000031450 - SecurID PAM agent not protecting the gnome-screensaver page on redhat in RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jul 29, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000031450

Applies To: RSA Product Set: SecurID

RSA Product/Service Type: Authentication Manager

RSA Version/Condition: 8.x
 
Issue: Trying to secure gnome-screensaver on a Red Hat 6 machine with the SecurID PAM module. /etc/pam.d/gnome-screensaver was edited to use the pam_securid module as follows:
 
[root@rh64-pam71-1 var]# cat /etc/pam.d/gnome-screensaver
***************************************************************************************
#%PAM-1.0
# Fedora Core
#auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
session    include      system-auth
#auth       include     system-auth
#auth       optional     pam_gnome_keyring.so
auth     required       pam_securid.so
account    include      system-auth
password   include      system-auth
# SuSE/Novell
#auth       include      common-auth
#auth       optional     pam_gnome_keyring.so
#account    include      common-account
#password   include      common-password
#session    include      common-session
***************************************************************************************


On the Red Hat server, the screensaver unlock page does not load the RSA authentication prompt and keeps flashing.
On another Red Hat server the authentication page loads, but when the user enters the correct credentials authentication fails, and the Authentication Activity Monitor on the RSA Authentication Manager server shows a "Node Secret verification" error message.
Cause: The ace directory, which contains the node secret, has restricted permissions. As a result, the node secret cannot be read during authentication via gnome-screensaver.
Resolution: Give the ace directory full read, write and execute permissions for the owner, the group and others.
Example:
# chmod 777 ace
The sdconf.rec and securid (node secret) files both need to be readable by others.
Workaround:

Step 1:

Give the ace directory full read, write and execute permissions:

chmod 777 /var/ace

Step 2:

To give the sdconf.rec and securid (node secret) files the needed permissions, execute the following command:

chmod a+r /var/ace/sdconf.rec /var/ace/securid
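The following script is an added check, not part of this RSA article: it verifies the state the two steps above are meant to produce, namely that the ace directory is searchable by "others" and that sdconf.rec and securid (the node secret) are readable by "others", so that a PAM module invoked from gnome-screensaver can open them. It assumes GNU stat (Linux) and that the agent directory is /var/ace unless another path is given.

```shell
#!/bin/sh
# Added check, not from the RSA article. Reports whether /var/ace (or the
# directory given as first argument) and the files sdconf.rec and securid in it
# carry the "other" permission bits the article says the PAM module needs.
# Assumes GNU stat (Linux).

# Print a path's permission bits as three octal digits (e.g. 755); prints
# nothing when the path does not exist.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null | tail -c 4
}

# other_has PATH BIT: succeed when the "other" class has BIT (4=read, 1=search).
# Leaves the mode in $m so the caller can report it.
other_has() {
    m=$(mode_of "$1")
    [ -n "$m" ] || return 1
    [ $(( (m % 10) & $2 )) -ne 0 ]
}

# check_ace_perms [DIR]: prints one line per check; returns 0 only if all pass.
check_ace_perms() {
    dir=${1:-/var/ace}
    rc=0
    if other_has "$dir" 1; then
        echo "ok   $dir is searchable by others (mode $m)"
    else
        echo "FAIL $dir is not searchable by others (mode ${m:-missing})"
        rc=1
    fi
    for f in sdconf.rec securid; do
        if other_has "$dir/$f" 4; then
            echo "ok   $dir/$f is readable by others (mode $m)"
        else
            echo "FAIL $dir/$f is not readable by others (mode ${m:-missing})"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_ace.sh [/var/ace]
if [ $# -gt 0 ]; then
    check_ace_perms "$1"
fi
```

The check tests only the read and search bits the article names as the requirement, so it also passes on a narrower mode such as 755 on the directory and 644 on the two files.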
