000026743 - SecurID PAM Agent for Linux: Two examples (sshd and telnet) that demonstrate how to stack Unix authentication with SecurID two-factor authentication

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3


Article Number: 000026743
Applies To: RSA SecurID agent for Linux (agent versions 5, 6 and 7)
RHEL 4, 5 and 6, 32-bit or 64-bit OS versions
Issue: SecurID PAM Agent for Linux: how to stack a Unix login prompt with a SecurID password prompt
There are few references in the documentation on how to correctly stack two modules for authentication via the PAM agent.
Resolution: On Linux, the PAM configuration files are located in /etc/pam.d.

The following /etc/pam.d/sshd file will prompt users who ssh to a Unix machine first for a password, then for a two-factor SecurID authentication:


#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so


NOTE: If you are not receiving a PASSCODE prompt at the second authentication prompt, check /etc/ssh/sshd_config and ensure the ChallengeResponseAuthentication parameter is set to yes, i.e.


ChallengeResponseAuthentication yes


If it is not set to yes, make the change and then restart sshd as root:


    service sshd restart
The following /etc/pam.d/remote file will prompt users who telnet to a Unix machine first for a password, then for a two-factor SecurID authentication:


#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_securid.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open

Notes: All PAM configuration files on RHEL are located in /etc/pam.d. Each protocol (sshd, telnet (known to PAM by its configuration file name, "remote"), rlogin, etc.) has its own file. This differs from Solaris, which uses a single file, /etc/pam.conf, for PAM configuration directives.
As a best practice, always make a backup of a PAM configuration file before modifying it.
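The following script is an added example and is not part of the RSA article or the SecurID agent; it checks the three things the Resolution and Notes sections above ask for: that a PAM service file runs the Unix password step before pam_securid.so (accepting pam_stack.so as in the article, pam_unix.so, or "auth include system-auth" on releases without pam_stack), that sshd_config explicitly sets ChallengeResponseAuthentication yes, and that a backup copy is taken before a file is edited. The function names and the sample PAM and sshd_config files are constructed for the demonstration; on a real host the inputs would be /etc/pam.d/<service> and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the RSA article: sanity-check a PAM service
# file for the "unix password first, SecurID PASSCODE second" stacking the
# article shows, and check sshd_config for ChallengeResponseAuthentication.
# The sample files below are constructed for the demo; on a real host the
# inputs are /etc/pam.d/<service> and /etc/ssh/sshd_config.

# Print, in order, the third field of each "auth" line whose control is
# required, include or substack, ignoring comments and blank lines. That is
# the module name (pam_x.so) or, for include/substack, the included service.
pam_auth_modules() {
    sed -e 's/#.*//' "$1" | awk '
        $1 == "auth" && ($2 == "required" || $2 == "include" || $2 == "substack") { print $3 }'
}

# Succeed when the unix-password step (pam_stack.so service=system-auth as in
# the article, pam_unix.so, or "include system-auth" on releases without
# pam_stack) comes BEFORE pam_securid.so, so the user is asked for the
# password first and the PASSCODE second.
pam_stack_ok() {
    mods=$(pam_auth_modules "$1")
    pos_unix=$(printf '%s\n' "$mods" | grep -n -E '^(pam_stack\.so|pam_unix\.so|system-auth)$' | head -n 1 | cut -d: -f1)
    pos_sid=$(printf '%s\n' "$mods" | grep -n '^pam_securid\.so$' | head -n 1 | cut -d: -f1)
    [ -n "$pos_unix" ] && [ -n "$pos_sid" ] && [ "$pos_unix" -lt "$pos_sid" ]
}

# Succeed when sshd_config explicitly sets ChallengeResponseAuthentication yes.
# sshd uses the FIRST occurrence of a keyword, so that is the one inspected;
# the article asks for an explicit "yes", so a missing directive fails here.
challenge_response_enabled() {
    val=$(sed -e 's/#.*//' "$1" | awk '
        tolower($1) == "challengeresponseauthentication" && v == "" { v = tolower($2) }
        END { print v }')
    [ "$val" = "yes" ]
}

# Copy a file aside before editing it, as the article's Notes recommend,
# and print the backup path so the caller can verify it.
backup_pam_file() {
    dst="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$dst" && printf '%s\n' "$dst"
}

# ---- constructed sample inputs (not real host files) ----
DEMO_DIR=$(mktemp -d)

# The article's /etc/pam.d/sshd auth stack: password via system-auth, then SecurID.
SSHD_GOOD="$DEMO_DIR/sshd.good"
cat > "$SSHD_GOOD" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
EOF

# Same idea written with "include", for releases that dropped pam_stack.so.
SSHD_INCLUDE="$DEMO_DIR/sshd.include"
printf '#%%PAM-1.0\nauth include system-auth\nauth required pam_securid.so\n' > "$SSHD_INCLUDE"

# Misconfigured: pam_securid.so commented out, so only the password is asked.
SSHD_BAD="$DEMO_DIR/sshd.bad"
cat > "$SSHD_BAD" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
#auth      required     pam_securid.so
auth       required     pam_nologin.so
EOF

SSHD_CONFIG_YES="$DEMO_DIR/sshd_config.yes"
printf 'Port 22\nChallengeResponseAuthentication yes\n' > "$SSHD_CONFIG_YES"
SSHD_CONFIG_NO="$DEMO_DIR/sshd_config.no"
printf 'Port 22\n#ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\n' > "$SSHD_CONFIG_NO"

# ---- demo run ----
for f in "$SSHD_GOOD" "$SSHD_INCLUDE" "$SSHD_BAD"; do
    if pam_stack_ok "$f"; then echo "$f: password then SecurID stack OK"
    else echo "$f: SecurID is NOT stacked after the unix password"; fi
done
for f in "$SSHD_CONFIG_YES" "$SSHD_CONFIG_NO"; do
    if challenge_response_enabled "$f"; then echo "$f: PASSCODE prompt can be relayed"
    else echo "$f: set ChallengeResponseAuthentication yes and restart sshd"; fi
done
```

Only "required", "include" and "substack" auth lines are inspected, because a pam_securid.so line marked "sufficient" or "optional" would not force the second factor on every login; run the functions against the real files with `pam_stack_ok /etc/pam.d/sshd` and `challenge_response_enabled /etc/ssh/sshd_config` after taking a backup with `backup_pam_file`.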
Legacy Article ID: a61027
