The SecurID client setup procedure on a routing-mode Screen raises the issue of the SecurID PIN Server (when operating in daemon mode, securid functions as a SecurID PIN Server).
The PIN Server allows SecurID token holders to enter into a dialog with the ACE/Server to establish the user's PIN.
How a PIN is established varies with the type of token, the device options selected on the server, and so forth. All variants have in common the need for a more extensive dialog with the server than a simple password request and response, or even a password, challenge, and response exchange. This dialog is called the PIN Dance.
SecurID's ACE/Client and ACE/Agent software contain programs that implement the PIN Dance. These programs are installed in place of the normal user login programs and other security hooks on a Unix client system, and enable normal user account protection through SecurID.
The PIN Server is accessed from any reasonable telnet client program (the client must allow connection to an arbitrary server port).
Create rule(s) to allow access to this server from all hosts on which SecurID token holders need to perform PIN establishment.
There are security issues to consider when deciding which hosts should be allowed:
Unless SunScreen SKIP encryption is employed, the PIN Dance is performed in the clear. During the dialog, the PIN is transmitted from the client host to the server.
Except for the PINPAD-style token, every successful authentication with the other token types already transmits the PIN, as the first part of the PASSCODE.
Since PASSCODEs are normally transmitted in the clear, disclosure of the PIN during the PIN Dance is not a new problem. Again, the exception is PINPAD tokens, where the absence of PIN transmittal is a key feature. The SecurID system is quite susceptible to denial-of-service attacks: given ill-considered access to the PIN daemon, an attacker can keep perpetually disabled any token for which they know the associated user name.
Once you have considered these issues, the following example shows what you type to create an address group containing the client hosts from which PIN establishment is allowed, and what you type to create a rule that allows them to communicate with the Screen:
# ssadm edit config
edit> add rule "SecurID PIN" PIN-clients localhost ALLOW ...
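The same procedure carried through as an added, complete session (not taken from the SunScreen documentation): two constructed client hosts are defined, collected into the PIN-clients group, and only that group is granted access to the PIN Server. The address names, the two IP addresses, and the HOST/GROUP/save/quit subcommand syntax are assumptions modelled on SunScreen 3.x ssadm edit usage; only the rule line itself comes from the page.

```console
# ssadm edit config
edit> add address pin-client-1 HOST 192.0.2.10
edit> add address pin-client-2 HOST 192.0.2.11
edit> add address PIN-clients GROUP { pin-client-1 pin-client-2 } { }
edit> add rule "SecurID PIN" PIN-clients localhost ALLOW
edit> save
edit> quit
```

Keeping the group to the few hosts that actually need PIN establishment, rather than a whole network, is what limits the denial-of-service exposure described above, since only those hosts can reach the PIN daemon at all.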