Install the following modules on the machine prior to installing the Authentication Agent for PAM.
- Install the RSA prerequisites:
- selinux-policy-devel.rpm
- policycoreutils-devel.rpm
sudo yum install selinux-policy-devel*.noarch policycoreutils-devel*
- Create the /opt/rsa directory.
mkdir /opt/rsa
- Create a text file called /opt/rsa/sdopts.rec with the following content:
CLIENT_IP=<IP address of the server on which you are installing the PAM agent>
- Ensure that both the new sdopts.rec file and the sdconf.rec file are owned by root:root and have the permissions of 644 (owner can read/write, group and world read only):
chown root:root /opt/rsa/sdopts.rec
chmod 644 /opt/rsa/sdopts.rec
chown root:root /opt/rsa/sdconf.rec
chmod 600 /opt/rsa/sdconf.rec
- Make a backup copy of the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
- Update the /etc/ssh/sshd_config file to include the following values:
UsePAM yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PubkeyAuthentication no
- Untar the PAM-Agent tarball into any local directory.
tar -xvf <filename>.tar
- Execute the install_pam.sh shell script located in the PAM-Agent directory created by unpacking the tarball. Make sure to supply the correct path to the sdconf.rec file (/opt/rsa); otherwise, you will use the default responses for all questions asked during the install.
/<filename>/install_pam.sh
- Update the /etc/sd_pam.conf file such that the VAR_ACE variable points to the correct location of the sdconf.rec file located in /opt/rsa.
- Update the /etc/pam.d/sshd file as follows:
- Comment out ALL lines containing "auth"
- Add the following line to the bottom of the file:
auth required pam_securid.so
- Restart sshd as root:
service sshd restart
- Test authentication by executing /opt/pam/bin/64bit/acetest.
- Test SSH authentication from a remote host.
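A pre-restart check for the edits made in the steps above, as an added example that is not part of the original procedure or of RSA's agent: it confirms the sshd_config values, that pam_securid.so is the only active auth line, and that VAR_ACE points to /opt/rsa. The function names are hypothetical, and the three files (sshd_config, the PAM sshd file, sd_pam.conf) are passed as arguments so the checks can also be run against copies.

```bash
#!/usr/bin/env bash
# Added example (not RSA code): checks for the files edited in the steps above.
# Function names are hypothetical; file paths are arguments so copies can be tested.

# Print the first active value of an sshd_config keyword (keywords are
# case-insensitive; commented lines never match). Match blocks are not evaluated.
sshd_value() {   # usage: sshd_value FILE KEYWORD
  awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Verify the five sshd_config values the procedure sets.
check_sshd_config() {   # usage: check_sshd_config FILE
  local rc=0 pair key want got
  for pair in UsePAM=yes PasswordAuthentication=no UsePrivilegeSeparation=no \
              ChallengeResponseAuthentication=yes PubkeyAuthentication=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(sshd_value "$1" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2; rc=1
    fi
  done
  return "$rc"
}

# Verify that the only active auth-type line in the PAM file is pam_securid.so.
check_pam_sshd() {   # usage: check_pam_sshd FILE
  local active
  active=$(awk '$1 ~ /^-?auth$/ { print $1, $2, $3 }' "$1")
  [ "$active" = "auth required pam_securid.so" ] && return 0
  echo "FAIL: active auth lines: ${active:-none}" >&2; return 1
}

# Verify that VAR_ACE in sd_pam.conf names the directory holding sdconf.rec.
check_var_ace() {   # usage: check_var_ace FILE DIR
  grep -Eq "^[[:space:]]*VAR_ACE[[:space:]]*=[[:space:]]*$2/?[[:space:]]*$" "$1" && return 0
  echo "FAIL: VAR_ACE does not point to $2" >&2; return 1
}

# With three file arguments, run every check and exit non-zero on any failure.
if [ "$#" -eq 3 ]; then
  rc=0
  check_sshd_config "$1" || rc=1
  check_pam_sshd "$2" || rc=1
  check_var_ace "$3" /opt/rsa || rc=1
  exit "$rc"
fi
```

On the live host, also run sshd -t to validate the configuration syntax before restarting, and keep an existing root session open until the remote SSH test succeeds.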