VanDyke Software Forums

bposner 01-22-2016 11:59 AM

RSA SecurID PIN setup doesn't work under SSH session
Hey All, got a head-scratcher for ya...

We're implementing RSA SecurID 2-Factor logins for all of our Cisco gear. We currently use Cisco ACS 5.8 and TACACS+ for all of our AAA needs. We've got the RSA server and ACS talking nicely now. However, we cannot seem to get token PINs set up when using an SSH session in SecureCRT. I can use any other SSH software (OSX terminal, Putty on Windows) or a standard Telnet session but NOT an SSH session in SecureCRT.

When we set up a new token, the user connects to a switch/router with their login name and then enters just their token code as read from their hardware or soft token. The system then processes the user as setting up their PIN and will prompt accordingly. They then enter their PIN twice, once at each prompt, and then, usually they're all set. Any subsequent logins afterwards are performed using their login name and PASSCODE (PIN + TOKENCODE).

This PIN setup process is the one that doesn't work in SecureCRT under an SSH session. Instead of getting the PASSCODE prompt we get a standard Password prompt and no PIN setup dialogs at all. This process works under a telnet session and it works in SSH for other SSH applications... very weird. Once the PIN is set up SSH under SecureCRT works fine. It's just this PIN setup that is borked.

Anyone have any ideas? I have tried enabling "Display logon prompts in the terminal window" in the Logon Actions area for a session but it didn't seem to help.


rtb 01-22-2016 12:27 PM

Hi BPosner,

SecureCRT defaults to password authentication if the server indicates that it supports password authentication. It sounds like the server either doesn't support password authentication or doesn't support password authentication for this specific scenario even though it sounds like the server is advertising support for password authentication.

If you move Keyboard Interactive authentication to the top of the Authentication list for your session, do you get better results?

You can make this change in the Quick Connect dialog or in the Connection / SSH2 category of the Session Options dialog if you have a saved session.
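
The behaviour described in this reply, as an added example that is not part of the original post and is not SecureCRT, Cisco or RSA code: a simplified Python model of SSH user authentication in which the client uses the first method in its own preference list that the server advertises. The function names are hypothetical, and the prompt strings, PIN and tokencode are constructed.

```python
# Simplified model of SSH user-auth method selection (RFC 4252 password vs.
# RFC 4256 keyboard-interactive). Names, prompts and values are constructed.

SERVER_METHODS = ["password", "keyboard-interactive"]  # advertised by the device
TOKENCODE = "159759"  # constructed sample tokencode
PIN = "4821"          # constructed sample PIN

def pick_method(client_order, server_methods):
    """Return the first client-preferred method that the server advertises."""
    for method in client_order:
        if method in server_methods:
            return method
    return None

def server_prompts(method, token_state):
    """Prompts the server can deliver for this method and token state."""
    if method == "password":
        # One fixed credential request: no way to carry the new-PIN dialog.
        return ["Password:"]
    if token_state == "new_pin":
        # keyboard-interactive lets the server send arbitrary prompts.
        return ["Enter PASSCODE:", "Enter new PIN:", "Re-enter new PIN:"]
    return ["Enter PASSCODE:"]

def server_verify(token_state, answers):
    """Backend decision: new-PIN mode needs the tokencode plus a confirmed PIN."""
    if token_state == "new_pin":
        return (len(answers) == 3 and answers[0] == TOKENCODE
                and answers[1] == answers[2])
    return answers == [PIN + TOKENCODE]

def login(client_order, token_state):
    """One login attempt; returns (method, prompts shown, success)."""
    method = pick_method(client_order, SERVER_METHODS)
    if method is None:
        return None, [], False
    prompts = server_prompts(method, token_state)
    typed = [TOKENCODE, PIN, PIN] if token_state == "new_pin" else [PIN + TOKENCODE]
    answers = typed[:len(prompts)]  # the user can only answer prompts that arrive
    return method, prompts, server_verify(token_state, answers)

if __name__ == "__main__":
    for order in (["password", "keyboard-interactive"],
                  ["keyboard-interactive", "password"]):
        for state in ("new_pin", "enrolled"):
            print(order[0], state, login(order, state))
```
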

bposner 01-22-2016 12:51 PM

That worked perfectly! Thanks very much!

rtb 01-22-2016 01:49 PM

Hi BPosner,

Thanks for the update. I am glad to hear that you have a solution.

If you want to modify the default used by SecureCRT or you want to modify some of your sessions to use Keyboard Interactive authentication, you can use one of the following tips:

netguy 02-26-2016 02:36 PM


I was really curious on your implementation of RSA authentication. Our organization currently has a requirement for two factor authentication. We are currently using Cisco ACS and TACACS+ for AAA as well. Curious to know what RSA server software, hardware tokens, etc. that you used.

All times are GMT -6.