000032275 - How to configure the RSA SecurID Authentication Agent 7.1 for PAM to also prompt for the user's Windows Active Directory password with SSH

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032275
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA SecurID Authentication Agent for PAM
RSA Version/Condition: 7.1
Issue: In a customer's use case, a Red Hat 7 server is configured to use Active Directory for user authentication, and then the RSA SecurID Authentication Agent for PAM is installed to protect SSH. After installing the PAM agent, a requirement was added for the user to not enter both the passcode and Windows login credentials.
Many customers have asked RSA support for this configuration information, so this article was written to provide an example.
Tasks:
1.  Have SSH configured with the Authentication Agent for PAM set to authenticate against LDAP or Active Directory.
2.  Add the PAM agent and configure for passcode.
Resolution: The original /etc/pam.d/sshd is shown below. This configuration is useful to those who want both the passcode and Windows Active Directory password to be entered for authentication.
auth      required     pam_securid.so
auth      substack     password-auth
auth      include      postlogin

To prevent the Windows password prompt, edit /etc/pam.d/sshd by changing the following from:
auth      required     pam_securid.so

to:
auth      sufficient   pam_securid.so

This modifies the authentication behavior so Active Directory users are prompted to enter their passcode, but not their Windows password.
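
The effect of the two control flags can be traced with a small model of the auth stack. This is an added example, not RSA's code or part of the original article: it parses the two /etc/pam.d/sshd variants shown above and applies the standard PAM meaning of required and sufficient, including the case where pam_securid.so fails. Assumptions: each include/substack line is treated as a single required step, and module results are constructed values.

```python
# Added example: simplified model of how PAM evaluates the "auth" stack.
# Assumption: each include/substack line counts as one required step.
ORIGINAL = """\
auth      required     pam_securid.so
auth      substack     password-auth
auth      include      postlogin
"""
MODIFIED = """\
auth      sufficient   pam_securid.so
auth      substack     password-auth
auth      include      postlogin
"""
MUST_PASS = {"required", "requisite", "include", "substack"}

def parse_auth(text):
    """Return [(control, module)] for each auth line, ignoring comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(text, outcomes):
    """outcomes maps module -> True/False (constructed results, no real login).
    Returns (granted, modules consulted in order)."""
    failed, succeeded, consulted = False, False, []
    for control, module in parse_auth(text):
        consulted.append(module)
        ok = outcomes.get(module, True)
        if control == "sufficient":
            if ok and not failed:
                return True, consulted   # stack ends: no further prompts
            continue                     # failure ignored, stack continues
        if control not in MUST_PASS:
            raise ValueError("control flag not modelled: " + control)
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                break                    # requisite failure stops at once
    return (succeeded and not failed), consulted

if __name__ == "__main__":
    cases = [("ORIGINAL", ORIGINAL, True), ("MODIFIED", MODIFIED, True),
             ("MODIFIED", MODIFIED, False)]
    for name, cfg, securid_ok in cases:
        result = evaluate(cfg, {"pam_securid.so": securid_ok})
        print(name, "securid_ok=%s" % securid_ok, result)
```

In the third case the failed passcode is ignored and the decision rests on password-auth alone, so check the sufficient form against the site's two-factor requirement before deploying it.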