000037990 - Adding additional operating system accounts to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Sep 25, 2019

Article Content

Article Number: 000037990
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This article provides steps to add additional operating system accounts to RSA Authentication Manager. Additional operating system accounts allow you to:
  • Track the activity of different administrators in Linux, and
  • Provide a separate authenticated SSH account for a vulnerability scan tool; for example, your IT department may request SSH access in order to perform an authenticated scan of the RSA Authentication Manager appliance.

 
Tasks
For a user to gain access to Linux, they need three things:
  1. A user ID in /etc/passwd.
  2. Access to SSH. This will require a restart of sshd.
  3. Access to sudo. This is optional; omit it if the account should not be able to gain root (the access rsaadmin has) through sudo.

Note: This means it is possible to give your IT team's scan account SSH access without sudo access, by omitting step 3.
Resolution
To add an additional user, follow the steps below:
  1. Launch an SSH client, such as PuTTY.
  2. Log in to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to log in.

  3. Use sudo su - to gain root access:

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Sep  4 11:32:58 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ #

  4. Add the new user ID in /etc/passwd and set a password for the user ID. ScanAdmin is used in this example:

am82p:~ # useradd -m ScanAdmin
am82p:~ # passwd ScanAdmin
Changing password for ScanAdmin.
New Password: <enter new password>
Reenter New Password: <reenter new password>
Password changed.

  5. Before continuing, take a backup of /etc/ssh/sshd_config:

am82p:~ # cd /etc/ssh/
am82p:~ # cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk

  6. Allow SSH access for ScanAdmin by editing /etc/ssh/sshd_config:

am82p:~ # vi /etc/ssh/sshd_config

      1. Scroll down to the text # Example of overriding settings on a per-user basis.
      2. Press i to enter Insert mode.
      3. Add the newly created ScanAdmin user ID at the end of the AllowUsers line, as shown. Note that a single space separates the user IDs.

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
AllowUsers rsaadmin ScanAdmin

      4. When done, press Escape (Esc) to exit Insert mode.
      5. To save changes and close, type :wq!  To close the file without saving, type :q!
  7. Restart sshd after saving the file changes:

am82p:~ # /sbin/service sshd restart
Shutting down the listening SSH daemon                   done
Checking for missing server keys in /etc/ssh
Starting SSH daemon                                      done

  8. Optionally, you can allow sudo access for the ScanAdmin user. Edit the sudoers file:

visudo -s -f /etc/sudoers

Note that if you use vi, you will have to confirm the overwrite when saving.

      1. Scroll down to the bottom of the file and look for # Samples.
      2. Press i to enter Insert mode.
      3. Insert a blank line under the rsaadmin line.
      4. Copy the complete rsaadmin line and paste it below the existing rsaadmin information.
      5. In the second line, replace rsaadmin with ScanAdmin.

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
rsaadmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py
ScanAdmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py

      6. When done, press Escape (Esc) to exit Insert mode.
      7. To save changes and close, type :wq!  To close the file without saving, type :q!
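The procedure above makes its two file edits by hand in vi. The following shell helpers are an added example, not code from the RSA article or from the appliance: they perform the same AllowUsers edit and build the same copied sudoers line in a scriptable, idempotent way, and run sshd's own syntax test before the daemon is restarted. The function names and the use of a `.tmp` file are this example's own choices; every function takes the file path as its first argument so the edit can be rehearsed on the sshd_config.bk copy before the live /etc/ssh/sshd_config is touched.

```shell
#!/bin/sh
# Added example (not part of the RSA article): helpers for the sshd_config and
# sudoers edits in the procedure. Each function takes the file path first, so
# it can be tried on a copy such as /etc/ssh/sshd_config.bk.

# Print the user names on the AllowUsers line of FILE, one per line.
allowed_users() {
    grep '^AllowUsers ' "$1" | cut -d' ' -f2- | tr ' ' '\n' | grep -v '^$'
}

# Append USER to the "AllowUsers ..." line in FILE unless it is already listed.
# Returns 0 on success (including "already present") and 1 if FILE has no
# AllowUsers line, in which case nothing is changed.
add_allow_user() {
    file="$1"; user="$2"
    grep -q '^AllowUsers ' "$file" || return 1
    if allowed_users "$file" | grep -qx "$user"; then
        return 0
    fi
    # Write to a temporary file and rename it, so a failed edit never leaves a
    # half-written sshd_config behind.
    sed "s/^AllowUsers .*/& $user/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Produce the sudoers entry the article builds by hand: the existing rsaadmin
# line with the user name swapped. Only needed if the account is meant to have
# sudo (root) rights; a scan-only account stops at add_allow_user.
sudoers_line_for() {
    file="$1"; user="$2"
    grep '^rsaadmin ' "$file" | sed "s/^rsaadmin /$user /"
}

# Check an edited sshd_config with sshd's syntax test (sshd -t) before the
# restart, so a typo cannot lock every user, rsaadmin included, out of SSH.
# Returns 2 when sshd is not on the PATH (for example on a workstation).
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 2
    sshd -t -f "$1"
}
```

A typical rehearsal on the appliance, as root: copy the live file to a scratch location, run `add_allow_user /tmp/sshd_config.test ScanAdmin`, then `check_sshd_config /tmp/sshd_config.test`; only when that returns 0 apply the same call to /etc/ssh/sshd_config and restart sshd. The sudoers edit still goes through `visudo`, which performs its own syntax check; `sudoers_line_for` only prepares the line to paste.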
Notes
The RSA Authentication Manager appliance does not have a root account that can log on to SSH or the console. It has the rsaadmin operating system account and password created at deployment, and allows root access through sudo with the rsaadmin password.
