Notes on the integration of TIS authentication into ssh

TIS authentication differs from normal password authentication in that the
user is presented with a challenge he has to meet. The nature of the challenge
and of the response depends on the authentication method assigned to each user
known by the authentication server.

Ssh and sshd had to be modified to present the challenge generated by the
authentication server to the user. This couldn't be done without extending the
protocol used between ssh and sshd. However, TIS-aware ssh clients can still
connect to non-TIS-aware sshd servers.

If the "TISAuthentication" option is set to "yes" on both the client and the
server side, the authentication method is the following:

- the client (ssh) asks the server (sshd) for TIS authentication,
- the server tries to connect to authsrv (TIS' authentication server) and asks
  it to identify the user. If authsrv is not accessible or does not know the
  user, sshd sends an authentication failure message to the client (ssh) and
  waits for another authentication method request. If authsrv knows the user,
  it sends the challenge sentence to sshd, and sshd sends the sentence to the
  client,
- the client prompts the user with the challenge and reads the passphrase,
- the client sends the passphrase to sshd,
- sshd sends the passphrase to authsrv,
- authsrv responds to sshd with "ok" or "Permission denied". In the first case,
  sshd sends a success message back to the client. In the second case, it sends
  a failure message to the client and shuts down the connection.

The connection between sshd and TIS' authentication server is in clear text!
If the authentication server is on the same host as sshd, this should not be a
security concern. However, if they are on separate hosts, you should make sure
that the network connecting them can be trusted.

Technically, only sshd needs the TIS libraries. This means that ssh is always
"TIS aware", while sshd needs to be compiled with TIS support (see the
"--with-tis" option to configure).

Like any application linked with the TIS libraries, sshd needs a line similar
to:

    *: authserver aaa.bbb.ccc.ddd 7777

in netperm-table (specified during the installation of the TIS libraries,
usually /usr/local/etc/netperm-table).

The TIS firewall toolkit can be found at http://www.tis.com.

USING SSH AND TIS' FIREWALL TOOLKIT

Since there is no proxy for ssh, you configure sshd on one of your hosts to
authenticate users through the authentication server of the firewall, and
configure the plug-gw application on the firewall to forward any packet it
receives on port 22 to your sshd server.

If you have any comments about this implementation, or better yet, would like
to contribute to it(!), please feel free to send me some e-mail at
Andre.April@cediti.be.

Regards,
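The following is an added illustration of the three-party exchange described in the notes; it is not code from ssh, sshd or the TIS firewall toolkit. It models the steps in the list above (ssh asks sshd for TIS authentication, sshd asks authsrv to identify the user, the challenge sentence travels back to the user, the passphrase travels forward, and "ok" or "Permission denied" decides whether sshd reports success or closes the connection). The message strings, the two toy authentication methods (a static password and an HMAC response to a nonce) and all users and secrets are assumptions constructed for this model, not the real authsrv wire protocol. Note that the model keeps every secret on the authsrv side: sshd only relays, which is exactly why the clear-text link between sshd and authsrv matters when the two run on different hosts.

```python
"""Toy model of the ssh / sshd / authsrv exchange (added example, not ssh code).

Message strings, authentication methods, users and secrets are all
constructed for this illustration; they are not the authsrv wire protocol.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple


def hmac_response(secret: bytes, nonce: str) -> str:
    """Response a user's token would compute for a nonce (constructed scheme)."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()[:8]


def answer_challenge(secret: bytes, challenge: str) -> str:
    """What the user types back at the prompt ssh displays."""
    if challenge.startswith("Challenge "):
        nonce = challenge.split()[1].rstrip(":")
        return hmac_response(secret, nonce)
    return secret.decode()  # plain password prompt


class AuthSrv:
    """Stand-in for authsrv: knows each user's authentication method."""

    def __init__(self, users: Dict[str, Tuple[str, bytes]],
                 nonce_fn: Callable[[], str] = lambda: secrets.token_hex(4)):
        # users maps a name to (method, secret); method is "password" or
        # "challenge". nonce_fn is injectable so the exchange can be replayed.
        self.users = users
        self.nonce_fn = nonce_fn
        self.pending: Dict[str, str] = {}  # user -> nonce for this session

    def authorize(self, user: str) -> Optional[str]:
        """sshd asks authsrv to identify the user; None means unknown user."""
        entry = self.users.get(user)
        if entry is None:
            return None
        method, _ = entry
        if method == "password":
            self.pending[user] = ""
            return "Password:"
        nonce = self.nonce_fn()
        self.pending[user] = nonce
        return f"Challenge {nonce}:"

    def respond(self, user: str, passphrase: str) -> str:
        """sshd forwards the user's answer; reply "ok" or "Permission denied"."""
        if user not in self.pending:
            return "Permission denied"
        method, secret = self.users[user]
        nonce = self.pending.pop(user)  # a challenge is single-use
        expected = secret.decode() if method == "password" else hmac_response(secret, nonce)
        ok = hmac.compare_digest(expected.encode(), passphrase.encode())
        return "ok" if ok else "Permission denied"


class Sshd:
    """Server side: relays between ssh and authsrv and holds no secrets."""

    def __init__(self, authsrv: Optional[AuthSrv]):
        self.authsrv = authsrv  # None models an unreachable authsrv
        self.open = True

    def tis_request(self, user: str) -> Tuple[str, Optional[str]]:
        if self.authsrv is None:
            return ("failure", None)  # ssh may ask for another method
        challenge = self.authsrv.authorize(user)
        if challenge is None:
            return ("failure", None)
        return ("challenge", challenge)

    def tis_response(self, user: str, passphrase: str) -> str:
        if self.authsrv.respond(user, passphrase) == "ok":
            return "success"
        self.open = False  # a failed response shuts the connection down
        return "failure"


def ssh_tis_login(sshd: Sshd, user: str, secret: bytes, transcript: List[str]) -> str:
    """Client side. Returns "success", "failure" or "next-method"."""
    transcript.append(f"ssh -> sshd: TIS authentication request for {user}")
    status, challenge = sshd.tis_request(user)
    if status == "failure":
        transcript.append("sshd -> ssh: failure (try another method)")
        return "next-method"
    transcript.append(f"sshd -> ssh: {challenge}")
    passphrase = answer_challenge(secret, challenge)
    transcript.append("ssh -> sshd: <passphrase>")
    result = sshd.tis_response(user, passphrase)
    transcript.append(f"sshd -> ssh: {result}")
    return result


def demo_server(reachable: bool = True, nonce: str = "deadbeef") -> Sshd:
    """Constructed users: alice uses a challenge token, bob a static password."""
    users = {"alice": ("challenge", b"alice-token-secret"),
             "bob": ("password", b"bob-pass")}
    return Sshd(AuthSrv(users, nonce_fn=lambda: nonce) if reachable else None)


if __name__ == "__main__":
    log: List[str] = []
    print(ssh_tis_login(demo_server(), "alice", b"alice-token-secret", log))
    print("\n".join(log))
```

Running the block prints the transcript of a successful login for the constructed user alice; replacing the secret, naming an unknown user, or building the server with reachable=False exercises the "Permission denied" and "try another method" branches from the list above.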