Administrators can download the attached pam_sidtest zip file, which contains two compiled programs, one for Red Hat 7 and one for SUSE 11. Usage:
- Download the pam_sidtest.zip file from this knowledge article.
- Unpack the zip file to extract two pam_sidtest programs (pam_sidtest/64bit/REDHAT/pam_sidtest & pam_sidtest/64bit/SUSE/pam_sidtest).
- Copy the appropriate version of pam_sidtest onto the operating system hosting the RSA Authentication Agent 7.x for PAM software.
NOTE: By default the RSA Authentication Agent for PAM is installed into the /opt/pam folder, so pam_sidtest can be copied into the /opt/pam/bin/64bit folder, which also holds the acestatus, acetest & ns_conv_util applications. Refer to the Troubleshooting section of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for further information on the usage of these applications.
- Create a file called /etc/pam.d/pam_sidtest and add a single line in this file:
auth required pam_securid.so debug
- Create an environment variable called VAR_ACE that points to the folder where the SecurID configuration files are stored.
Example:
VAR_ACE=/var/ace
export VAR_ACE
NOTE: By default the SecurID configuration files (sdconf.rec, sdopts.rec, sdstatus.12 & securid) are located in the /var/ace folder.
- The SecurID PAM module pam_securid.so uses a configuration file called /etc/sd_pam.conf so make sure this file is configured as per RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide.
Example: the following /etc/sd_pam.conf challenges all users except root, and debug logging has been enabled (RSATRACELEVEL & RSATRACEDEST).
#VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go
# default value is /var/ace
VAR_ACE=/var/ace

#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
# :: 0 Disable logging for securid authentication
# :: 1 Logs regular messages for securid authentication
# :: 2 Logs function entry points for securid authentication
# :: 4 Logs function exit points for securid authentication
# :: 8 All logic flow controls use this for securid authentication
# NOTE :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8

#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
# :: If this is not set, by default the logs go to Error output.
RSATRACEDEST=/tmp/PAMdebug.log

#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1

#INCL_EXCL_USERS :: 0 exclude users from securid authentication
# :: 1 include users for securid authentication
# default value is 0
INCL_EXCL_USERS=0

#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=root

#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0

#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0

#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
# :: 0 to never prompt the listed groups for securid authentication (exclude)
# default value is 0
INCL_EXCL_GROUPS=0

#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=

#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=0

#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :

#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :

#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :

#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :

#BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS :: 0 Disable retry UNIX authentication after failed login attempt
# :: 1 Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
# :: 2 Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
# :: 3 Enable retry UNIX authentication after failed login attempt with pow(3, failattempts) sec delay
# :: 4 Enable retry UNIX authentication after failed login attempt with pow(4, failattempts) sec delay
# :: 5/Above Enable retry UNIX authentication after failed login attempt with pow(5/Above, failattempts) sec delay
# :: If no BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS setting is present, then treated as pow(4, failattempts) sec delay
# default value is 4
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
- Use the pam_sidtest program as root to test the RSA Authentication Agent for PAM module.
Examples:

..on SUSE Linux Enterprise Server 11:
suse11sp4:/opt/pam/bin/64bit # ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
suse11sp4:/opt/pam/bin/64bit #

..on Red Hat 7 server:
[root@redhat7 64bit]# ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
[root@redhat7 64bit]#
Should the message 'pam_authenticate() failed with reason [7]: Authentication failure' appear during authentication testing, check the following:
- Valid credentials have been entered at the prompts.
- An authentication agent record exists for the server hosting the RSA Authentication Agent for PAM. Check in the Security Console > Access > Authentication Agents > Manage Existing.
- Use the real-time authentication monitor to check how the authentication manager deployment is processing the authentication (Security Console > Reporting > Real-time Activity Monitors > Authentication Activity Monitor > click Start Monitor button).
- Review the PAM module debug output: the debug option on the pam_securid.so line writes to syslog (/var/log/messages), and when RSATRACEDEST is set in /etc/sd_pam.conf the SecurID trace goes to that file (/tmp/PAMdebug.log in the example above).
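The preparation steps above (the /etc/pam.d/pam_sidtest line, the VAR_ACE folder and its permissions, the user include/exclude settings in /etc/sd_pam.conf) are exactly what pam_sidtest complains about when they are wrong, so they are worth checking before running it and again when the 'Authentication failure' message appears. The script below is an added example, not part of this article or of the RSA Authentication Agent: it takes all paths as parameters, and its demo runs against a constructed copy of the settings shown above rather than the live files. Two points are assumptions not stated on the page and are marked as such in the code: that LIST_OF_USERS entries are separated by ':' or ',' (the article only shows a single user), and the include/exclude semantics are read from the comments in the example sd_pam.conf; group support is not modelled.

```sh
#!/bin/sh
# Pre-flight checks for pam_sidtest. Added example, not part of the RSA article
# or of the Authentication Agent; it only checks the things the article tells
# the administrator to prepare before running pam_sidtest as root:
#   1. /etc/pam.d/pam_sidtest carries "auth required pam_securid.so debug"
#   2. VAR_ACE points at a folder that holds a readable sdconf.rec, mode >= 0644
#   3. /etc/sd_pam.conf user include/exclude settings give the prompt you expect
# Paths are parameters so the functions can run against a constructed copy.

# 1. PAM service file: accepts "pam_securid.so" with or without a path prefix
#    and with or without trailing options such as "debug".
check_pam_service() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+([^[:space:]]*/)?pam_securid\.so([[:space:]]|$)' "$1"
}

# 2. VAR_ACE folder: sdconf.rec must be readable, and the folder mode must
#    include every bit of 0644, which is what pam_sidtest itself warns about.
#    The other files the article lists (sdopts.rec, sdstatus.12, securid) are
#    only reported, not required.
check_var_ace() {
    ace=$1
    [ -d "$ace" ] || { echo "VAR_ACE folder $ace not found" >&2; return 1; }
    [ -r "$ace/sdconf.rec" ] || { echo "no readable sdconf.rec in $ace" >&2; return 1; }
    mode=$(stat -c '%a' "$ace" 2>/dev/null || stat -f '%Lp' "$ace")
    [ $(( 0$mode & 0644 )) -eq $(( 0644 )) ] || { echo "$ace mode $mode is below 0644" >&2; return 1; }
    for f in sdopts.rec sdstatus.12 securid; do
        [ -e "$ace/$f" ] || echo "note: $ace/$f not present" >&2
    done
}

# 3. Read KEY=value from sd_pam.conf; '#' comment lines are skipped and the
#    last occurrence wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Decide whether USER would be asked for a PASSCODE under the user-support
# settings (ENABLE_USERS_SUPPORT, INCL_EXCL_USERS, LIST_OF_USERS), following
# the comments in the example sd_pam.conf. Prints "challenged" or "excluded"
# and returns 0 or 1. Group support is not modelled.
# Assumption not stated on the page: LIST_OF_USERS entries are separated by
# ':' or ','; the article only shows a single user (root).
securid_decision() {
    conf=$1; user=$2
    listed=1
    if conf_get "$conf" LIST_OF_USERS | tr ':,' '\n\n' | grep -qxF -- "$user"; then
        listed=0
    fi
    if [ "$(conf_get "$conf" ENABLE_USERS_SUPPORT)" != 1 ]; then
        echo challenged; return 0          # user support off: everyone is challenged
    fi
    if [ "$(conf_get "$conf" INCL_EXCL_USERS)" = 1 ]; then
        [ $listed -eq 0 ] && { echo challenged; return 0; }   # include mode: listed users only
        echo excluded; return 1
    fi
    [ $listed -eq 0 ] && { echo excluded; return 1; }         # exclude mode (default): listed users bypass SecurID
    echo challenged; return 0
}

# Constructed fixture (not real agent files): the settings from the article's
# example sd_pam.conf that matter here, a pam_sidtest service file and an
# empty placeholder sdconf.rec.
make_demo_fixture() {
    d=$1
    mkdir -p "$d/ace" "$d/pam.d" && chmod 755 "$d/ace"
    : > "$d/ace/sdconf.rec"
    echo 'auth required pam_securid.so debug' > "$d/pam.d/pam_sidtest"
    cat > "$d/sd_pam.conf" <<'EOF'
# trimmed copy of the article's example, constructed for this demo
VAR_ACE=/var/ace
RSATRACELEVEL=8
RSATRACEDEST=/tmp/PAMdebug.log
ENABLE_USERS_SUPPORT=1
INCL_EXCL_USERS=0
LIST_OF_USERS=root
ENABLE_GROUP_SUPPORT=0
EOF
}

# Demo: build the fixture, run the checks, say who gets a PASSCODE prompt and
# where the SecurID trace will be written.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_demo_fixture "$tmp"
check_pam_service "$tmp/pam.d/pam_sidtest" && echo "pam.d file OK"
check_var_ace "$tmp/ace" && echo "VAR_ACE folder OK"
for u in root rsatest; do
    printf '%s: %s\n' "$u" "$(securid_decision "$tmp/sd_pam.conf" "$u")"
done
echo "trace file: $(conf_get "$tmp/sd_pam.conf" RSATRACEDEST)"
```

Against a live host, run the same functions on the real paths as root: check_pam_service /etc/pam.d/pam_sidtest, check_var_ace "${VAR_ACE:-/var/ace}", and securid_decision /etc/sd_pam.conf rsatest. If securid_decision reports "excluded" for the test account, pam_securid.so will fall through to UNIX authentication (or return PAM_IGNORE, depending on PAM_IGNORE_SUPPORT_FOR_USERS) and a PASSCODE prompt will never appear, which is easy to mistake for an agent fault.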