000015931 - Does RSA PAM Agent support SELinux?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000015931

Applies To:
PAM Agent 6.0
Red Hat
SELinux (Security-Enhanced Linux)
Support for SELinux

Issue:
Does RSA PAM Agent support SELinux?
What can I configure with SELinux?
acetest authentication works
Authentication via SSH or other method fails with RSA

Resolution:
The Agent for PAM was not designed for use with Linux running in an SELinux configuration; it has not been QA'd and is not officially supported with this configuration. The "RSA Authentication Agent 6.0 for PAM Installation and Configuration Guide" (page 17) shows an example of configuring RHEL /etc/pam.d/login. While the default configuration has lines that reference SELinux, this does not imply that the RSA Agent for PAM includes any support for the SELinux configuration.

Contact RSA Support to request an enhancement to the PAM agent if you need full support for SELinux.

Red Hat Linux (all supported versions):
1. Change to /etc/pam.d and open the login file.
The following text is displayed:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
2. Comment out the following lines:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
3. Replace them with the following lines:
auth required pam_securid.so
auth required pam_ldap.so
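
The check below is an added example, not RSA code and not part of the guide. It reads one PAM service file and reports whether pam_securid.so is in the auth stack on a host where SELinux is active (the configuration this article describes as unsupported), and whether the pam_selinux.so close/open rules still sit first and last among the session rules, as the comments in the file require. The function names pam_audit and selinux_mode are hypothetical, and treating both Enforcing and Permissive as "SELinux active" is an assumption.

```shell
#!/bin/sh
# Added example, not RSA code. pam_audit and selinux_mode are hypothetical names.

# selinux_mode: prints Enforcing, Permissive or Disabled, or "unknown" without getenforce
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unknown; fi
}

# pam_audit FILE [MODE]: prints findings; returns 1 for pam_securid.so with SELinux
# active, 2 if FILE is unreadable, else 0. MODE defaults to the live SELinux mode.
pam_audit() {
    file=$1
    mode=${2:-$(selinux_mode)}
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    awk -v mode="$mode" '
        NF == 0 || $1 ~ /^#/ { next }        # blank lines and comments
        {
            type = $1; sub(/^-/, "", type)   # "-type" = stay quiet if module is missing
            i = 2                            # control field, possibly "[a=b c=d]"
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            n = split($(i + 1), path, "/"); mod = path[n]   # strip any directory
            args = ""
            for (j = i + 2; j <= NF; j++) args = args " " $j
            if (type == "auth" && mod == "pam_securid.so") securid = 1
            if (type == "session") {
                nsess++
                if (mod == "pam_selinux.so" && args ~ / close/) close_at = nsess
                if (mod == "pam_selinux.so" && args ~ / open/)  open_at = nsess
            }
        }
        END {
            if (securid) print "INFO pam_securid.so is in the auth stack"
            if (close_at > 1)
                print "WARN pam_selinux.so close is not the first session rule"
            if (open_at && open_at < nsess)
                print "WARN pam_selinux.so open is not the last session rule"
            if (securid && (mode == "Enforcing" || mode == "Permissive")) {
                print "FLAG pam_securid.so with SELinux " mode ": not a supported configuration"
                exit 1
            }
        }
    ' "$file"
}

if [ "$#" -gt 0 ]; then pam_audit "$@"; fi
```

Run it as `sh pam_audit.sh /etc/pam.d/sshd` on the host itself, or pass the mode as a second argument to audit a file copied from another machine.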
Notes

Enhancement Request ID: AAPAM-370

Legacy Article ID: a43512