000035723 - There is no RSA SecurID Authentication Manager PAM agent for Ubuntu Linux

Document created by RSA Customer Support Employee on Nov 23, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035723
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for UNIX/Linux
RSA Version/Condition: PAM agent
Platform: Ubuntu Linux
 
IssueWe need to deploy a dedicated Ubuntu machine, and my question is whether or not I can get RSA 2FA on the Ubuntu machine. Our environment, outside of the one Ubuntu machine, is 100% Windows-domain based, so we are unsure if we can have the one Linux machine enrolled in the SecurID schema. I tried getting the .msi of Authentication Agent 7.3.3 to run inside of Wine, but setup would fail at the end. Also, if it is possible to get it installed and working with our Windows-based RSA server, do I need to enlist the Ubuntu machine in our Windows domain?
TasksThere is no RSA SecurID Authentication Manager agent, PAM or otherwise, for Ubuntu, so options are 
1. Use PAM with RADIUS, or
2. Develop an Ubuntu agent using the REST API
 
ResolutionRSA SecurId PAM agents work on Red Hat, Suse, Solarus, and some older ones worked on HP UX, but nothing for the Debalin family such as Ubuntu.  If you could configure PAM to communicate RADIUS, you could point that to an RSA Auth Manager server, any version really, and authenticate that way.  You would need to add the Ubuntu as a RADIUS Client with the associated agent in the AM security Console.  This would involve two main things;
  1. Figuring out how to configure PAM for RADIUS
  2. Figuring out how to configure Auth Manager to accept authentication requests from a RADIUS client
Option 1 would involve creating a RADIUS client with associated authentication agent in the Authentication Manager Security Console.
 
Option 2 would be to write your own Ubuntu agent using either our Java agent API ver. 8.1 SP3 (I recommend avoiding the ‘newer’ ver. 8.5 or 8.6 TCP agent API) or using our latest REST agent API.  REST is new and now supported on AM ver. 8.2 SP1 and there seems to be a lot more development work going on with this new authentication API. 
https://community.rsa.com/community/products/securid/blog/2017/07/20/guide-to-getting-started-with-the-am-82-sp1-rest-api-test-app
 
NotesThere is an RFE or Request for Enhancement for this, AAPAM-661 - RFE - PAM agent for Ubuntu Linux, but no activity currently from Product Management or Sales to drive this.

Attachments

    Outcomes