000038366 - Unchallenged Active Directory users fail to authenticate with RSA Authentication Agent for PAM

Document created by RSA Customer Support Employee on Jan 22, 2020
Version 1

Article Content

Article Number: 000038366
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Issue: When an unchallenged Active Directory user tries to authenticate to a Linux system protected by the RSA Authentication Agent for PAM, they are prompted for a password. After the password is entered, authentication fails even though the password is correct.
Cause: The RSA Authentication Agent for PAM Installation Guide instructs administrators to comment out all auth modules in the protected service and keep pam_securid.so as the only auth module, as in the example below:

#%PAM-1.0
auth    required pam_securid.so
#auth    required pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin


That is acceptable when the environment only has local Linux users, because pam_securid.so can handle both SecurID authentication and Linux (UNIX password) authentication. However, pam_securid.so cannot handle Active Directory authentication, so Active Directory users fail.

Resolution: Add the module that handles Active Directory authentication. Whether that is pam_winbind.so, pam_sss.so or some other module depends on how Active Directory is integrated. After adding the needed module, stack the modules so that they produce the required behaviour. You must also change the agent's PAM configuration so that non-SecurID authentications are passed on to the subsequent modules.

This configuration authenticates the SecurID passcode first and then the AD password for challenged users, and only the AD password for unchallenged users. The example assumes that AD integration uses Winbind.

  1. In /etc/sd_pam.conf, set both PAM_IGNORE_SUPPORT_FOR_USERS and PAM_IGNORE_SUPPORT to 1, as shown below:

    #PAM_IGNORE_SUPPORT_FOR_USERS
    #              :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
    #              :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
    # default value is 0
    PAM_IGNORE_SUPPORT_FOR_USERS=1

    #PAM_IGNORE_SUPPORT
    #              :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
    #              :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
    # default value is 0
    PAM_IGNORE_SUPPORT=1

  2. In the PAM file of the protected service (for example, /etc/pam.d/sshd for sshd), change the auth configuration to the following.

    auth    required pam_securid.so not_set_pass
    auth    required pam_winbind.so
    #auth    required pam_sepermit.so
    #auth       substack     password-auth
    #auth       include      postlogin

If you would like SecurID-authenticated users not to be asked for their AD password, this can be achieved with PAM complex control values, as shown below. These advanced control values are not supported on all Linux systems; check your operating system documentation to confirm that they are supported for your version.


auth    [success=done ignore=ignore default=die]  pam_securid.so  not_set_pass
auth    required pam_winbind.so
#auth    required pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin
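The following is an added example, not part of the RSA article or the agent's code: a small Python model of how Linux-PAM walks the two auth stacks above, using constructed return codes for pam_securid.so and pam_winbind.so to show why PAM_IGNORE_SUPPORT=1 and the complex control value behave as described. The semantics of `required` and `[success=done ignore=ignore default=die]` are simplified from Linux-PAM, and the scenario names and return codes are assumptions.

```python
# Added example, not RSA's code: simplified Linux-PAM stack walk; module return codes are constructed.
SUCCESS, IGNORE, AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"
DONE_CTRL = "[success=done ignore=ignore default=die]"

# Stack from step 2 and the complex-control variant.
STACK_REQUIRED = [("required", "pam_securid.so"), ("required", "pam_winbind.so")]
STACK_DONE = [(DONE_CTRL, "pam_securid.so"), ("required", "pam_winbind.so")]

def run_stack(stack, results):
    """Return (outcome, modules_invoked) for a stack of (control, module).
    required:  the result is remembered and the stack continues, so a failing
               module does not reveal itself; PAM_IGNORE sets no result.
    DONE_CTRL: PAM_SUCCESS ends the stack with success, PAM_IGNORE is skipped,
               anything else ends the stack with failure.
    As in Linux-PAM, a stack in which no module set a result fails.
    """
    impression, invoked = None, []
    for control, module in stack:
        rc = results[module]
        invoked.append(module)
        if control == "required":
            if rc == AUTH_ERR:
                impression = "bad"
            elif rc == SUCCESS and impression is None:
                impression = "ok"
        elif control == DONE_CTRL:
            if rc == SUCCESS:
                return "success", invoked
            if rc != IGNORE:
                return "failure", invoked
        else:
            raise ValueError(f"unmodelled control {control!r}")
    return ("success" if impression == "ok" else "failure"), invoked

def scenarios():
    def case(stack, securid_rc, winbind_rc=SUCCESS):
        return run_stack(stack, {"pam_securid.so": securid_rc,
                                 "pam_winbind.so": winbind_rc})
    return {
        # PAM_IGNORE_SUPPORT=0: the agent UNIX-authenticates the AD user and fails
        "ad_user_ignore_support_0": case(STACK_REQUIRED, AUTH_ERR),
        # PAM_IGNORE_SUPPORT=1: the agent returns PAM_IGNORE and winbind decides
        "ad_user_ignore_support_1": case(STACK_REQUIRED, IGNORE),
        # challenged user, both modules 'required': AD password is prompted for too
        "securid_user_required": case(STACK_REQUIRED, SUCCESS),
        # challenged user with success=done: pam_winbind.so never runs
        "securid_user_done": case(STACK_DONE, SUCCESS),
        # wrong passcode with default=die: denied before winbind runs
        "bad_passcode_done": case(STACK_DONE, AUTH_ERR),
    }
```

The `modules_invoked` list is what tells you whether a user will see a second password prompt: a module that is never reached never prompts.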
