|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent for PAM
|Issue||When an Active Directory user who is not challenged for a SecurID passcode tries to log in to a Linux system protected by the RSA Authentication Agent for PAM, they are prompted for a password. After entering the password, authentication fails even though the password is correct.|
|Cause||The RSA Authentication Agent for PAM Installation Guide instructs administrators to comment out every other auth module in the protected service and leave pam_securid.so as the only auth module in the stack; the guide's example auth section contains pam_securid.so and nothing else.|
That works for local Linux users, because pam_securid.so can perform both SecurID authentication and local Linux password authentication. It does not work for Active Directory users: pam_securid.so cannot authenticate against Active Directory, so an unchallenged AD user is prompted for a password by pam_securid.so and then rejected, whatever they type.
|Resolution||Add an auth module that can authenticate against Active Directory. Which module that is (pam_winbind.so, pam_sss.so or another) depends on how Active Directory is integrated. Then stack the modules so that the auth section produces the required result, and configure the agent so that pam_securid.so passes unchallenged users through to the next module instead of authenticating them itself. |
The intended stack authenticates the SecurID passcode first and then the AD password for challenged users, and only the AD password for unchallenged users. This example assumes that AD integration uses Winbind.
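The two stacks discussed under Cause and Resolution, as an added example that is not from the RSA guide or from this article: a small POSIX shell script that writes the guide-style stack (pam_securid.so alone), the corrected stack (pam_securid.so followed by pam_winbind.so), sets the agent option that makes pam_securid.so hand unchallenged users to the next module, and checks the result. Assumptions: sshd is the protected service, the host uses a RHEL-style password-auth substack for account and session, and PAM_IGNORE_SUPPORT in /etc/sd_pam.conf is the agent setting that makes pam_securid.so return PAM_IGNORE for unchallenged users (confirm the option name and meaning against the sd_pam.conf shipped with your agent version). PAM_ROOT is an assumed prefix so the script can be dry-run in a scratch directory.

```shell
#!/bin/sh
# Added example (not RSA's own configuration). PAM_ROOT is an assumed prefix
# so the functions can be dry-run, e.g. PAM_ROOT=/tmp/pamtest; leave it
# empty to write the real files under /etc.
PAM_ROOT="${PAM_ROOT:-}"
SSHD_PAM="$PAM_ROOT/etc/pam.d/sshd"
SD_PAM_CONF="$PAM_ROOT/etc/sd_pam.conf"

# The stack as the installation guide shows it: pam_securid.so is the only
# auth module, so it performs the local password check itself for
# unchallenged users. That check cannot succeed for an Active Directory
# account, which is the failure described above.
write_guide_stack() {
    mkdir -p "$(dirname "$SSHD_PAM")"
    cat > "$SSHD_PAM" <<'EOF'
#%PAM-1.0
# auth       substack     password-auth    (commented out per the RSA guide)
auth       required     pam_securid.so
account    include      password-auth
session    include      password-auth
EOF
}

# Corrected stack: pam_securid.so first, pam_winbind.so second. A challenged
# user must pass both (passcode, then AD password). An unchallenged user gets
# PAM_IGNORE from pam_securid.so (see set_pam_ignore), which "required"
# treats as neutral, so pam_winbind.so alone decides the outcome.
write_ad_stack() {
    mkdir -p "$(dirname "$SSHD_PAM")"
    cat > "$SSHD_PAM" <<'EOF'
#%PAM-1.0
auth       required     pam_securid.so
auth       required     pam_winbind.so
account    include      password-auth
session    include      password-auth
EOF
}

# Make pam_securid.so pass unchallenged users through instead of checking a
# local password. PAM_IGNORE_SUPPORT is assumed to be the sd_pam.conf option
# with this meaning; verify against your agent version before relying on it.
set_pam_ignore() {
    mkdir -p "$(dirname "$SD_PAM_CONF")"
    [ -f "$SD_PAM_CONF" ] || : > "$SD_PAM_CONF"
    if grep -q '^PAM_IGNORE_SUPPORT=' "$SD_PAM_CONF"; then
        sed -i 's/^PAM_IGNORE_SUPPORT=.*/PAM_IGNORE_SUPPORT=1/' "$SD_PAM_CONF"
    else
        printf 'PAM_IGNORE_SUPPORT=1\n' >> "$SD_PAM_CONF"
    fi
}

# Sanity check to run (from a session you keep open) before testing logins:
# succeeds only when pam_securid.so precedes pam_winbind.so in the auth
# section and pass-through for unchallenged users is enabled.
check_stack() {
    sec=$(grep -n '^auth.*pam_securid\.so' "$SSHD_PAM" | head -n1 | cut -d: -f1)
    win=$(grep -n '^auth.*pam_winbind\.so' "$SSHD_PAM" | head -n1 | cut -d: -f1)
    [ -n "$sec" ] && [ -n "$win" ] && [ "$sec" -lt "$win" ] || return 1
    grep -q '^PAM_IGNORE_SUPPORT=1$' "$SD_PAM_CONF"
}
```

Typical use is `write_ad_stack; set_pam_ignore; check_stack` on a host where Winbind already authenticates AD users on its own; keep an existing SSH session open while testing, because a mistake in the auth section locks out every new login. If the host uses SSSD instead of Winbind, substitute pam_sss.so for pam_winbind.so in both write_ad_stack and check_stack.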