000031069 - Enable Linux password authentication along with RSA Authentication Agent for PAM

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 21, 2020.
Version 3

Article Content

Article Number: 000031069
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM

Issue
This article provides information on how to:
  • Add the Unix password as an extra layer of security along with the passcode (PIN + tokencode); or
  • Enable some users to log in with their passwords only, without the passcode.

Tasks
The following tasks will need to be completed:
  • Configure the pam.d config file that corresponds to the service for which you want to configure SecurID access (e.g., sshd, su, sudo).
  • Configure the SecurID PAM module configuration file (sd_pam.conf).
  • This article assumes that the basic configuration steps included with the RSA SecurID Authentication Agent 8.1 for PAM have already been completed for the specific module.
  • In this article we review editing the SSH service as an example.
Resolution

Scenario 1

Enable SecurID users in the challenge group to enter a passcode (PIN + tokencode) and then the system password, while users who are not part of the SecurID challenge group enter only their system password.

  1. Login to the server on which the RSA Authentication Agent for PAM is installed.
  2. Change to root:

sudo su - root

  3. Navigate to /etc/pam.d:

cd /etc/pam.d

  4. Make a copy of the sshd file:

cp ./sshd ./sshd.rsabackup

  5. Using a text editor, edit /etc/pam.d/sshd:

vim /etc/pam.d/sshd

  6. Modify the file so the pam_securid.so and pam_unix.so entries are as follows:

auth    required        pam_securid.so
auth    required        pam_unix.so

  7. Edit sd_pam.conf so that users who are not in the SecurID challenge group are ignored:
    1. Login to the server on which the PAM agent is installed.
    2. Change to root:

su - root

    3. Navigate to /etc:

cd /etc

    4. Take a backup of the sd_pam.conf file:

cp ./sd_pam.conf ./sd_pam.conf.rsabackup

    5. Edit sd_pam.conf:

vim /etc/sd_pam.conf

    6. This is where you configure the agent to ignore users who are not challenged by SecurID. If a user or group is excluded from SecurID authentication in this file, the SecurID PAM module becomes transparent to them and, with the /etc/pam.d/sshd configuration above, they go directly to the Unix system password prompt only. To do this, add the following entries to the file with a value of 1 to ignore such users and groups:

PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1



Scenario 2


Users who are part of the SecurID challenge group are prompted for a passcode, while all other users are prompted for their system password or another default authentication method.

This approach is used when you want users who are part of a SecurID challenge group to be prompted for a passcode, and users not in the challenge group to authenticate with only a system password or whatever the customer has set as the default authentication method other than SecurID.

Note: Configuring an authentication method other than SecurID is out of this article's scope. The customer is to configure whatever authentication method is required to meet corporate requirements.



  1. Login to the server on which the RSA Authentication Agent for PAM is installed.
  2. Change to root:

sudo su - root

  3. Navigate to /etc/pam.d:

cd /etc/pam.d

  4. Make a copy of the sshd file:

cp ./sshd ./sshd.rsabackup

  5. Using a text editor, edit /etc/pam.d/sshd:

vim /etc/pam.d/sshd

  6. Modify the file so the pam_securid.so entry is as follows:

auth    required        pam_securid.so

  7. Navigate to /etc and make a copy of sd_pam.conf:

cd /etc
cp ./sd_pam.conf ./sd_pam.conf.rsabackup

  8. Open sd_pam.conf in a text editor:

vim /etc/sd_pam.conf

  9. Edit sd_pam.conf to ignore users not in the SecurID challenge group. This is where you configure the agent to ignore users who are not challenged by SecurID: if a user or group is excluded from SecurID authentication in this file, the SecurID PAM module becomes transparent to them and, with the /etc/pam.d/sshd configuration above, they go directly to the Unix system password prompt only.
    1. Edit the settings that include or exclude user(s) from SecurID authentication:

INCL_EXCL_USERS=1
LIST_OF_USERS=<someUser>
PAM_IGNORE_SUPPORT_FOR_USERS=0

  10. With these settings, only the specific user(s) listed are challenged. After editing this entry, configure PAM_IGNORE_SUPPORT_FOR_USERS so that users are NOT ignored; the SecurID PAM module is then responsible for either SecurID two-factor authentication or the system password. To do this, also set the following entry:

PAM_IGNORE_SUPPORT_FOR_USERS=0
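As an added example (not part of the RSA article), the following POSIX shell script reads an sd_pam.conf and a /etc/pam.d/sshd file and reports which prompts a given user will get, covering both Scenario 1 and Scenario 2 above with sample files constructed inline. It assumes that LIST_OF_USERS is colon-separated and that INCL_EXCL_USERS=0 makes the list an exclusion list; neither is stated in the article.

```shell
#!/bin/sh
# Added example, not from the RSA article: predict which prompts a user gets
# for sshd from a given sd_pam.conf and /etc/pam.d/sshd before the change goes live.
# Assumptions not stated in the article: LIST_OF_USERS is colon-separated
# and INCL_EXCL_USERS=0 turns LIST_OF_USERS into an exclusion list.

conf_get() {   # conf_get FILE KEY -> value of KEY=value (last match wins)
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

in_list() {    # in_list USER COLON_SEPARATED_LIST
    case ":$2:" in *":$1:"*) return 0 ;; *) return 1 ;; esac
}

# Prints one of: passcode, passcode+password, password(pam_unix),
# password(pam_securid), none(misconfigured)
predict_auth_path() {   # predict_auth_path USER SD_PAM_CONF PAMD_FILE
    user=$1 conf=$2 pamd=$3
    incl=$(conf_get "$conf" INCL_EXCL_USERS)
    list=$(conf_get "$conf" LIST_OF_USERS)
    ignore=$(conf_get "$conf" PAM_IGNORE_SUPPORT_FOR_USERS)
    unix=0   # a pam_unix.so line in the auth stack means a system-password prompt
    if grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_unix\.so' "$pamd"; then unix=1; fi
    challenged=1
    if [ "$incl" = 1 ]; then
        if ! in_list "$user" "$list"; then challenged=0; fi   # only listed users
    elif [ -n "$list" ]; then
        if in_list "$user" "$list"; then challenged=0; fi     # assumed exclusion list
    fi
    if [ "$challenged" = 1 ]; then
        if [ "$unix" = 1 ]; then echo "passcode+password"; else echo "passcode"; fi
    elif [ "$ignore" = 1 ]; then
        # pam_securid returns ignore; only pam_unix can still prompt
        if [ "$unix" = 1 ]; then echo "password(pam_unix)"; else echo "none(misconfigured)"; fi
    else
        echo "password(pam_securid)"   # pam_securid checks the system password itself
    fi
}

# Constructed sample files mirroring Scenario 1 and Scenario 2 of the article.
TMPD=$(mktemp -d)
printf '%s\n' 'auth    required        pam_securid.so' 'auth    required        pam_unix.so' > "$TMPD/sshd1"
printf '%s\n' 'auth    required        pam_securid.so' > "$TMPD/sshd2"
printf '%s\n' INCL_EXCL_USERS=1 LIST_OF_USERS=alice:bob PAM_IGNORE_SUPPORT_FOR_USERS=1 PAM_IGNORE_SUPPORT=1 > "$TMPD/sd_pam1.conf"
printf '%s\n' INCL_EXCL_USERS=1 LIST_OF_USERS=alice PAM_IGNORE_SUPPORT_FOR_USERS=0 > "$TMPD/sd_pam2.conf"
for u in alice carol; do
    echo "scenario1 $u: $(predict_auth_path "$u" "$TMPD/sd_pam1.conf" "$TMPD/sshd1")"
    echo "scenario2 $u: $(predict_auth_path "$u" "$TMPD/sd_pam2.conf" "$TMPD/sshd2")"
done
```

Pairing the Scenario 1 sd_pam.conf (ignore enabled) with a pam.d file that has no pam_unix.so line yields none(misconfigured): a non-challenged user would have nothing left in the stack to authenticate them.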


Notes

Notes for Scenario 1

  • The entry for pam_unix.so performs authentication against the usual Unix password files, /etc/passwd and /etc/shadow.
  • For other flavors of Unix, the name of the pam_*.so file may differ. An internet search for <OS> system password pam module will list other versions.
  • The required control flag means that all required modules in a stack must pass for a successful result. If one or more required modules fail, the remaining required modules in the stack are still executed, but the first error is returned.
  • The two lines auth required pam_securid.so and auth required pam_unix.so make a user authenticate with their SecurID passcode and then with their Linux system password.
