| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Can firewall administrator remote CLI sessions (ssh) be configured to authenticate to SecurID on SPLAT (R55) rather than the local user store? We're using similar external, stronger authentication methods for router/switch administration and am hoping we can with firewalls too. Could it be as easy as copying the necessary sdconf.rec file into /var/ace on SPLAT and establishing a client authentication rule (source = ssh stepping stone, destination = firewall, authenticated services = ssh)? Or do these actions only work for SecuRemote users rather than firewall administration? Or does SPLAT not like it (most documentation I've read in FAQ thus far predates SPLAT)? Thanks in advance! |
| |||
| I have never tried this before, but I think it can be done just based on how SecurID authenticates Linux sessions. Basically, you have to change the passwd file to enter the SecurID shell. That is how it knows to prompt you for your SecurID Passcode. You then have to define what shell you want to be put into when you authenticate successfully; in this case, it would be the cpshell. I guess you could use Client Authentication to do this, but you could not use partially automatic authentication because it will only authenticate certain services and SSH is not one of them. This means you will have to telnet to the firewall on port 259 or http to the firewall on port 900 and authenticate with SecurID, then SSH to the firewall and authenticate into the cpshell as normal. I doubt this is what you want to do. I will see if I can find documentation on RSA Linux Agents, but if you want to test it, let me know how it goes... If I ever get a chance to do it, I'll let you know how it works! =) __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
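Added example, not part of either post: if the passwd-file approach described in the reply is used, a quick audit can list every interactive account whose login shell is not the SecurID shell and would therefore never see a passcode prompt. The sdshell path, the function names and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Audit passwd-format data for interactive accounts that skip the SecurID shell.
# SDSHELL is an assumed path; set it to wherever the RSA agent installed its shell.
SDSHELL="${SDSHELL:-/opt/ace/prog/sdshell}"

# Reads passwd-format lines on stdin and prints "user:shell" for every account
# that can log in interactively without first passing through $SDSHELL.
find_bypass_accounts() {
    awk -F: -v sd="$SDSHELL" '
        /^[ \t]*(#|$)/ { next }                     # skip comments and blank lines
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"      # empty field means the default shell
            if (shell ~ /(nologin|false)$/) next    # non-interactive service account
            if (shell != sd) print $1 ":" shell     # logs in without a passcode prompt
        }'
}

# Constructed sample, not taken from a real firewall.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/cpshell
fwadmin1:x:500:500::/home/fwadmin1:/opt/ace/prog/sdshell
ntp:x:38:38::/etc/ntp:/sbin/nologin
legacy:x:501:501::/home/legacy:
EOF
}

# Stand-alone use: "sh audit.sh --live" checks the local /etc/passwd.
if [ "${1:-}" = "--live" ] && [ -r /etc/passwd ]; then
    find_bypass_accounts < /etc/passwd
fi
```

On the constructed sample this reports root, admin and legacy: an account that lands in cpshell directly has not been moved behind the SecurID shell.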