
Technical Notes

Configuring Reflection for Secure IT or F-Secure SSH for RSA SecurID Authentication
Technical Note 1914
Last Reviewed 01-Dec-2005
Applies To
Reflection for Secure IT Windows Client version 6.0 or higher
Reflection for Secure IT Windows Server version 6.x
Reflection for Secure IT UNIX Server version 6.x
Reflection for Secure IT UNIX Client version 6.x
F-Secure SSH Server for UNIX version 5.x
F-Secure SSH Client for UNIX version 5.x
RSA SecurID
Summary

This technical note provides an overview of how to configure RSA SecurID Authentication in Reflection for Secure IT or F-Secure SSH using the keyboard interactive authentication method. The UNIX products require a plug-in.

In Windows

The Reflection for Secure IT Windows Client supports RSA SecurID authentication via the keyboard interactive setting.

Confirm that the Keyboard Interactive setting is selected:

  1. Open Connection > Connection Setup.
  2. Under Connect using, both Network and SECURE SHELL should be selected.
  3. Under Connection options, select or enter a Host name.
  4. Click the Security button. (This becomes enabled after you enter a host name.)
  5. On the General tab under User Authentication, confirm that the Keyboard Interactive check box is selected. Click OK.

To configure the Reflection SSH Windows Server:

  1. In the Configuration tool, open Server Settings > User Authentication > RSA SecurID.
  2. Under the Keyboard Interactive heading, select the checkbox to Allow SecurID authentication over keyboard interactive. Click Apply.

In UNIX

In the UNIX environment, RSA SecurID Authentication is configured in Reflection or F-Secure SSH using the keyboard interactive authentication method via the SecurID plug-in. This method is recommended because it uses precompiled binaries and enables you to avoid compiling source code.

To configure SSH connections using SecurID Authentication on the SSH UNIX server, you must configure the SSH UNIX Client and Server, set two environment variables, and start the SSH Server service.

Configure the SSH UNIX Client

To configure the Reflection or F-Secure SSH UNIX Client, edit the ssh2_config file and set AllowedAuthentications to keyboard-interactive:

AllowedAuthentications keyboard-interactive

Configure the SSH UNIX Server

To configure the Reflection or F-Secure SSH UNIX Server, edit the sshd2_config file and set AllowedAuthentications, AuthKbdInt.Required, and AuthKbdInt.Plugin as follows:

AllowedAuthentications keyboard-interactive
AuthKbdInt.Required plugin
AuthKbdInt.Plugin/ssh-securid-plugin

Note: AuthKbdInt.Required makes authentication with SecurID tokens compulsory. If you want SecurID authentication to be one option in addition to other methods, use AuthKbdInt.Optional instead.

Start the SSH Server Service

Before starting the SSH Server service, you must set the VAR_ACE and LD_LIBRARY_PATH environment variables.

  • Set VAR_ACE to the directory where the sdconf.rec file is located.
  • Set LD_LIBRARY_PATH to the directory where the RSA/Server or RSA/Agent is installed.

For example, if the agent is located in /opt/ace, you would start the service as follows:

$ VAR_ACE=/opt/ace/data LD_LIBRARY_PATH=/opt/ace/prog sshd2

Note: To have the VAR_ACE variable configured on server startup, add it to the host's init script.
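
The server-side steps above can be verified before sshd2 is started. The following pre-flight check is an added example, not part of the original technical note or of the product. The function names are hypothetical, and the config parsing rules (whitespace-separated "keyword value" lines, # comments, case-insensitive keywords, comma-separated lists) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the SecurID setup described in this note.
# Assumptions: "keyword value" lines split on whitespace, '#' starts a comment,
# keywords are case-insensitive, and a repeated keyword takes its last value.

# Print the value of keyword $2 in config file $1 (empty if unset).
cfg_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { val = $2 }
        END { print val }' "$1"
}

# Succeed if comma-separated list $1 contains item $2.
list_has() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# check_securid CONFIG VAR_ACE_DIR LIB_DIR
# Prints one line per finding; returns the number of FAIL findings.
check_securid() {
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    allowed=$(cfg_value "$1" AllowedAuthentications)
    plugin=$(cfg_value "$1" AuthKbdInt.Plugin)
    # The note sets keyboard-interactive as the only allowed method.
    [ "$allowed" = keyboard-interactive ] ||
        fail "AllowedAuthentications is '$allowed', expected keyboard-interactive"
    if list_has "$(cfg_value "$1" AuthKbdInt.Required)" plugin; then
        :
    elif list_has "$(cfg_value "$1" AuthKbdInt.Optional)" plugin; then
        echo "WARN: plugin is only in AuthKbdInt.Optional; SecurID is not compulsory"
    else
        fail "plugin is in neither AuthKbdInt.Required nor AuthKbdInt.Optional"
    fi
    case "$plugin" in
        */ssh-securid-plugin) [ -x "$plugin" ] || fail "$plugin is not executable" ;;
        *) fail "AuthKbdInt.Plugin does not name ssh-securid-plugin" ;;
    esac
    [ -f "$2/sdconf.rec" ] || fail "no sdconf.rec in VAR_ACE directory $2"
    [ -d "$3" ] || fail "LD_LIBRARY_PATH directory $3 does not exist"
    return "$problems"
}

# Run only when called as: script CONFIG VAR_ACE_DIR LIB_DIR
if [ "$#" -eq 3 ]; then check_securid "$@"; fi
```

Pass the path to sshd2_config and the two directories you intend to use for VAR_ACE and LD_LIBRARY_PATH; a non-zero exit status is the number of failed checks.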

Related Technical Notes
1900 F-Secure SSH Technical Notes
1999 Reflection for Secure IT Technical Notes
