OSEC

From: Bennett Todd (betrahul.net)
Date: Fri Mar 08 2002 - 15:39:26 CST

    Unless there's been some recent development I haven't heard of,
    incorporating user authentication (like e.g. SecurID) into IPSec
    remains an open research problem. Any solution that's in use today
    is a special one-off ad-hoc hack. Such a hack is easy to make.

    If I needed to cook one, I'd rig a CGI that did the SecurID auth,
    then enabled that user in the FreeS/WAN config, then scheduled a job
    to yank that user back out (preventing new logins) after a few
    minutes. I believe you can enable/disable users without disrupting
    existing security associations by just frobbing the auth data, but I
    haven't tried it.

    Instead of a CGI, you could do this with an ssh login, or whatever
    other protocol you like.

    -Bennett

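The time-boxed enable/disable logic described in the message above, as an added example that is not part of the original post or of FreeS/WAN. `LoginWindow`, `verify` (standing in for the SecurID check) and `apply` (standing in for whatever rewrites and reloads the gateway's auth data) are hypothetical names, and the token value in the demo is constructed.

```python
import time
from typing import Callable, Dict, Set


class LoginWindow:
    """Tracks which users may start a new IPsec login right now."""

    def __init__(self, verify: Callable[[str, str], bool],
                 apply: Callable[[Set[str]], None],
                 window_s: int = 300,
                 clock: Callable[[], float] = time.time):
        self.verify = verify      # hypothetical: token check (SecurID in the post)
        self.apply = apply        # hypothetical: pushes the enabled set to the gateway
        self.window_s = window_s  # "a few minutes" in the post; 300 s is an assumption
        self.clock = clock
        self.expiry: Dict[str, float] = {}
        self.applied: Set[str] = set()

    def _sync(self) -> None:
        enabled = set(self.expiry)
        if enabled != self.applied:   # touch the gateway only on a real change
            self.apply(enabled)
            self.applied = enabled

    def authenticate(self, user: str, code: str) -> bool:
        """Called by the front end (CGI, ssh login, ...) with the token code."""
        self.sweep()                  # never leave stale users enabled
        if not self.verify(user, code):
            return False              # a failed auth changes nothing
        self.expiry[user] = self.clock() + self.window_s
        self._sync()
        return True

    def sweep(self) -> Set[str]:
        """Scheduled job: yank users whose login window has closed."""
        now = self.clock()
        expired = {u for u, t in self.expiry.items() if t <= now}
        for u in expired:
            del self.expiry[u]
        self._sync()
        return expired


if __name__ == "__main__":
    # Constructed demo: a fixed code stands in for a real token server.
    w = LoginWindow(lambda u, c: c == "123456", lambda s: print("enabled:", sorted(s)))
    print(w.authenticate("alice", "123456"))
```

Removing a user here only closes the window for new logins; whether existing security associations survive the change is the part the message says is untested.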