000026743 - How to stack a Unix authentication followed by SecurID prompt with the RSA Authentication Agent for PAM for SSH and Telnet logins.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Jul 26, 2019
Version 4

Article Content

Article Number: 000026743
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for PAM
RSA Version/Condition:  7, 6, 5
Platform:  Red Hat Enterprise Linux
O/S Version:  32-bit and 64-bit RHEL 6, 5, 4
Issue
This article provides information on how to stack a Unix login prompt with a SecurID passcode prompt for two-factor authentication.
Resolution

Make a backup of the configuration file you are editing before making modifications to any PAM configuration files.



On Linux, the location of the PAM configuration files is /etc/pam.d.

The following sshd file will prompt users who ssh to a Unix machine first for a password, then for a two-factor SecurID authentication:




#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so



If you are not receiving a passcode prompt for the second authentication prompt, check the /etc/ssh/sshd_config file and ensure the ChallengeResponseAuthentication parameter is set to yes, as in the example below:




ChallengeResponseAuthentication yes


If it is not set to yes, make the change and then restart ssh as root:




service sshd restart
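
The check below is an added example, not part of the RSA article or the agent: a Python sketch that verifies an sshd PAM file and sshd_config enforce the stacking described above, including the case where an earlier sufficient rule would let a login skip pam_securid.so. The function names and sample inputs are constructed for illustration, and it assumes simple "keyword value" sshd_config lines with no Match blocks.

```python
import re

# Constructed samples: the article's sshd auth lines, a weakened variant, two sshd_config fragments.
GOOD_PAM = """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
"""
WEAK_PAM = "auth sufficient pam_stack.so service=system-auth\nauth required pam_securid.so\n"
GOOD_SSHD = "#ChallengeResponseAuthentication no\nChallengeResponseAuthentication yes\n"
BAD_SSHD = "ChallengeResponseAuthentication no\n"

# type, control (keyword or [bracketed] form), module, optional arguments
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(pam_text):
    """Return the auth rules in file order as (control, module, args) tuples."""
    rules = []
    for raw in pam_text.splitlines():
        m = AUTH_LINE.match(raw.split("#", 1)[0].strip())
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).strip()))
    return rules

def check_stacking(pam_text, sshd_config_text):
    """Return a list of findings; an empty list means both prompts are enforced."""
    findings = []
    rules = auth_stack(pam_text)
    pos = next((i for i, r in enumerate(rules) if r[1] == "pam_securid.so"), None)
    if pos is None:
        findings.append("pam_securid.so is not in the auth stack")
    else:
        if rules[pos][0] not in ("required", "requisite"):
            findings.append("pam_securid.so is not required")
        before = rules[:pos]
        if not any("system-auth" in r[1] + " " + r[2] for r in before):
            findings.append("no system-auth password step before pam_securid.so")
        findings += [f"{r[1]} is sufficient and can skip pam_securid.so"
                     for r in before if r[0] == "sufficient"]
    # sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
    key = "challengeresponseauthentication"
    values = [f[1].lower() for f in map(str.split, sshd_config_text.splitlines())
              if len(f) >= 2 and f[0].lower() == key]
    if not values or values[0] != "yes":
        findings.append("ChallengeResponseAuthentication is not set to yes")
    return findings

if __name__ == "__main__":
    print(check_stacking(GOOD_PAM, GOOD_SSHD), check_stacking(WEAK_PAM, BAD_SSHD))
```

To audit a live host, pass the contents of /etc/pam.d/sshd and /etc/ssh/sshd_config to check_stacking instead of the samples.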


The following remote file will prompt users who telnet to a Unix machine first for a password, then prompt for a two factor SecurID authentication:


#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_securid.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
Notes
All PAM configuration files on Red Hat Linux are located in /etc/pam.d.

Each protocol (sshd, rlogin, telnet (also known as "remote"), etc.) has its own unique file name.  This differs from Solaris, which uses a single file, /etc/pam.conf, for PAM configuration directives.
Legacy Article ID: a61027