the ssh-server-config.xml file for keyboard-interactive authentication using the SecurID submethod:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-securid />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

Giving the dll-path attribute is not required. Tectia Server locates the libraries automatically.

Configuring RSA Authentication Agent for PAM

When you want to use keyboard-interactive authentication using the RSA Authentication Agent for PAM, make the following settings in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive>
      <submethod-pam />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

In addition, create a symlink for libpam as follows:

ln -s /lib/libpam.so.0 /lib/libpam.so

Create the /etc/pam.d/ssh-server-g3 file containing:

auth     required  /lib/security/pam_securid.so
acccount required  /lib/security/pam_pwdb.so
session  required  /lib/security/pam_pwdb.so

For more information, see the separate RSA SecurID Ready Implementation Guide for Tectia, available from the RSA web site (http://www.rsasecured.com/).

[Note]Note

SSH Communications Security does not provide technical support on how to configure RSA Authentication Manager (RSA ACE/Server). Our support only covers Tectia applications.

RADIUS Submethod

RADIUS (Remote Authentication Dial-In User Service) is a protocol for checking a user's authentication and authorization information from a remote server. It was originally intended for authenticating dial-in users, but is also suitable for use with Secure Shell. In Tectia, RADIUS is implemented as a submethod of keyboard-interactive authentication.

When using RADIUS authentication, Tectia Server first asks the user's password and then sends it along with the user name to the RADIUS server (PAP authentication). Multiple RADIUS servers can be configured, and these will be queried in turn in case some of them are unreachable.

The supported RADIUS servers are Microsoft IAS (Internet Authentication Service) and FreeRADIUS.

The following example shows settings for keyboard-interactive authentication using the RADIUS submethod in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-radius>
        <radius-server address="10.1.61.128" 
                       port="1812" 
                       client-nas-identifier="nasid">
          <radius-shared-secret file="&configdir;/radius-secret-file" />
        </radius-server>
      </submethod-radius>
   </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

Using the Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.

Notice that enforcing password changing does not work with RADIUS.

A common cause of problems in RADIUS authentication is that the shared secret is corrupted. For example, extra newline characters or spaces in the shared secret file can cause the authentication to fail. Make sure the same shared secret is configured on Tectia Server and the network access server (NAS).

[Note]Note

SSH Communications Security does not provide technical support on how to configure RADIUS. Our support only covers Tectia applications.

For information on configuring FreeRADIUS, see for example, http://www.freeradius.org/. For information on configuring Microsoft IAS, see its documentation.

Special Considerations on Windows

When using RADIUS authentication to log on to a Windows server that belongs to a domain, you have to give the user name prefixed with the machine name, for example MACHINE\user (instead of user). This is because RADIUS authentication uses local accounts, and Tectia Server that is installed on a Windows domain machine assumes that user accounts given without a prefix are domain accounts.

If Tectia Server is installed on a stand-alone machine, you can use both notations with RADIUS authentication (MACHINE\user and user).

For more information about user accounts on Windows, see User Logon Rights on Windows.

LAM Submethod on AIX

AIX systems use the Loadable Authentication Module (LAM) as their default subsystem for providing the identification and authentication facilities. In Tectia Server, support for LAM can be enabled as a submethod of keyboard-interactive authentication which uses an AIX-LAM plugin.

When LAM is used, Tectia Server transfers the control of authentication to the LAM library, and expects in return information on whether the user authentication was successful or not. Tectia Server does not need to be aware of the details of the actual authentication methods employed by LAM, it only reacts to the returned authentication success result.

The AIX-LAM plugin can also be enabled to request password changing in case the user password has expired. To enable LAM on Tectia Server running on AIX, and to allow also changing of the password, use the following settings in configuration file ssh-server-config.xml:

<authentication-methods>
      <authentication name="authentication">
        <auth-keyboard-interactive >
           <submethod-aix-lam enable-password-change="yes" />
        </auth-keyboard-interactive >
      </authentication>
</authentication-methods>
Home Prev Up Next  

Copyright © 2025 SSH Communications Security Corporation
This software is protected by international copyright laws. All rights reserved.
Contact Information