000031069 - Enable password integration with RSA SecurID Authentication Agent for PAM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000031069
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: RSA-SecurID-Authentication-Agent-for-PAM
RSA Version/Condition: 7.0.2.1, 7.1
Issue: This article provides information on how to:
  • Add the Unix password as an extra layer of security along with the SecurID passcode (PIN + tokencode); or
  • Enable some users to log in with their passwords only, without the SecurID passcode.
Tasks: The following tasks will need to be completed:
  • Configure the pam.d config file that corresponds to the service for which you want to configure SecurID access (e.g., sshd, su, sudo).
  • Configure the SecurID PAM module configuration file (sd_pam.conf).
  • This article assumes that the basic configuration steps for the specific module, as described in the PAM guide (documentation available here), have already been completed.
  • In this article we use editing the SSH service as the example.
Resolution
Scenario 1:  Enable SecurID users in the challenge group to enter a passcode (PIN + tokencode) and then the system password, while users who are not part of the SecurID challenge group enter only their system password
1.  Login to the server on which the PAM agent is installed.
2.  Sudo to root.

sudo su - root

3.  Navigate to /etc/pam.d.

cd /etc/pam.d


4.  Make a copy of the sshd file.

cp ./sshd ./sshd.rsabackup


5.  Using a text editor, edit /etc/pam.d/sshd:

vim /etc/pam.d/sshd


6.  Modify the file so the pam_securid.so and pam_unix.so values are as follows: 

auth    required        pam_securid.so
auth    required        pam_unix.so


7.  Now edit sd_pam.conf to ignore users that are not in the SecurID challenge group:
  • Login to the server on which the PAM agent is installed.
  • Sudo to root.

sudo su - root

  • Navigate to /etc:

cd /etc

8.  Take a backup of the sd_pam.conf file.

cp ./sd_pam.conf ./sd_pam.conf.rsabackup

9.  Edit the sd_pam.conf:
vim /etc/sd_pam.conf

10.  This is where you configure the module to ignore users who are not challenged by SecurID: if, in this same file, you exclude users or groups from SecurID authentication, the SecurID PAM module becomes transparent to them and, given the sshd configuration above, they go directly to the Unix system password challenge only.  To do this, add the following entries to the file with a value of 1 to ignore such users and groups:

PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1


Scenario 2:  Users that are part of the SecurID challenge group are prompted for a passcode; all other users are prompted for their system password or another default authentication method
This method is used when you want users who are part of a SecurID challenge group to be prompted for a passcode, and users not in the challenge group to authenticate with only a system password or whatever the customer has set as the default authentication method other than SecurID.  Note:  This second part is out of this article's scope. The customer configures whichever authentication method they want.

1.  Login to the server on which the PAM agent is installed.
2.  Sudo to root.

sudo su - root

3.  Navigate to /etc/pam.d.

cd /etc/pam.d

4.  Make a copy of the sshd file.

cp ./sshd ./sshd.rsabackup

5. Using a text editor, edit /etc/pam.d/sshd:
vim /etc/pam.d/sshd

6.  Modify the file so the pam_securid.so value is as follows: 
auth    required        pam_securid.so

7.  Navigate to /etc and make a copy of the sd_pam.conf:
cd /etc
cp ./sd_pam.conf ./sd_pam.conf.rsabackup

8.  Open the sd_pam.conf in a text editor:
vim /etc/sd_pam.conf

9.  Edit sd_pam.conf to ignore users not in the SecurID challenge group.  This is where you configure the module to ignore users who are not challenged by SecurID: if, in this same file, you exclude users or groups from SecurID authentication, the SecurID PAM module becomes transparent to them and, given the sshd configuration above, they go directly to the system password challenge (or whatever default method has been configured) only.
  • Edit these settings so that only the listed user(s) are challenged by SecurID and all other users are excluded:
INCL_EXCL_USERS=1
LIST_OF_USERS=<someUser>
PAM_IGNORE_SUPPORT_FOR_USERS=0


  • This will challenge only the specific user(s) listed. After editing these entries, set PAM_IGNORE_SUPPORT_FOR_USERS so that excluded users are NOT ignored; the SecurID PAM module then remains responsible for either SecurID two-factor authentication or passwords. So also make sure the following entry is set:
PAM_IGNORE_SUPPORT_FOR_USERS=0
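As an added example (not RSA's tooling and not part of this article), the shell functions below apply the sd_pam.conf edits from Scenario 1 and Scenario 2 idempotently, so that re-running them never leaves duplicate entries, and check that a pam.d file stacks pam_securid.so before pam_unix.so as Scenario 1 requires. All paths are parameters, and the demo files and the user name "alice" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RSA's tooling: helpers to apply the sd_pam.conf edits
# from Scenario 1 and Scenario 2 idempotently and to check the Scenario 1
# pam.d stack. All paths are parameters so it can be run on copies; the
# demo files and the user name "alice" are constructed for illustration.

# sd_pam_set FILE KEY VALUE: rewrite an existing KEY= line, else append one,
# so repeated runs never leave duplicate entries behind.
sd_pam_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# sd_pam_get FILE KEY: print the effective value (last occurrence wins).
sd_pam_get() {
    grep "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# pam_stack_ok FILE: succeed only if "auth required pam_securid.so" appears
# and is followed later in FILE by "auth required pam_unix.so" (Scenario 1).
pam_stack_ok() {
    awk '$1=="auth" && $2=="required" && $3=="pam_securid.so" { s=NR }
         $1=="auth" && $2=="required" && $3=="pam_unix.so"    { u=NR }
         END { exit !(s && u && s < u) }' "$1"
}

# Demo on constructed copies in a temp dir; never touches /etc.
demo() {
    d=$(mktemp -d)
    printf 'auth    required        pam_securid.so\nauth    required        pam_unix.so\n' > "$d/sshd"
    printf '# constructed sample\nPAM_IGNORE_SUPPORT_FOR_USERS=0\n' > "$d/sd_pam.conf"
    cp "$d/sd_pam.conf" "$d/sd_pam.conf.rsabackup"               # back up before editing
    sd_pam_set "$d/sd_pam.conf" PAM_IGNORE_SUPPORT_FOR_USERS 1   # Scenario 1
    sd_pam_set "$d/sd_pam.conf" INCL_EXCL_USERS 1                # Scenario 2
    sd_pam_set "$d/sd_pam.conf" LIST_OF_USERS alice
    pam_stack_ok "$d/sshd" && echo "sshd stack order OK"
    cat "$d/sd_pam.conf"
    rm -rf "$d"
}
demo
```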


Notes
Notes for Scenario 1:
  • The entry for pam_unix.so performs authentication with the usual Unix password files, /etc/passwd and /etc/shadow.
  • For other flavors of Unix, the name of the pam_*.so file may differ.  An internet search for "<OS> system password pam module" will list other versions.
  • The required control flag means that all required modules in a stack must pass for a successful result. If one or more of the required modules fail, the remaining required modules in the stack are still executed, but the first error is returned.
  • These two lines make a user authenticate with their SecurID passcode and then their Linux system password.
