The SECURID mechanism uses authentication and authorization identity together with a passcode from a hardware token to authenticate users.
In the client, this mechanism is always enabled, and it requires the GSASL_AUTHID and GSASL_PASSCODE properties. If set, GSASL_AUTHZID will also be used. If the server requests it, the GSASL_PIN property is also required, and its callback may inspect the GSASL_SUGGESTED_PIN property to discover a server-provided PIN to use.
In the server, this mechanism will invoke the GSASL_VALIDATE_SECURID callback. The callback may inspect the GSASL_AUTHID, GSASL_AUTHZID, and GSASL_PASSCODE properties. The callback can return GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE to ask the client for an additional passcode. The callback can return GSASL_SECURID_SERVER_NEED_NEW_PIN to ask the client for a new PIN code, in which case it may also set the GSASL_SUGGESTED_PIN property to indicate a recommended new PIN. If the callback is invoked again after having returned GSASL_SECURID_SERVER_NEED_NEW_PIN, it may also inspect the GSASL_PIN property, in addition to the other properties, to find out the client-selected PIN code.
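The server-side callback contract described above, as an added example that is not GNU SASL code: a standalone C model of a GSASL_VALIDATE_SECURID handler that walks the normal, additional-passcode and new-PIN rounds. The token table, the numeric return-code values and the PIN policy are constructed assumptions; a real callback would fetch the same inputs with gsasl_property_get() and publish a suggested PIN with gsasl_property_set().

```c
/* Standalone model of the GSASL_VALIDATE_SECURID server callback (added example, not
 * GNU SASL code): token table, return-code values and PIN policy are constructed. A real
 * callback reads these inputs via gsasl_property_get() and sets GSASL_SUGGESTED_PIN. */
#include <stddef.h>
#include <string.h>

enum { SECURID_OK, SECURID_AUTHENTICATION_ERROR,
       SECURID_NEED_ADDITIONAL_PASSCODE,  /* mirrors GSASL_SECURID_SERVER_NEED_ADDITIONAL_PASSCODE */
       SECURID_NEED_NEW_PIN };            /* mirrors GSASL_SECURID_SERVER_NEED_NEW_PIN */

struct token {
    const char *authid, *passcode, *next_passcode; /* expected codes (constructed) */
    int pin_expired, resync, awaiting_second;      /* new PIN due; token drifted; 2nd code requested */
    char pin[16];
};
struct token demo_db[3] = { {"alice", "159753", "314159", 0, 0, 0, "1234"},   /* normal login */
                            {"bob",   "246810", "121212", 1, 0, 0, "0000"},   /* must change PIN */
                            {"carol", "112233", "445566", 0, 1, 0, "5555"} }; /* token out of sync */

static int same(const char *a, const char *b) { /* constant-time: no early exit on mismatch */
    unsigned char d = strlen(a) != strlen(b);
    for (size_t i = 0; a[i] && b[i]; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}
/* One callback invocation. pin is NULL except on the round answering NEED_NEW_PIN;
 * *suggested_pin is set only when the server proposes a PIN. */
int validate_securid(struct token *db, size_t n, const char *authid, const char *authzid,
                     const char *passcode, const char *pin, const char **suggested_pin) {
    struct token *t = NULL;
    *suggested_pin = NULL;
    for (size_t i = 0; i < n; i++)
        if (authid && strcmp(db[i].authid, authid) == 0) t = &db[i];
    if (!t || !passcode) return SECURID_AUTHENTICATION_ERROR;
    /* Authorization policy (assumption): authzid, when given, must equal authid. */
    if (authzid && *authzid && strcmp(authzid, t->authid) != 0) return SECURID_AUTHENTICATION_ERROR;
    if (t->awaiting_second) {            /* client answered NEED_ADDITIONAL_PASSCODE */
        t->awaiting_second = 0;
        t->resync = !same(passcode, t->next_passcode);  /* a miss leaves the token unsynced */
        return t->resync ? SECURID_AUTHENTICATION_ERROR : SECURID_OK;
    }
    if (!same(passcode, t->passcode)) return SECURID_AUTHENTICATION_ERROR;
    if (pin) {                           /* client answered NEED_NEW_PIN */
        t->pin_expired = strlen(pin) < 4 || strlen(pin) >= sizeof t->pin;  /* policy: 4..15 chars */
        if (!t->pin_expired) strcpy(t->pin, pin);
        return t->pin_expired ? SECURID_AUTHENTICATION_ERROR : SECURID_OK;
    }
    if (t->pin_expired) { *suggested_pin = "2468"; return SECURID_NEED_NEW_PIN; }
    if (t->resync) { t->awaiting_second = 1; return SECURID_NEED_ADDITIONAL_PASSCODE; }
    return SECURID_OK;
}
```

The per-record awaiting_second flag stands in for per-session state; in a real server it would live with the Gsasl_session rather than in the token table.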
The SECURID mechanism is specified in RFC 2808.