000035465 - Testing the RSA Authentication Agent for PAM Module

Document created by RSA Customer Support Employee on Sep 11, 2017. Last modified by RSA Customer Support Employee on Sep 11, 2017.
Version 2

Article Content

Article Number: 000035465
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for PAM
RSA Version/Condition: 7.1
Platform: Linux
Platform (Other): Red Hat 7 (64-bit) / SUSE 11 (64-bit)
Issue: The RSA Authentication Agent 7.1 for PAM module does not authenticate users, although the acetest program authenticates the same users successfully. Because acetest talks to RSA Authentication Manager directly, a working acetest and a failing login point at the PAM layer (the pam_securid.so module, its /etc/sd_pam.conf settings or the PAM service stack) rather than at the agent record or network path.
Resolution: Administrators can download the attached pam_sidtest.zip file, which contains two compiled programs, one for Red Hat 7 and one for SUSE 11 (both 64-bit). pam_sidtest exercises pam_securid.so through the PAM API exactly as a login service would, so it isolates the module from the rest of the login stack.
Usage:
  1. Download the pam_sidtest.zip file from this knowledge article.
  2. Unpack the zip file to extract two pam_sidtest programs (pam_sidtest/64bit/REDHAT/pam_sidtest & pam_sidtest/64bit/SUSE/pam_sidtest).
  3. Copy the appropriate version of pam_sidtest onto the operating system hosting the RSA Authentication Agent 7.x for PAM software.
NOTE: by default the RSA Authentication Agent for PAM is installed under /opt/pam, so pam_sidtest can be copied into /opt/pam/bin/64bit alongside the acestatus, acetest and ns_conv_util utilities. Refer to the Troubleshooting section of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for further information on the usage of these utilities.

  4. Create a file called /etc/pam.d/pam_sidtest and add a single line to this file:


auth required pam_securid.so debug


  5. Create an environment variable called VAR_ACE that points to the folder where the SecurID configuration files are stored.
Example:



VAR_ACE=/var/ace
export VAR_ACE

NOTE: By default the SecurID configuration files (sdconf.rec, sdopts.rec, sdstatus.12 and securid) are located in the /var/ace folder.

  6. The SecurID PAM module pam_securid.so reads its configuration from /etc/sd_pam.conf, so make sure this file is configured as described in the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide.
Example: the following /etc/sd_pam.conf challenges every user except root for a SecurID passcode and has tracing enabled (RSATRACELEVEL and RSATRACEDEST). Set RSATRACELEVEL back to 0 and delete the trace file once testing is complete: at level 8 the module logs all logic-flow controls of each authentication into a world-readable location.



#VAR_ACE ::  the location where the sdconf.rec, sdstatus.12 and securid files will go
# default value is /var/ace
VAR_ACE=/var/ace
#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
#                   :: 0 Disable logging for securid authentication
#                   :: 1 Logs regular messages for securid authentication
#                   :: 2 Logs function entry points for securid authentication
#                   :: 4 Logs function exit points for securid authentication
#                   :: 8 All logic flow controls use this for securid authentication
# NOTE              :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8
#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
#                   :: If this is not set, by default the logs go to Error output.
RSATRACEDEST=/tmp/PAMdebug.log
#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
#INCL_EXCL_USERS :: 0 exclude users from securid authentication
#                   :: 1 include users for  securid authentication
# default value is 0
INCL_EXCL_USERS=0
#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=root
#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0
#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0
#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
#                 :: 0 to never prompt the listed groups for securid authentication (exclude)
# default value is 0
INCL_EXCL_GROUPS=0
#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=
#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=0
#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :
#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :
#BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS :: 0  Disable retry UNIX authentication after failed login attempt
#                   :: 1  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 2  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 3  Enable retry UNIX authentication after failed login attempt with pow(3, failattempts) sec delay
#                   :: 4  Enable retry UNIX authentication after failed login attempt with pow(4, failattempts) sec delay
#                   :: 5/Above  Enable retry UNIX authentication after failed login attempt with pow(5/Above, failattempts) sec delay
#                   :: If no BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS setting is present, then  treated as pow(4, failattempts) sec delay
# default value is 4
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
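
The user and group inclusion/exclusion keys above decide which accounts ever reach the SecurID prompt, and a wrong combination is a common reason a login "does not authenticate" while acetest works. The following script is an added example, not RSA's code and not part of the agent: it reads an sd_pam.conf and reports, for a given account, whether pam_securid.so would challenge it, let it fall through to UNIX authentication, or return PAM_IGNORE. It assumes (the article does not say) that LIST_OF_USERS and LIST_OF_GROUPS are whitespace- or comma-separated and that, when both user and group support are enabled, the user list is evaluated before the group list. The sample configuration it writes is constructed from the example above.

```shell
#!/bin/sh
# Added example (not RSA's code): evaluate the user/group inclusion-exclusion
# settings of an sd_pam.conf for a given account and report whether that
# account would be challenged for a SecurID passcode, fall through to UNIX
# password authentication, or receive PAM_IGNORE.
# Assumptions not confirmed by the article: LIST_OF_USERS and LIST_OF_GROUPS
# are whitespace- or comma-separated, and when user and group support are both
# enabled the user list is evaluated before the group list.

# conf_get KEY FILE : print the value of the first KEY=value line (comment
# lines start with '#' and therefore never match the anchored pattern)
conf_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# list_has ITEM LIST : succeed if ITEM is one of the tokens in LIST
list_has() {
    for tok in $(printf '%s\n' "$2" | tr ',' ' '); do
        [ "$tok" = "$1" ] && return 0
    done
    return 1
}

# excluded_verdict IGNOREFLAG : fate of an account the module skips
excluded_verdict() {
    [ "$1" = 1 ] && echo ignore || echo unix
}

# securid_decision USER "GROUP GROUP..." CONF : prints securid, unix or ignore
securid_decision() {
    user=$1 groups=$2 conf=$3

    if [ "$(conf_get ENABLE_USERS_SUPPORT "$conf")" = 1 ]; then
        listed=0
        list_has "$user" "$(conf_get LIST_OF_USERS "$conf")" && listed=1
        incl=$(conf_get INCL_EXCL_USERS "$conf"); incl=${incl:-0}
        # INCL_EXCL_USERS=0: listed users are exempt; =1: only listed users are
        # challenged. Either way the account is skipped when listed-ness and
        # mode disagree.
        if [ "$listed" != "$incl" ]; then
            excluded_verdict "$(conf_get PAM_IGNORE_SUPPORT_FOR_USERS "$conf")"
            return 0
        fi
    fi

    if [ "$(conf_get ENABLE_GROUP_SUPPORT "$conf")" = 1 ]; then
        member=0
        glist=$(conf_get LIST_OF_GROUPS "$conf")
        for g in $groups; do
            list_has "$g" "$glist" && member=1
        done
        incl=$(conf_get INCL_EXCL_GROUPS "$conf"); incl=${incl:-0}
        if [ "$member" != "$incl" ]; then
            excluded_verdict "$(conf_get PAM_IGNORE_SUPPORT "$conf")"
            return 0
        fi
    fi

    echo securid
}

# write_sample_conf FILE : constructed sd_pam.conf fragment mirroring the
# article's example (everyone challenged except root, who gets UNIX auth)
write_sample_conf() {
    cat > "$1" <<'EOF'
VAR_ACE=/var/ace
ENABLE_USERS_SUPPORT=1
INCL_EXCL_USERS=0
LIST_OF_USERS=root
PAM_IGNORE_SUPPORT_FOR_USERS=0
ENABLE_GROUP_SUPPORT=0
INCL_EXCL_GROUPS=0
LIST_OF_GROUPS=
PAM_IGNORE_SUPPORT=0
EOF
}

# Usage: sh sd_pam_decision.sh demo          (built-in constructed sample)
#        sh sd_pam_decision.sh USER [CONF]   (real account; CONF defaults to /etc/sd_pam.conf)
case "${1:-}" in
    "") ;;
    demo)
        tmp=$(mktemp); write_sample_conf "$tmp"
        for u in root rsatest; do
            printf '%s -> %s\n' "$u" "$(securid_decision "$u" "$u" "$tmp")"
        done
        rm -f "$tmp" ;;
    *)
        securid_decision "$1" "$(id -Gn "$1" 2>/dev/null)" "${2:-/etc/sd_pam.conf}" ;;
esac
```

Run it with `demo` to see the article's configuration applied to root and rsatest, or with a real account name to check a production /etc/sd_pam.conf before testing with pam_sidtest; a verdict of `unix` or `ignore` for the account you are testing means the module was never asked for a passcode, which looks the same as "not authenticating" from the login prompt.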


  7. Run the pam_sidtest program as root to test the RSA Authentication Agent for PAM module.
Examples:

On SUSE Linux Enterprise Server 11:
suse11sp4:/opt/pam/bin/64bit # ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
        auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
suse11sp4:/opt/pam/bin/64bit #


On a Red Hat 7 server:
[root@redhat7 64bit]# ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
        auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
[root@redhat7 64bit]#
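
Steps 4 to 7 are easy to get subtly wrong (a stale /etc/pam.d/pam_sidtest, VAR_ACE exported in one shell but not the one running the test, a VAR_ACE in /etc/sd_pam.conf that disagrees with the environment). The script below is an added example, not part of RSA's agent or of this article, that wraps those steps in checks which fail loudly before pam_sidtest is run. It assumes the article's default paths: /opt/pam/bin/64bit for the binaries, /var/ace for sdconf.rec and /etc/sd_pam.conf for the module configuration. Whether pam_sidtest returns a meaningful exit status is not stated in the article; the script simply passes the status through.

```shell
#!/bin/sh
# Added example (not RSA's code): pre-flight checks for the article's test
# procedure, then run pam_sidtest as root. Paths are the article's defaults
# and can be overridden through the environment.
PAM_SERVICE_FILE=${PAM_SERVICE_FILE:-/etc/pam.d/pam_sidtest}
SD_PAM_CONF=${SD_PAM_CONF:-/etc/sd_pam.conf}
AGENT_BIN_DIR=${AGENT_BIN_DIR:-/opt/pam/bin/64bit}

# write_pam_sidtest_service FILE : create the one-line PAM service stack that
# pam_sidtest authenticates against (step 4). Refuses to overwrite an existing
# file with different content so a customised stack is not silently replaced.
write_pam_sidtest_service() {
    f=$1
    want='auth required pam_securid.so debug'
    if [ -e "$f" ] && [ "$(cat "$f")" != "$want" ]; then
        echo "refusing to overwrite $f: it does not contain the expected single line" >&2
        return 1
    fi
    printf '%s\n' "$want" > "$f"
}

# check_ace_dir DIR : verify the VAR_ACE directory (step 5). The module reads
# sdconf.rec from here; sdstatus.12 and the node secret file 'securid' are
# written here after the first successful authentication.
check_ace_dir() {
    d=$1
    [ -d "$d" ] || { echo "VAR_ACE directory $d does not exist" >&2; return 1; }
    [ -r "$d/sdconf.rec" ] || { echo "$d/sdconf.rec is missing or unreadable" >&2; return 1; }
    # sdconf.rec is a binary record; a zero-length file is a sure sign of a bad copy
    [ -s "$d/sdconf.rec" ] || { echo "$d/sdconf.rec is empty" >&2; return 1; }
    return 0
}

# check_sd_pam_conf FILE ACEDIR : VAR_ACE in the module configuration must
# agree with the exported VAR_ACE, otherwise the module and the test program
# look in different places (step 6).
check_sd_pam_conf() {
    f=$1 acedir=$2
    [ -r "$f" ] || { echo "$f is missing or unreadable" >&2; return 1; }
    conf_ace=$(sed -n 's/^VAR_ACE=//p' "$f" | head -n 1)
    if [ -n "$conf_ace" ] && [ "$conf_ace" != "$acedir" ]; then
        echo "VAR_ACE in $f ($conf_ace) differs from the environment ($acedir)" >&2
        return 1
    fi
    return 0
}

# run_pam_sidtest BINDIR : run the test program as root (step 7) and pass
# its exit status through. Trace output goes wherever RSATRACEDEST points.
run_pam_sidtest() {
    bin=$1/pam_sidtest
    [ -x "$bin" ] || { echo "$bin not found or not executable" >&2; return 1; }
    [ "$(id -u)" = 0 ] || { echo "pam_sidtest must be run as root" >&2; return 1; }
    "$bin"
}

main() {
    VAR_ACE=${VAR_ACE:-/var/ace}
    export VAR_ACE
    write_pam_sidtest_service "$PAM_SERVICE_FILE" || exit 1
    check_ace_dir "$VAR_ACE" || exit 1
    check_sd_pam_conf "$SD_PAM_CONF" "$VAR_ACE" || exit 1
    run_pam_sidtest "$AGENT_BIN_DIR"
}

# Usage: sh check_pam_sidtest.sh run    (as root, on the agent host)
if [ "${1:-}" = run ]; then
    main
fi
```

Each check prints the specific mismatch it found, so the first failing line tells you which of the article's steps to revisit before reading the trace log.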



Should the message 'pam_authenticate() failed with reason [7]: Authentication failure' (PAM return code 7 is PAM_AUTH_ERR) appear during authentication testing, check the following:

  • Valid credentials have been entered at the prompts.
  • An authentication agent record exists for the server hosting the RSA Authentication Agent for PAM. Check in the Security Console > Access > Authentication Agents > Manage Existing.
  • Use the real-time authentication monitor to check how the Authentication Manager deployment is processing the authentication (Security Console > Reporting > Real-time Activity Monitors > Authentication Activity Monitor > click the Start Monitor button). If no attempt is shown there, the request never left the agent host.
  • Review the PAM module debug output. The debug option on the pam_securid.so line logs through syslog to /var/log/messages, and the RSATRACELEVEL trace from /etc/sd_pam.conf goes to the file named by RSATRACEDEST (/tmp/PAMdebug.log in the example above), or to standard error if RSATRACEDEST is not set.
Notes: RSA Authentication Agent for PAM documentation, technical specifications and links to the software can be found at https://community.rsa.com/community/products/securid/authentication-agent-pam
