HP-UX

Is anyone here familiar with implementing multi-factor authentication on HP-UX 11.31? Either with a PIV card, or with an RSA token? We've been tasked with implementing this on our servers, but I'm not finding much in the way of products or information. To complicate matters, our servers are running in Trusted Mode.

Any leads are appreciated, thanks.

All authentication is done by PAM.
Read man pam

If you have the money for the tokens (I have carried many), the vendors help you get set up. I am not an SA focused guy.

Once, I proposed writing a free lightweight one where on top of the password, there was a challenge-response from a small database or flat file. You take a printout home and answer from that. Challenges get a one time use, so you need to generate a new set and print it out now and then. I guess you could put it in a file and automate it. What you have and what you know = 2 things. You might be able to set it up as a shell wrapper in passwd that demands the response before starting your shell.

I'm familiar with using tokens to authenticate a VPN network connection, but I have not seen them in use for authenticating users to an individual server, especially an HP-UX server running in Trusted Mode. I could call around to the vendors and see what they can offer, but was more curious if anyone here had already implemented such a thing, and what products they used, and what their opinions were on the solution.

That's a clever idea, and may even meet our requirement. Running in Trusted Mode however I think would rule that out. Trusted Mode is very different animal when it comes to user authentication.

Why would trusted mode be different? It still lets users in with password to specified shell, if so configured, I expect, already, usually.

Because trusted mode has a database of the users, and also restrictions for password aging, complexity requirements, and other things. And it shadows the passwd file.

Additionally, there are more than a few 3rd party applications that flat out don't work in Trusted Mode, and the application vendor does not support running in Trusted Mode.

I am sure there are some behaviors for Trusted Mode after you log in, as some apps are not supported in int, but you mention things about login only.

My point is that by assigning a special shell to the account, you have an additional opportunity to apply access controls. I suppose that if stty processing is up before the shell, the tty might generate a signal, but the shell can handle that, and there is no other shell for it to break out to. The special shell can do additional authentication before exec*() of a normal shell or disconnect. It can even set a marker file for excess failed tries and lock the account.