000025482 - RSA ACE/Agent for PAM not working with most recent versions of OpenSSH

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000025482

Applies To:
OpenSSH 3.7x and greater
RSA Authentication Agent for PAM
Red Hat Linux 7.3
The compile options given under Resolution change the OpenSSH prompt from password to passcode. OpenSSH 3.6 and lower work with just ./configure --with-pam, but show a password prompt.

Issue:
RSA ACE/Agent for PAM not working with most recent versions of OpenSSH
On a core Red Hat Linux 7.3 installation on which Red Hat update has not been run, OpenSSH compiled with the options given under Resolution terminates the connection immediately after you enter your passcode
OpenSSH displays a password prompt, not a passcode prompt
ssh to a SecurID-protected OpenSSH server hangs after connecting and does not display an authentication prompt
ssh to a SecurID-protected OpenSSH server terminates the connection immediately after authentication

Cause:
Certain options that appeared to be compiled in by default are no longer present.

Resolution:
To correct this issue, run Red Hat update and ensure that the OS is up to the most recent build / versions. Compile OpenSSH with the following options:

    ./configure --with-cflags=-DUSE_POSIX_THREADS --with-libs=-lpthread --with-pam

NOTE: OpenSSH 3.8p1 has a bug that causes the SSH daemon to close connections right after authentication when USE_POSIX_THREADS is defined (regardless of whether SecurID authentication is being used or not). OpenSSH has released a patch that resolves this issue. If you wish to use the RSA ACE/Agent for PAM with OpenSSH 3.8p1, you must apply the following patch before compiling OpenSSH. Otherwise, your SSH server will not allow versions 3.9p1 and newer.

diff -r -c old/auth-pam.c new/auth-pam.c
*** old/auth-pam.c Tue Feb 17 05:20:08 2004
--- new/auth-pam.c Thu Feb 26 23:18:05 2004
*** 201,206 ****
--- 201,207 ----
  debug3("PAM: %s entering", __func__);
  /* Import variables set by do_pam_account */
  sshpam_account_status = buffer_get_int(b);
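Review bot: the added line of this hunk is missing from the text above. The header grows the range from 201,206 to 201,207, so one line is inserted, yet only three context lines are shown (the debug3 call, the comment and the sshpam_account_status assignment) and none carries a `+`. As printed the hunk cannot be applied; take the complete patch as released by OpenSSH rather than reconstructing the missing line by hand.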
*** 228,233 ****
--- 229,235 ----
+ #endif
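Review bot: the `+ #endif` here closes a preprocessor conditional whose opening directive does not appear anywhere in the visible patch, and the context lines for the 228,233 to 229,235 range are absent as well. Confirm against the complete patch which condition guards the block and that the opening directive and this `#endif` bracket the intended statements before compiling; an unmatched `#endif` will fail the build of auth-pam.c.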
Legacy Article ID: a22087