SecurID card and chat

Post by Jack Bon » Mon, 05 Feb 1996 04:00:00



I have read some articles in this newsgroup indicating that chat
is less than fully useful when used with a SecurID card, a device
to provide security over dialin lines.  [SecurID cards spit out a
pseudo-random password periodically and the system requires it to be
sent to it to allow access.]

Not only is chat useful with SecurID, but I am using it now.
The key is to not type in a password that is about to expire.  The
bar chart on the left of the SecurID card indicates how "fresh" the
password is; if the bar graph is nearly expired, wait for a new
password.

Here is my "internet.up" script:

#!/bin/zsh
# internet.up: prompt for the current SecurID code, write a one-shot chat
# script that contains it, then dial out with pppd.

NUMBER=1-XXX-XXX-XXXX
NAME=my-user-name
print -n "SecurID Code: "
read PASS

# The script file holds the passcode in clear text, so create it readable
# only by the owner.
umask 077

# Each pair of lines is an expect string followed by a send string for
# chat(8).  \"\" is an empty expect; ername:--ername:--ername: means
# "wait for the Username: prompt, and if it does not show up send a bare
# return and wait again".
(
    print \"\"
    print ATZ
    print OK
    print ATDT$NUMBER
    print CONNECT
    print \"\"
    print ername:--ername:--ername:
    print $NAME
    print PASSCODE:
    print $PASS
    print Command\>
    print ppp
) >/tmp/chat.script

setserial /dev/modem spd_vhi
pppd connect 'chat -f /tmp/chat.script' \
   /dev/modem 38400 debug crtscts modem defaultroute :

Of course, there are always other solutions to the problem.  In this
case, I understand that diald will do the job as well.  The above works
for me, however.
--

Software Labs, Ltd.  26985 Fenview Dr.  Barrington, IL  60010


SecurID card and chat

Post by Sean Reifschneid » Wed, 07 Feb 1996 04:00:00



>Not only is chat useful with SecurID, but I am using it now.
>The key is to not type in a password that is about to expire.  The

Actually, I've found that using an "about to expire" password works just fine.
I don't know about your case, but our server seems to have a "grace period"
where it will allow the last password to be used even though it's expired.
This allows for the clock in the card and the clock in the server to be
out of synch with each other.  In fact, I'm guessing that it keeps a sequence
of pass numbers and then uses an algorithm based on how long ago you last
connected to synchronize the server's clock with the card.

It'd kind of have to...  I've never had a "false" failure to log in via the
Secure Card.

Sean
--
"We just wanted to give the band a little more thrust than most other bands."
        - Donald Fagen's reply to why they chose the band name 'Steely Dan'

URL: <http://www.tummy.com/xvscan>  HP-UX/Linux/FreeBSD X11 scanning software.


SecurID card and chat

Post by Nathan Sieme » Sat, 17 Feb 1996 04:00:00


script for ppp connection to shiva lanrover using chat, invoked by

pppconnect <number on securid card>

/usr/local/bin/pppconnect:
#!/bin/csh
# Usage: pppconnect <number on securid card>
# $1 is the tokencode read off the SecurID; the fixed digits written in
# front of it in the chat string make up the rest of the PASSCODE, so this
# file should be readable only by its owner.
setserial /dev/ttyS0 spd_vhi
# The chat string must stay on one line: inside double quotes csh turns a
# backslash-newline into a real newline, and the /bin/sh that pppd uses to
# run the connect command would treat that as the end of the chat command.
pppd connect "chat -v '' ATT OK ATZ OK 'atw1&K3' OK ATDT18002679229 CONNECT '\d\d\r\n' 'ID:-\d\r\n-ID:' siemersn 'CODE:-\r\n-CODE:' 9912$1 Accepted '\d\d\r\n\d\d\r\n' 'Userid:-\r\n-Userid:' guest 'word?' '\d\r\n' '>-\r\n->' 'ppp on'"

(In my script the long line is not broken)

nathan


SecurID card and chat

Post by H J » Wed, 21 Feb 1996 04:00:00



: I too have to log on with SecurID.  I am experimenting with dip to
: get into an interactive session to enter the dynamic password and the
: remote server accepts the login but requires me to do a continue
: to proceed. I also don't know what happens afterwards and wonder if
: anyone knows what the next sequence of exchanges is.  Initiating pppd inside
: dip by typing 'mode PPP' only hangs up the modem. I suspect I need to
: log on again with another user's name.  Any suggestion on how to do
: the continue after the SecurID passcode is entered and what information
: the remote server needs to be ready for PPP?
:
: Regards,
:

ftp://ftp.zoom.com/pub/personal/hjl/linux/dip-3.3.7n-hjl.1.tar.gz

has a sample script for securID and PPP.

H.J.


SecurID card and chat

Post by Vin McLell » Wed, 21 Feb 1996 04:00:00



>>Not only is chat useful with SecurID, but I am using it now.
>>The key is to not type in a password that is about to expire.  The

>Actually, I've found that using an "about to expire" password works just fine.
>I don't know about your case, but our server seems to have a "grace period"
>where it will allow the last password to be used even though it's expired.
>This allows for the clock in the card and the clock in the server to be
>out of synch with each other.  In fact, I'm guessing that it keeps a sequence
>of pass numbers and then uses an algorithm based on how long ago you last
>connected to synchronize the server's clock with the card.
>It'd kind of have to...  I've never had a "false" failure to log in via the
>Secure Card.

   SDI's ACE software -- the software that manages and supports the SecurID
tokens -- maintains a running record of the relative "drift" in each
token's clock-chip, compared to the clock in the host or authentication
server.  The database is updated each time a SecurID is used.

   Working from this record, when an ACE authentication server receives a
name or employee number (the first discrete identifier in an incoming
authentication call) it pre-calculates the appropriate "token-code" for
what it expects the token's clock chip to believe is Current Time, and
(just to be on the safe side) one 60-second time-slot fore and aft.

   Thus, an ACE system will at any given moment accept three (3) SecurID
token-codes as valid, if accompanied by a valid user-memorized PIN.
And each token-code, as you doubtless know, is a pseudo-random number,
which is to say that having one will not allow you to guess or calculate
the others.

   The ACE system does record all token-codes as they are used -- a
SecurID token-code can only be used once, period -- but, no, it does not
calculate all token-codes for all supported tokens continuously.  (Each
SecurID does keep calculating and displaying the ongoing PRN token-code
series.)

   The SecurID token-code is calculated by putting the token's Current
Time and a token-specific Secret Key or "seed" through an SDI-proprietary
one-way function, a cryptographic message digest.  The token-code is the
result.

   There is one search mode, but it is not an authentication mode.

   The ACE database keeps a record of each token's use, and if a token has
not been used for a prolonged period (two weeks to two months, the
sysadmin decides)... and a valid PIN is submitted with an invalid
token-code, a special scan mode kicks in to minimize "false rejections"
due to clock drift.

   Essentially, the ACE system -- working from what its database
suggested the token would use as Current Time -- calculates a series of
"token-codes," searching for a match to the one submitted by the user.  It
can only search ten time-units (30 or 60 seconds each) in either
direction, and typically the search is far more constrained at the
direction of the sysadmin.

   If it finds a match for the submitted token-code, it adjusts its
database record on the token-clock's drift pattern, and then invites the
user to submit yet another token-code.  The SDI guys used to call it a
"Next PRN" call.

   If you've got any serious questions, you might check out their web site.

   Suerte,

               _Vin
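A Python model of the server-side check Vin describes, added here as an illustration and not SDI's own code: the proprietary one-way function is replaced by an HMAC-SHA256 stand-in, and the six-digit display width and the layout of the per-token record are assumptions. It shows the normal three-code window, the once-only rule for each token-code, the drift record updated on every use, and the wider scan for a long-idle token that ends in a "Next PRN" request:

```python
import hmac
import hashlib

SLOT = 60      # seconds per token-code (Vin's 60-second time-slot)
DIGITS = 6     # assumed display width; the post does not state it
WINDOW = 1     # normal mode: Current Time plus one slot fore and aft
SEARCH = 10    # scan mode: at most ten time-units in either direction

def token_code(seed: bytes, slot: int) -> str:
    """Stand-in for SDI's proprietary one-way function: a digest of the
    slot number under the token's secret seed, reduced to DIGITS digits."""
    mac = hmac.new(seed, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)

class AceRecord:
    """Assumed per-token server state: seed, PIN, drift in slots, codes
    already spent, and whether a resync is waiting for a 'Next PRN'."""
    def __init__(self, seed: bytes, pin: str):
        self.seed, self.pin, self.drift = seed, pin, 0
        self.used = set()
        self.await_next = False

    def check(self, passcode: str, server_time: int, idle_long: bool = False) -> str:
        """Returns 'accept', 'next-prn' (resynced, send another code) or 'reject'.
        idle_long models 'token unused for a prolonged period', which is what
        lets the wider scan kick in after a valid PIN with a bad token-code."""
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin) or code in self.used:
            return "reject"            # bad PIN, or a replayed token-code
        centre = server_time // SLOT + self.drift
        width = SEARCH if (idle_long and not self.await_next) else WINDOW
        for offset in range(-width, width + 1):
            if hmac.compare_digest(token_code(self.seed, centre + offset), code):
                self.used.add(code)    # every token-code is accepted once only
                self.drift += offset   # the drift record is updated on each use
                if abs(offset) > WINDOW:
                    self.await_next = True   # found only by the scan: ask again
                    return "next-prn"
                self.await_next = False
                return "accept"
        return "reject"
```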


SecurID card and chat

Post by Sean Reifschneid » Sat, 24 Feb 1996 04:00:00





>: I too have to log on with SecurID.  I am experimenting with dip to
>: get into an interactive session to enter the dynamic password and the
>: remote server accepts the login but requires me to do a continue

Here are a couple of scripts I put together to do PPP into my company
network using SecurID:

========================================================================
doppp
========================================================================
#!/bin/sh
# doppp: ask for the SecurID passcode, splice it into the chat template
# and bring up PPP.

echo -e 'SecurID: \c'
read securid
# chat.chat is the only copy that holds the passcode; the template never does.
sed 's/%SECURID/'"$securid"'/' </etc/ppp/chat.proto >/etc/ppp/chat.chat

# options.ppp (read from the current directory) is expected to point pppd
# at /etc/ppp/chat.chat through its connect option.
/usr/sbin/pppd cua0 38400 file options.ppp

========================================================================
chat.proto
========================================================================
""
"\date1v1q0dt5551212"
"CONNECT"
"\c"
"ATTENTION--ATTENTION"
"\c"
"Username:--Username:"
"USERNAME"
"Password:"
"%SECURID"
""
"\d\r\d\r"
">-->-->"
"ppp default"

========================================================================

The doppp creates a chat.chat script with your securid in it.  You'll
also need to create an options.ppp.  Then just run 'doppp' and it will
ask you for your securid including the secret part.

Sean
--
"We just wanted to give the band a little more thrust than most other bands."
        - Donald Fagen's reply to why they chose the band name 'Steely Dan'

URL: <http://www.tummy.com/xvscan>  HP-UX/Linux/FreeBSD X11 scanning software.


1. PPP - Interactive chat scripts for Sun using Securid

Hi folks,

I'm running Solaris 2.5.1 on a Sparc 10 with CDE. We have a Cisco
Communication server for Dialup that uses the Securid Ace server to
authenticate users.

The Securid authentication requires a new randomly generated password
every 30 seconds so I cannot use the regular chat script to supply a
Username and Password. With Win95 and MS 3.1/Trumpet Winsock, I'm able
to receive a terminal window to type in the Username and Password. After
this point, I type ppp and am able to connect with that protocol.

How do I set up an interactive chat script to get a terminal?

I have used "cu" to connect successfully and receive the prompts but
when I type "ppp" to engage the protocol, there is no handshaking going
on. I really didn't think there would be, but I tried. ;-)

Any help would be appreciated.

Thanks,

Dave

--
Dave Marshall               | I'll take a flight to Beverly Hills, just
Unix Administration         | before dawn, and knock the little jockies
Rockwell Avionics - Collins | off the rich peoples lawns and before they
