Applies To
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for PAM
RSA Version/Condition: 8.0
Platform (Other): Red Hat 6.8 (64-bit)
Issue
There is a requirement to apply two-factor authentication to the GNOME screensaver found in the GNOME desktop for Red Hat Enterprise Linux 6.8.
NOTE: After following the installation instructions for a UDP installation (from page 19) and the GDM configuration (page 27) in the RSA Authentication Agent 8.0 for PAM Installation and Configuration Guide for Oracle and RHEL, test that the SecurID PAM module is working using the steps in article 000035465, Testing the RSA Authentication Agent for PAM Module.
Cause
The GNOME screensaver, acting on behalf of the <user>, requires read permission on the /var/ace/lib/64bit/libpamrest.so library and on the node secret file /var/ace/securid.
Resolution
An administrator requires root privileges at the command line of the Red Hat Enterprise Linux 6.8 server and must be familiar with the Linux commands used to navigate the directory structure, change files, and update file and folder permissions.
Using the methodology provided in the RSA Authentication Agent 8.0 for PAM Installation and Configuration Guide for configuring PAM components, /etc/pam.d/gnome-screensaver is updated; the change is shown below in bold. The existing auth lines are commented out with a hash, and a new line for the pam_securid.so library is inserted after the first comment line.
After the change to /etc/pam.d/gnome-screensaver, the <user> will see the GNOME screensaver flicker without prompting for a password or passcode, and /var/log/messages will report an error:
The <user> requires access to the /var/ace/lib/64bit/libpamrest.so library.
Where the <user> does have read access to /var/ace/lib/64bit/libpamrest.so, the <user> is prompted to enter a passcode. After a valid passcode is entered, a ‘Checking’ message appears for a period of time and the <user> is then returned to the passcode prompt. Looking at the real-time authentication activity monitor during the authentication, the message “Node secret mismatch: cleared on the agent but not on server” was seen; however, the RSA Authentication Agent for PAM already had a node secret file (/var/ace/securid) in /var/ace, but with 400 permissions. Changing the permissions of /var/ace/securid to 444 allows the GNOME screensaver, on behalf of the <user>, to read the node secret file, and after successful authentication the <user> was returned to the desktop.
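The three conditions described above (the <user> can read libpamrest.so, the <user> can read /var/ace/securid, and the gnome-screensaver PAM stack references pam_securid.so) can be verified with the following script. It is an added example, not part of the RSA article; the file name check_rsa_agent_perms.sh is assumed, and because the article does not show the exact PAM line, the script only checks for the module name.

```shell
#!/bin/sh
# Added check script (not from the RSA article): verifies the access the article
# says the GNOME screensaver, running as the unprivileged <user>, needs on the
# RSA Authentication Agent 8.0 for PAM files. Default paths are the ones from
# the article; pass your own as arguments. Needs GNU or BSD stat.

# Print the octal mode of a file (e.g. 444); fail if it does not exist.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when the "others" permission triplet includes read (4, 5, 6 or 7).
# Checking the mode rather than 'test -r' matters when run as root.
others_can_read() {
    mode=$(file_mode "$1") || return 1
    others=${mode#"${mode%?}"}            # last octal digit = others
    case "$others" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check the three conditions from the article; return the number of failures.
check_rsa_agent_perms() {
    lib=${1:-/var/ace/lib/64bit/libpamrest.so}
    secret=${2:-/var/ace/securid}
    pamfile=${3:-/etc/pam.d/gnome-screensaver}
    failures=0
    if others_can_read "$lib"; then
        echo "OK   $lib is readable by the screensaver user"
    else
        echo "FAIL $lib not readable by others (symptom: screensaver flickers, no prompt)"
        failures=$((failures + 1))
    fi
    if others_can_read "$secret"; then
        echo "OK   $secret readable, mode $(file_mode "$secret") (node secret is readable by every local account)"
    else
        echo "FAIL $secret not readable by others (symptom: 'Checking', then node secret mismatch)"
        failures=$((failures + 1))
    fi
    if grep -q 'pam_securid\.so' "$pamfile" 2>/dev/null; then
        echo "OK   $pamfile references pam_securid.so"
    else
        echo "FAIL $pamfile does not reference pam_securid.so"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Run against the defaults only when executed as the script itself.
case "${0##*/}" in check_rsa_agent_perms.sh) check_rsa_agent_perms "$@" ;; esac
```

Run it as root after making the changes; a non-zero exit code is the number of conditions still failing.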
Below are the file and folder permissions found to get the GNOME screensaver to work with RSA Authentication Agent 8.0 for PAM:
RSA has not officially published changes to /etc/pam.d/gnome-screensaver for Red Hat Enterprise Linux 6/7 in the RSA Authentication Agent 8.x for PAM Installation and Configuration Guides, so these changes have not gone through the RSA qualification process. Changing the permissions on these two files, and perhaps on the folders they reside in, is at the customer’s own risk.