000026743 - Securid PAM Agent for Linux: Two examples (sshd and telnet) that demonstrate how to stack a unix authentication with SecurID two factor authentication

The following sshd will prompt users who ssh to a unix machine first for a password, then prompt for a two factor SecurID auth:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

NOTE: If you are not receiving a PASSCODE prompt for the second authentication prompt, you will need to check /etc/ssh/sshd_config and insure the ChallengeResponseAuthentication parameter is set to yes, i.e. 

ChallengeResponseAuthentication yes

If it is not set to yes, perform the change and then restart ssh as root:

    service sshd restart

The following remote file will prompt users who telnet to a unix machine first for a password, then prompt for a two factor SecurID auth:

#%PAM-1.0
auth          required     pam_securetty.so
auth          required     pam_stack.so service=system-auth
auth          required     pam_nologin.so
auth          required     pam_securid.so
account     required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open