000028047 - PAM Agent for AIX (5.X and 6.X) - Is it possible to configure sudo to use securid

Document created by RSA Customer Support Employee on Jun 15, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000028047

Applies To: AM 7.1 & 6.1
PAM Agent 5.X and 6.X for IBM AIX

Issue: PAM Agent for AIX (5.X and 6.X) - Is it possible to configure sudo to use SecurID?
A tail of messages with the agent in debug mode shows that the PAM module is not being called when sudo is issued:

May 24 13:55:48 rwxe10l5 auth|security:notice sudo:   cindy: TTY=pts/1 ; PWD=/home/cindy ; USER=root ; COMMAND=/usr/bin/su -

Cause: Sudo is not a standard installation program on AIX. It is instead included on the AIX toolkit CD (freeware). The version included on the toolkit CD is not compiled with PAM enabled.

Resolution: Generally, the following procedure can be used. Sudo is freeware, therefore there are no expressed or implied warranties included with this methodology. Please inform customers that this methodology is provided on an "as is" basis. RSA does not do specific qualifications on public domain versions of sudo, therefore direct customers to IBM if they wish to lodge a complaint/RFE about the lack of PAM support in the sudo program bundled with AIX.

To build a PAM-compatible sudo program on AIX (or other Unix platform):

Obtain the latest stable source code for sudo from
http://www.courtesan.com/sudo

For this document sudo-1.7.2p6 was used.

Gunzip and untar the source into /opt/source/sudo, then
cd to /opt/source/sudo/sudo-1.7.2p6.

Compile it as follows, ensuring that the --with-pam switch is used.

bash-3.00# ./configure --with-pam

Then make:
bash-3.00# make

Then make install:
bash-3.00# make install

Add these paths to your existing paths to use sudo:
bash-3.00# PATH=$PATH:/usr/local/bin:/usr/local/sbin:/usr/ccs/bin
bash-3.00# export PATH

Check to ensure your sudo is the newly compiled sudo:

bash-3.00# which sudo
/usr/local/bin/sudo
bash-3.00# sudo -V | grep -i version
Sudo version 1.7.2p6

Update your pam.conf to use sudo with pam_securid.so:

bash-3.00# cat /etc/pam.conf | grep sudo
sudo    auth    required        /usr/lib/security/pam_securid.so
 
Become a test user, and execute a sudo command:
 
bash-3.00# su cindy
bash-3.00$ whoami
cindy
bash-3.00$ sudo vi /etc/hosts
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
Enter PASSCODE:
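
The pam.conf entry from the step above can be checked with a short script before testing with a real user. This is an added example, not part of the RSA article: the function names, exit codes and sample file are assumptions made for illustration, and it only reads the file (it does not confirm that sudo itself was built with PAM).

```shell
#!/bin/sh
# Added example, not RSA's code.
# pam.conf fields: service  type  control  module-path  [options]

# Print "control module-path" for each auth line of SERVICE, in stack order.
pam_auth_stack() {   # usage: pam_auth_stack FILE SERVICE
    awk -v svc="$2" '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments, blank and short lines
        $1 == svc && $2 == "auth" { print $3, $4 }
    ' "$1"
}

# Exit status: 0 = pam_securid.so is required/requisite for sudo
#              1 = no auth entry for sudo
#              2 = sudo has auth entries, none is pam_securid.so
#              3 = pam_securid.so listed with another control flag
check_sudo_securid() {   # usage: check_sudo_securid FILE
    stack=$(pam_auth_stack "$1" sudo)
    if [ -z "$stack" ]; then
        echo "sudo: no auth entry"; return 1
    fi
    # First stack entry whose module path ends in pam_securid.so
    line=$(printf '%s\n' "$stack" |
           awk '$2 ~ /(^|\/)pam_securid\.so$/ { print; exit }')
    if [ -z "$line" ]; then
        echo "sudo: auth stack does not call pam_securid.so"; return 2
    fi
    case "${line%% *}" in
        required|requisite) echo "sudo: ok ($line)"; return 0 ;;
        *) echo "sudo: pam_securid.so is '${line%% *}', not required"; return 3 ;;
    esac
}

# Constructed sample input (not from a real host); the sudo line is the page's entry.
sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
cat > "$sample" <<'EOF'
# service  type  control   module-path
login      auth  required  /usr/lib/security/pam_aix
sudo       auth  required  /usr/lib/security/pam_securid.so
EOF
check_sudo_securid "$sample"
rm -f "$sample"
```

On a real host, run `check_sudo_securid /etc/pam.conf`; a non-zero status means a sudo invocation would not be forced through the SecurID module as configured on this page.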


Legacy Article ID: a51145
