SecurID authentication for OpenSSH is done as a patch for the official portable release of OpenSSH. It is done as challenge response authentication and securid-1@ssh.com authentication (a non-standard solution provided in commercial implementations from F-Secure and SSH). All SecurID token states are covered (Next token code and New PIN). Privilege separation is fully supported.
