This patch allows you to specify AllowUsers and DenyUsers for individual authentication methods (hostbased, publickey, password, keyboard-interactive, kerberos, kerberos_or_local, gss, securid-1@ssh.com). This enables you to configure authentication methods for each user. It is designed for SSH2.
All configuration options are listed in the sshd_config file. They are used in the same way as AllowUsers and DenyUsers.
SecurID authentication for OpenSSH is implemented as a patch for the official portable release of OpenSSH. It is implemented as challenge-response authentication and as securid-1@ssh.com authentication (a non-standard solution provided in commercial implementations from F-Secure and SSH).
Features: On the net you can find another (different) implementation which makes it possible to use SecurID tokens in OpenSSH. But this is a very simple solution in my opinion. It is implemented as a hack into password authentication.
| | This patch | Theo's patch |
|---|---|---|
| Token states support | | |
| normal | yes | yes |
| Next Tokencode | yes | yes / not usable |
| New PIN | yes | no |
| Token states and their prompts | | |
| normal | Enter PASSCODE: | when you connect to a remote host you see only a password prompt and you must know whether to enter a password or a PASSCODE |
| Next Tokencode | Wait until the Tokencode changes, ... | you have no way to detect this state yourself; when you connect to the host, the admin of this host must look into syslog, or the ACE/Server admin into the activity report |
| New PIN | New PIN required; do you wish to continue ... | n/a |
This patch is based on the sftplogging patch, with small modifications; the main addition is scp logging. You must apply both previous patches before applying this one.
Patch: This patch adds support for GSSAPI/SSPI (Kerberos 5) authentication to PuTTY.
GSSAPI: