000021254 - PASSCODE authentication with OpenSSH 3.8.1p1 on Solaris

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000021254
Applies To: RSA Authentication Agent for PAM; Sun Solaris 2.9
Issue: PASSCODE authentication with OpenSSH 3.8.1p1 on Solaris
User is prompted for password, not PASSCODE
Cause: Changes in recent versions of OpenSSH cause an existing configuration which previously worked to fail under the newer code. This is not due to any bug or coding error, but simply that the older configuration options are not suitable for the newer version.
Resolution: There are two specific changes which should be made to allow the newer OpenSSH code to use SecurID as an available PAM module.

1. Modify the sshd config file (usually /usr/local/etc/sshd_config) to have the following two parameters:

    PasswordAuthentication no
    ChallengeResponseAuthentication yes

2. Ensure that the /etc/pam.conf file has the following line:

    sshd        auth        required                pam_securid.so

Since changes have been made to the sshd_config file, the SSH daemon should be restarted. Changes to pam.conf do not require a restart, and are always dynamic.
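
The two steps above can be checked on a host with a short script. This is an added example, not part of the original article or of RSA's tooling; the function names and the demo data are constructed. It assumes a POSIX shell, a POSIX awk and mktemp, and whitespace-separated keyword/value pairs, and it goes slightly beyond the steps by catching a stale duplicate keyword earlier in the file.

```shell
#!/bin/sh
# Added example: check the two settings this article calls for.
# Usage: sh check_securid_ssh.sh /usr/local/etc/sshd_config /etc/pam.conf

# Print the first uncommented value of an sshd_config keyword, lowercased.
# sshd keeps the first value it reads for a keyword; keywords are case-insensitive.
sshd_value() {  # $1 = sshd_config path, $2 = keyword
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Succeed if pam.conf has an uncommented "sshd auth required pam_securid.so" entry.
pam_has_securid() {  # $1 = pam.conf path
    awk '
        /^[ \t]*#/ { next }
        $1 == "sshd" && $2 == "auth" && $3 == "required" &&
            $4 ~ /(^|\/)pam_securid\.so/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Run all three checks; the return status is the number of failed checks.
# A keyword that is not set at all counts as a failure, since the article
# asks for both to be present in the file.
check_securid_ssh() {  # $1 = sshd_config path, $2 = pam.conf path
    fails=0
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" ChallengeResponseAuthentication)" = "yes" ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'yes'"; fails=$((fails + 1)); }
    pam_has_securid "$2" ||
        { echo "FAIL: no 'sshd auth required pam_securid.so' line"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: both sshd_config settings and the pam.conf entry are present"
    return "$fails"
}

# Constructed sample: a stale early line overrides the correct one below it.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'passwordauthentication yes' \
        'PasswordAuthentication no' 'ChallengeResponseAuthentication yes' > "$d/sshd_config"
    printf 'sshd\tauth\trequired\tpam_securid.so\n' > "$d/pam.conf"
    rc=0; check_securid_ssh "$d/sshd_config" "$d/pam.conf" || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ $# -eq 2 ]; then check_securid_ssh "$1" "$2"; fi
```

Calling `demo` reports one failure, because the earlier `passwordauthentication yes` line is the value sshd would use.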

For more information, see the solution titled How to debug OpenSSH PAM with SecurID.
Workaround: OpenSSH has been upgraded to version 3.8.1p1
Legacy Article ID: a21817