000035327 - Configuring RSA Authentication Agent 7.1 for PAM on SELinux

Document created by RSA Customer Support Employee on Jul 5, 2017. Last modified by RSA Customer Support on Nov 9, 2017.
Version 2

Article Content

Article Number: 000035327
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Platform: Linux
 
Issue
An administrator wants to enable SELinux on a machine that runs RSA Authentication Agent 7.1 for PAM. The agent installer builds and loads its own SELinux policy module (rsapolicy.pp) covering pam_securid.so and the /opt/rsa directory, and that build needs the SELinux policy development tools. If those packages are missing when the agent is installed, the policy step fails and the agent does not work once SELinux is enforcing.
 
Cause
The SELinux policy development packages were not installed before the RSA Authentication Agent 7.1 for PAM.
Resolution
Install the following packages on the machine before installing the Authentication Agent for PAM.
  1. Install the RSA prerequisites:
  • selinux-policy-devel (noarch)
  • policycoreutils-devel

sudo yum install selinux-policy-devel*.noarch policycoreutils-devel*

  2. Create the /opt/rsa directory.

mkdir /opt/rsa

  3. Create a text file called /opt/rsa/sdopts.rec with the following content. CLIENT_IP is the address this host is registered with in Authentication Manager; setting it explicitly makes a multi-homed host identify itself consistently to the server.

CLIENT_IP=<IP address of the server on which you are installing the PAM agent>

  4. Ensure that both the new sdopts.rec file and the sdconf.rec file (generated on the Authentication Manager and copied into /opt/rsa) are owned by root:root. sdopts.rec can be world-readable (644: owner can read/write, group and world read only); sdconf.rec carries the Authentication Manager connection details and should be readable by root only (600), as the commands below set:

chown root:root /opt/rsa/sdopts.rec
chmod 644 /opt/rsa/sdopts.rec
chown root:root /opt/rsa/sdconf.rec
chmod 600 /opt/rsa/sdconf.rec


  5. Make a backup copy of the /etc/ssh/sshd_config file:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old

  6. Update the /etc/ssh/sshd_config file to include the following values. Together they force every SSH login through keyboard-interactive PAM, so pam_securid.so alone decides whether a login succeeds (sshd keywords are case-insensitive; note that the public-key keyword is PubkeyAuthentication):

UsePAM yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PubkeyAuthentication no

sshd refuses to start if the file contains an unknown keyword, so run sshd -t before restarting it. UsePrivilegeSeparation is deprecated from OpenSSH 7.5 onward and ignored there; it is honoured by the older OpenSSH releases shipped with RHEL 6 and 7.


  7. Untar the PAM-Agent tarball into any local directory.

tar -xvf <filename>.tar

  8. Execute the install_pam.sh shell script located in the PAM-Agent directory created by unpacking the tarball. When prompted, supply the directory that holds sdconf.rec (/opt/rsa); the installer otherwise assumes its default of /var/ace. The remaining prompts can be accepted with their default responses.

<PAM-Agent directory>/install_pam.sh

  9. Update the /etc/sd_pam.conf file so that the VAR_ACE variable points to the directory containing sdconf.rec, that is /opt/rsa.
  10. Update the /etc/pam.d/sshd file as follows:
    1. Comment out ALL lines of type "auth" (including any line beginning with "-auth"). This removes the system password check from SSH logins; the SecurID passcode replaces it.
    2. Add the following line to the bottom of the file:

auth  required     pam_securid.so

  11. Restart sshd. Keep your current session open until step 13 succeeds, so that a misconfiguration cannot lock you out of the host.
  12. Test authentication by executing /opt/pam/bin/64bit/acetest.
  13. Test SSH authentication from a remote host.
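The host preparation of steps 2 to 6 and the post-install edits of steps 9 to 11, as one shell script. This is an added example, not RSA's installer nor any script from the agent package; the function names, the "pre"/"post" entry points and the scratch-directory parameters are this example's own. Every function takes its target paths as arguments, so the logic can be dry-run in a scratch directory as an unprivileged user; the real system paths are used only when the script is invoked as root with "pre <CLIENT_IP>" (before install_pam.sh) or "post" (after it).

```shell
#!/bin/sh
# Added example, not RSA's installer: the host preparation of steps 2-6 and the
# post-install edits of steps 9-11. Paths are parameters so the logic can be
# dry-run in a scratch directory; the real paths are used only via "pre"/"post".
set -u

# Steps 2-4: /opt/rsa, sdopts.rec carrying CLIENT_IP, root-only sdconf.rec.
prepare_rsa_dir() {
    rsa_dir=$1; client_ip=$2
    mkdir -p "$rsa_dir"
    printf 'CLIENT_IP=%s\n' "$client_ip" > "$rsa_dir/sdopts.rec"
    chmod 644 "$rsa_dir/sdopts.rec"
    # sdconf.rec is generated on Authentication Manager and copied here by hand
    if [ -f "$rsa_dir/sdconf.rec" ]; then chmod 600 "$rsa_dir/sdconf.rec"; fi
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$rsa_dir/sdopts.rec"
        if [ -f "$rsa_dir/sdconf.rec" ]; then chown root:root "$rsa_dir/sdconf.rec"; fi
    fi
}

# Set one sshd_config keyword, dropping any active or commented copy. Keywords are
# case-insensitive, and global settings must precede the first Match block, so the
# new line is written just before it (at the end of the file when there is none).
set_sshd_option() {
    cfg=$1; key=$2; value=$3; tmp="$cfg.tmp.$$"
    awk -v key="$key" -v value="$value" '
        inmatch { print; next }
        tolower($0) ~ ("^[ \t]*#*[ \t]*" tolower(key) "[ \t]") { next }
        tolower($1) == "match" { print key " " value; inmatch = 1 }
        { print }
        END { if (!inmatch) print key " " value }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Steps 5-6: back up sshd_config, then force every login through keyboard-interactive
# PAM. The keyword is PubkeyAuthentication (PublicKeyAuthentication is not one).
configure_sshd() {
    cfg=$1
    cp -p "$cfg" "$cfg.old"
    for kv in 'UsePAM yes' 'PasswordAuthentication no' 'UsePrivilegeSeparation no' \
              'ChallengeResponseAuthentication yes' 'PubkeyAuthentication no'; do
        set_sshd_option "$cfg" "${kv% *}" "${kv#* }"
    done
}

# Step 9: VAR_ACE in sd_pam.conf must name the directory that holds sdconf.rec.
set_var_ace() {
    conf=$1; rsa_dir=$2; tmp="$conf.tmp.$$"
    { grep -v '^VAR_ACE=' "$conf" || true; printf 'VAR_ACE=%s\n' "$rsa_dir"; } > "$tmp" \
        && mv "$tmp" "$conf"
}

# Steps 10-11: comment out every auth line ("-auth" included) and make pam_securid.so
# the only auth module, so the SecurID passcode replaces the system password.
configure_pam_sshd() {
    pamcfg=$1; tmp="$pamcfg.tmp.$$"
    cp -p "$pamcfg" "$pamcfg.old"
    sed 's/^[[:space:]]*-\{0,1\}auth[[:space:]]/#&/' "$pamcfg" > "$tmp"
    printf 'auth  required     pam_securid.so\n' >> "$tmp"
    mv "$tmp" "$pamcfg"
}

pre_install_prep() {       # args: rsa_dir client_ip sshd_config
    prepare_rsa_dir "$1" "$2"
    configure_sshd "$3"
    # an unknown keyword stops sshd from starting, so syntax-check before any restart
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then sshd -t -f "$3"; fi
}

post_install_config() {    # args: sd_pam.conf pam.d/sshd rsa_dir
    if [ -f "$1" ]; then set_var_ace "$1" "$3"; fi
    configure_pam_sshd "$2"
}

# On the agent host, as root:  sh rsa_pam_prep.sh pre 192.0.2.10   (before install_pam.sh)
#                              sh rsa_pam_prep.sh post             (after it, then restart sshd)
case "${1:-}" in
    pre)  pre_install_prep /opt/rsa "${2:?CLIENT_IP required}" /etc/ssh/sshd_config ;;
    post) post_install_config /etc/sd_pam.conf /etc/pam.d/sshd /opt/rsa ;;
esac
```

The awk in set_sshd_option deliberately stops rewriting at the first Match block: a PasswordAuthentication line inside a Match block is a per-user override and must be left alone, while the global settings the agent needs have to appear above it or sshd rejects them. The sshd -t check runs only as root because it needs the host keys; on a dry run you still get the rewritten file to inspect.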
Notes

Below is the output from install_pam.sh from the point at which the EULA is accepted. Note the SELinux errors between the rows of asterisks: the file context for pam_securid.so was rejected because the path conflicts with an equivalence rule, rsapolicy.pp failed to compile because checkmodule found the module declared as "local" rather than rsapolicy, and semodule therefore installed nothing. The installer carries on regardless, so on such a host the agent's SELinux policy is not in place even though the rest of the install completes. Before treating the install as done, confirm whether the rsapolicy module is loaded and how pam_securid.so is labelled, and watch for AVC denials against sshd while testing logins.

Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A
Enter Directory where sdconf.rec is located [/var/ace]/opt/rsa

Please enter the root path for the RSA Authentication Agent for PAM directory [/opt]
The RSA Authentication Agent for PAM 7.1 will be installed in the /opt directory.
pam/
pam/doc/
pam/doc/auth_agent_PAM_RHEL.pdf
pam/doc/auth_agent_PAM_SUSE.pdf
pam/bin/
pam/bin/64bit/
pam/bin/64bit/acestatus
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/32bit/
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/32bit/acetest
pam/lib/
pam/lib/64bit/
pam/lib/64bit/pam_securid.so
pam/lib/32bit/
pam/lib/32bit/pam_securid.so
**********************************************************************
*         Adding label for pam_securid.so                            *
ValueError: File spec /lib64/security//pam_securid.so conflicts with equivalency rule '/lib64 /usr/lib'; Try adding '/usr/lib/security//pam_securid.so' instead
*         Adding label for /opt/rsa directory                        *
*         Creating rsapolicy.pp policy file                          *
Compiling targeted rsapolicy module
/usr/bin/checkmodule:  loading policy configuration from tmp/rsapolicy.tmp
/usr/bin/checkmodule:  Module name local is different than the output base filename rsapolicy
make: *** [tmp/rsapolicy.mod] Error 1
libsemanage.map_file: Unable to open rsapolicy.pp
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file rsapolicy.pp
(No such file or directory).
semodule:  Failed on textrel_shlib_t.pp!
**********************************************************************
Checking /etc/sd_pam.conf:
VAR_ACE does not exist - entry will be appended
RSATRACELEVEL does not exist - entry will be appended
RSATRACEDEST does not exist - entry will be appended
ENABLE_USERS_SUPPORT does not exist - entry will be appended
INCL_EXCL_USERS does not exist - entry will be appended
LIST_OF_USERS does not exist - entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended
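A post-install check for the failure visible in this transcript. This is an added example, not part of the agent package; the function names are this example's own. The first two functions read a saved install transcript and report which SELinux steps failed, and the third, which skips itself on a host without SELinux tools, shows what is actually loaded and labelled on the system.

```shell
#!/bin/sh
# Added example, not RSA's tooling: read an install_pam.sh transcript for the
# SELinux failures shown above, then, where SELinux tooling exists, check what
# actually landed on the host.
set -u

# Print one line per SELinux problem found in the transcript (nothing if it was clean).
install_log_selinux_findings() {
    log=$1
    grep -q 'ValueError: File spec' "$log" && \
        echo "fcontext for pam_securid.so not added: the path conflicts with an equivalence rule"
    grep -q 'Module name local is different' "$log" && \
        echo "rsapolicy.pp not built: checkmodule saw the module declared as 'local', not rsapolicy"
    grep -q 'semodule: *Failed' "$log" && \
        echo "no policy loaded: semodule failed to install the module"
    return 0
}

# Succeeds (exit 0) when the transcript shows the SELinux step failed, fails when it looks clean.
install_log_selinux_failed() {
    [ "$(install_log_selinux_findings "$1" | grep -c .)" -gt 0 ]
}

# Live check: module loaded, label on the PAM library, recent AVC denials naming
# sshd or the agent. The library path is the one the installer tried to label.
live_selinux_check() {
    lib=${1:-/lib64/security/pam_securid.so}
    command -v getenforce >/dev/null 2>&1 || { echo "no SELinux tools; skipping live check"; return 0; }
    echo "SELinux mode: $(getenforce)"
    if semodule -l 2>/dev/null | grep -q '^rsapolicy'; then
        echo "rsapolicy module: loaded"
    else
        echo "rsapolicy module: not loaded"
    fi
    if [ -e "$lib" ]; then ls -Z "$lib"; fi
    if command -v ausearch >/dev/null 2>&1; then
        ausearch -m AVC -ts recent 2>/dev/null | grep -i -e sshd -e pam_securid \
            || echo "no recent AVC denials mentioning sshd or pam_securid"
    fi
    return 0
}

# Usage on the agent host, as root:  sh check_rsa_selinux.sh /path/to/install.log
if [ -n "${1:-}" ]; then
    install_log_selinux_findings "$1"
    install_log_selinux_failed "$1" && echo "agent SELinux policy is NOT installed; fix before relying on it"
    live_selinux_check
fi
```

Capture the installer's output to a file (for example with tee) so the transcript can be checked afterwards; the live check is worth running again after any manual relabelling.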
