Tuesday, May 10, 2005

SecurID authentication for OpenBSD for SSH and Apache

Just because OpenBSD is a "secure" platform is no excuse not to harden it further with strong (two-factor) authentication. SecurID can be integrated with OpenBSD even though RSA has not released a binary build of its ACE client libraries for any OpenBSD hardware platform.


I normally use S/Key with RMD160 as a one-time-password solution for access to OpenBSD. This has the advantage of being integrated into OpenBSD (at least on the i386 platform, there are still bugs with S/Key on Sparc64), but my less paranoid cow-orkers do not want to carry around a Zaurus or "cheat sheet" just so they can log into a web server. But they already have company issued SecurID tokens...


Lacking pam_securid for my platform, I use OpenBSD's stock login_radius for SSH and console logins, and link mod_auth_radius into the default hardened Apache included with OpenBSD. And then, because I'm paranoid, I run it all under systrace.


mod_auth_radius works correctly with one-time passwords, including SecurID, because the module sends the "password" (PIN plus tokencode) to the RADIUS server only once, when you first authenticate. After a successful RADIUS authentication, mod_auth_radius returns a hashed, time-limited cookie to the client. As long as the client returns that cookie with each request and the cookie is valid (not expired, hash intact, etc.), mod_auth_radius does not re-prompt for credentials, so the already-consumed tokencode is never replayed to RADIUS.


There are three cases with mod_auth_radius where it might prompt again for authentication:


  1. The cookie has expired, or otherwise doesn't check out as valid.
  2. The client is not accepting and returning the cookie.
  3. mod_auth_radius has an odd interaction with Apache that depends on how you reach the first "protected" page. It shows up most often when the first protected URL you request ends in / and has to be resolved via DirectoryIndex, or when an unprotected page embeds protected images (each image request arrives before the browser has a cookie, so each one triggers its own authentication).

The solution I chose to work around the DirectoryIndex problem was to have the main index page for the site (e.g. http://mysite.com/) contain a "login" link that points to http://mysite.com/protected/index.html.
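To make the cookie mechanism and the three re-prompt cases concrete, here is an added example (not code from this post and not mod_auth_radius's own implementation) that models the behaviour described above: a stand-in RADIUS backend that accepts each tokencode once, and a gate that issues a signed, time-limited cookie after the first successful authentication and trusts the cookie thereafter. The cookie layout, HMAC-SHA256 signing, the user table and the fixed clock are all this example's assumptions; the real module's cookie format differs.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple


class FakeRadiusOtpBackend:
    """Stand-in for the RADIUS/ACE server (assumption): each tokencode is
    accepted at most once, as with a real SecurID token. The user table is
    constructed for this example."""

    def __init__(self, valid: dict):
        self.valid = valid      # user -> set of currently valid tokencodes
        self.used = set()       # (user, tokencode) pairs already consumed
        self.calls = 0          # number of Access-Requests sent

    def access_request(self, user: str, tokencode: str) -> bool:
        self.calls += 1
        if (user, tokencode) in self.used:
            return False        # replayed one-time code: Access-Reject
        if tokencode in self.valid.get(user, ()):
            self.used.add((user, tokencode))
            return True
        return False


class CookieGate:
    """Models what mod_auth_radius does after a successful RADIUS exchange:
    hand the browser a signed, time-limited cookie and trust it instead of
    re-sending the (now burnt) tokencode. Cookie layout and HMAC-SHA256 are
    this example's choices, not the module's actual format."""

    def __init__(self, radius, secret: bytes, ttl: int = 600, clock=time.time):
        self.radius = radius
        self.secret = secret
        self.ttl = ttl          # seconds the cookie stays valid
        self.clock = clock      # injectable so expiry can be tested offline

    def _mac(self, user: str, expiry: int) -> str:
        return hmac.new(self.secret, f"{user}:{expiry}".encode(),
                        hashlib.sha256).hexdigest()

    def issue(self, user: str) -> str:
        expiry = int(self.clock()) + self.ttl
        return f"{user}:{expiry}:{self._mac(user, expiry)}"

    def check(self, cookie: Optional[str]) -> Tuple[bool, str]:
        if not cookie:
            return False, "no cookie"        # case 2: client not returning it
        try:
            user, exp_s, mac = cookie.rsplit(":", 2)
            expiry = int(exp_s)
        except ValueError:
            return False, "malformed"        # case 1: does not check out
        if not hmac.compare_digest(mac, self._mac(user, expiry)):
            return False, "bad signature"    # case 1: tampered
        if self.clock() >= expiry:
            return False, "expired"          # case 1: expired
        return True, user

    def request(self, cookie: Optional[str] = None,
                credentials: Optional[Tuple[str, str]] = None):
        """One HTTP request. Returns (decision, cookie_to_set, reason)."""
        ok, why = self.check(cookie)
        if ok:
            return "allow", None, "cookie"   # RADIUS not contacted at all
        if credentials is None:
            return "prompt", None, why       # 401, browser shows login box
        user, tokencode = credentials
        if self.radius.access_request(user, tokencode):
            return "allow", self.issue(user), "radius"
        return "prompt", None, "radius reject"


def demo():
    """Walk through the cases from the post with a constructed user/token."""
    radius = FakeRadiusOtpBackend({"alice": {"123456"}})
    clock = [1000.0]
    gate = CookieGate(radius, b"server-side cookie key", ttl=600,
                      clock=lambda: clock[0])
    trace = []
    decision, cookie, reason = gate.request(None, ("alice", "123456"))
    trace.append((decision, reason, radius.calls))   # first login hits RADIUS
    trace.append(gate.request(cookie)[::2] + (radius.calls,))  # cookie, no RADIUS
    trace.append(gate.request(None, ("alice", "123456"))[::2]
                 + (radius.calls,))                  # replayed tokencode: reject
    clock[0] += 601
    trace.append(gate.request(cookie)[::2] + (radius.calls,))  # expired cookie
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The caveat this makes visible: within the cookie's lifetime the cookie, not the token, is the credential, so it must only travel over TLS and the validity window should be as short as users will tolerate. The replay case also shows why a browser that drops the cookie (case 2) cannot simply resend the same tokencode: RADIUS will reject it, and the user has to wait for the next code.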
