The following is an example of a SecurID configuration.
To configure a SecurID stub client (as root in a shell on the Screen):

    # cd /var/tmp
    # /usr/lib/sunscreen/lib/securid_stubclient_setup sdconf.rec
To create the registry address objects to describe the ACE/Servers, while logged into the Screen:
    admin% ssadm -r screen edit Initial
    edit> add address acemaster HOST ....
    edit> add address aceslave HOST ....
    edit> add address aceservers GROUP { acemaster aceslave } { }
    ...
    edit> save
To continue adding the SecurID client-to-server policy rule:
    edit> add rule securid localhost aceservers ALLOW
To add the ACE/Server server-to-server policy rule:
    edit> add rule securidprop aceservers aceservers ALLOW
To add two PIN server policy rules -- one that allows the end-user SKIP Administration Station to access the PIN server, the other for unencrypted access for inside hosts:
    edit> add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
    edit> add rule "SecurID PIN" inside localhost ALLOW
You should place these rules early enough in the policy so that their action takes place before the action of other conflicting (DENY or less-secure) rules.
To augment the standard admin user to allow SecurID authentication (the existing value is first displayed for clarity):
    edit> authuser print admin
    "admin" ENABLED PASSWORD={ "" CRYPT_PASSWORD="1hp1R.xm.w63Q" ENABLED } DESCRIPTION="(created by install)" REAL_NAME="SunScreen Administrator"
    edit> authuser add admin password={ "" crypt_password="1hp1R.xm.w63Q" } securid={ ssadmin } description="updated for either simple password or SecurID" real_name="SunScreen Administrator"
To save and activate the augmented policy:
    edit> save
    edit> quit
    admin% ssadm -r screen activate Initial
To perform PIN establishment of the token (from the Administration Station):
    admin% telnet screen 3855
    Trying 1.2.3.4...
    Connected to screen.
    Escape character is '^]'.
    SunScreen V3.2 SecurID PIN / Re-keying Server
    Enter SecurID login: ssadmin
    Enter PASSCODE: 6-digit-passcode-from-token
    New PIN required; do you wish to continue? (y/n) [n]: y
    Now enter your new PIN, containing 4 to 8 digits,
    or press Return to generate a new PIN and display it on the Screen,
    or end the connection to cancel the New PIN procedure: 4-digit-PIN
    Please reenter new PIN: 4-digit-PIN
    Wait for the code on your token to change, then connect again with the new PIN
    Connection closed by foreign host.
The configuration is now complete. After the code on the token changes (up to one minute later), administrative access to the Screen can be obtained using SecurID. The SunScreen administrative user's name is still admin, but you supply as the password the 4-digit-PIN value (established above) followed immediately by the 6-digit value displayed by the token.
In this example the simple-text password is still accepted as well, because the authuser entry keeps its password= value alongside securid=; remove the password= value if only SecurID should establish administrator authenticity.
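The rule-ordering advice above (SecurID rules must precede any conflicting DENY or less-secure rule) can be checked against a saved policy listing. The following added script is not part of SunScreen or of this page's procedure; it assumes the rules are available in the same "add rule" syntax used above, that the policy is evaluated first-match, and it uses a constructed sample listing.

```python
"""Flag SunScreen SecurID rules that an earlier rule in the policy would shadow."""
import shlex

# Service names used by the SecurID rules on this page.
SECURID_SERVICES = {"securid", "securidprop", "SecurID PIN"}

# Constructed sample policy in the 'add rule' syntax shown above, in policy
# order. With first-match evaluation, rules 5 and 6 below never take effect:
# rule 5 (SKIP-protected) is pre-empted by the plaintext rule 2, and rule 6
# by the DENY in rule 1.
SAMPLE_POLICY = """\
add rule "SecurID PIN" inside localhost DENY
add rule "SecurID PIN" admin localhost ALLOW
add rule securid localhost aceservers ALLOW
add rule securidprop aceservers aceservers ALLOW
add rule "SecurID PIN" admin localhost SKIP_VERSION_2 remote screen.admin DES-CBC RC4-40 MD5 NONE ALLOW
add rule "SecurID PIN" inside localhost ALLOW
"""


def parse_rules(text):
    """Return one dict per 'add rule' line, in policy order."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)          # honours the quoted "SecurID PIN" name
        if len(tok) < 6 or tok[:2] != ["add", "rule"]:
            continue                     # not a rule line (e.g. 'add address')
        rules.append({"service": tok[2], "src": tok[3], "dst": tok[4],
                      "modifiers": tuple(tok[5:-1]), "action": tok[-1]})
    return rules


def shadowed_securid_rules(rules):
    """List (earlier_no, shadowed_no, earlier_action) for every SecurID rule
    that an earlier rule with the same service, source and destination
    pre-empts. Rule numbers are 1-based positions in the policy."""
    found = []
    for i, rule in enumerate(rules):
        if rule["service"] not in SECURID_SERVICES:
            continue
        key = (rule["service"], rule["src"], rule["dst"])
        for j in range(i):
            earlier = rules[j]
            if (earlier["service"], earlier["src"], earlier["dst"]) == key:
                found.append((j + 1, i + 1, earlier["action"]))
                break                    # the first matching rule is the one that fires
    return found


if __name__ == "__main__":
    for earlier, later, action in shadowed_securid_rules(parse_rules(SAMPLE_POLICY)):
        print(f"rule {later} is shadowed by rule {earlier} ({action})")
```

The check compares address names literally, so a broader group that contains the SecurID rule's source (for example if admin is a member of inside) is not detected; resolve group membership from the address objects before relying on the result.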