Next: The GSSAPI mechanism, Previous: The NTLM mechanism, Up: Mechanisms [Contents][Index]
The SECURID mechanism uses authentication and authorization identity together with a passcode from a hardware token to authenticate users.
In the client, this mechanism is always enabled, and it requires the
GSASL_AUTHID and GSASL_PASSCODE properties. If set,
GSASL_AUTHZID will also be used. If the server requests it,
the GSASL_PIN property is also required, and its callback may
inspect the GSASL_SUGGESTED_PIN property to discover a
server-provided PIN to use.
In the server, this mechanism will invoke the
GSASL_VALIDATE_SECURID callback. The callback may inspect the
GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSCODE
properties. The callback can return
GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to ask for
another additional passcode from the client. The callback can return
GSASL_SECURID_SERVER_NEED_NEW_PIN to ask for a new PIN code
from the client, in which case it may also set the
GSASL_SUGGESTED_PIN property to indicate a recommended new PIN.
If the callbacks is invoked again, after having returned
GSASL_SECURID_SERVER_NEED_NEW_PIN, it may also inspect the
GSASL_PIN property, in addition to the other properties, to
find out the client selected PIN code.
The SECURID mechanism is specified in RFC 2808.