Applying two-factor authentication with the RSA Authentication Agent for PAM to the GNOME screensaver found in the GNOME desktop for Red Hat Linux Enterprise 6.8
Originally Published: 2015-10-08
Article Number
Applies To
RSA Product/Service Type: RSA Authentication Agent for PAM
RSA Version/Condition: 8.0, 8.1
Platform: Linux
Platform (Other): Red Hat 6.8 (64-bit)
Issue
There is a requirement to apply two-factor authentication to the GNOME screensaver found in the GNOME desktop for Red Hat Linux Enterprise 6.8.
===================================================================================================================
NOTE: After following the installation instructions for a UDP (from page 19) and GDM configuration (page 27) from the RSA Authentication Agent 8.0 for PAM Installation and Configuration Guide for Oracle and RHEL please test to confirm that the SecurID PAM module is working using the steps in article Testing the RSA Authentication Agent for PAM Module
===================================================================================================================
Cause
Resolution
Using the methodology provided in the RSA Authentication Agent 8.0 for PAM Installation and Configuration Guide for configuring PAM components the /etc/pam.d/gnome-screensaver is updated and the change is shown below in bold. Existing auth lines are commented out with a hash and a new line for the pam_securid, so library is inserted after the first comment line.
[root@rhel68 ~]# cat /etc/pam.d/gnome-screensaver #%PAM-1.0 auth required pam_securid.so # Fedora Core #auth [success=done ignore=ignore default=bad] pam_selinux_permit.so session include system-auth #auth include system-auth #auth optional pam_gnome_keyring.so account include system-auth password include system-auth # SuSE/Novell #auth include common-auth #auth optional pam_gnome_keyring.so #account include common-account #password include common-password #session include common-session [root@rhel68 ~]#After the change to /etc/pam.d/gnome-screensaver the <user> will see the GNOME screensaver flicker and not prompt for a password or passcode and the /var/log/messages file will report an error:
Nov 15 14:07:42 rhel68 gnome-screensaver-dialog: PAM adding faulty module: /lib64/security/pam_securid.so Nov 15 14:07:42 rhel68 gnome-screensaver-dialog: PAM unable to dlopen(/lib64/security/pam_securid.so): /var/ace/lib/64bit/libpamrest.so: cannot open shared object file: Permission deniedThe <user> requires access to the /var/ace/lib/64bit/libpamrest.so library.
Where the <user> does have read access to /var/ace/lib/64bit/libpamrest.so the <user> will get prompted to enter a passcode. After entering a valid passcode a message ‘Checking’ appears for a period of time and then the <user> is returned back to the passcode prompt. Looking at the real-time authentication activity monitor during authentication the message “Node secret mismatch: cleared on the agent but not on server” was seen, however the RSA Authentication Agent for PAM already had a SecurID (node secret) file in /var/ace but with 400 permissions. Changing the permissions of SecurID to 444 will allow the GNOME screensaver, on behalf of the <user>, to access the node secret file and after successful authentication, the <user> was returned back to the desktop.
Below are the file and folder permissions found to get the GNOME screensaver to work with RSA Authentication Agent 8.0 for PAM:
[root@rhel68 var]# ls -lR ace ace: total 28 drw-r----- 2 root root 4096 Nov 15 13:33 conf drwxr-xr-x 3 root root 4096 Nov 15 13:33 lib drw-r----- 2 root root 4096 Nov 15 13:33 log -rw-r--r-- 1 root root 2778 Nov 15 13:32 sdconf.rec -rw-r--r-- 1 root root 23 Nov 15 13:33 sdopts.rec -rw-r--r-- 1 root root 2434 Nov 15 14:23 sdstatus.1 -r--r--r-- 1 root root 512 Nov 15 13:38 securid ace/conf: total 16 -rwxr-xr-x 1 root root 929 Nov 15 13:33 log.properties -rw-r----- 1 root root 2551 Nov 15 13:33 mfa_api.properties -rwxr-xr-x 1 root root 4137 Nov 15 13:33 mfa_api_template.properties ace/lib: total 4 drwxr-xr-x 2 root root 4096 Nov 15 13:33 64bit ace/lib/64bit: total 8896 lrwxrwxrwx 1 root root 20 Nov 15 13:33 liblog4cxx.so -> liblog4cxx.so.10.0.0 lrwxrwxrwx 1 root root 20 Nov 15 13:33 liblog4cxx.so.10 -> liblog4cxx.so.10.0.0 -rwxr-xr-x 1 root root 4114107 Nov 15 13:33 liblog4cxx.so.10.0.0 -rwxr-xr-x 1 root root 4989637 Nov 15 13:33 libpamrest.so ace/log: total 0 [root@rhel68 var]#
Notes
RSA has not officially published changes to /etc/pam.d/gnome-screensaver for Red Hat Enterprise Linux 6/7 in the RSA Authentication Agent 8.x for PAM Installation and Configuration Guides, so, therefore, these changes have not gone through the RSA qualification process. Changing permissions to these two files and perhaps the folder structure they reside in is at the customer’s own risk.
Related Articles
Using RSA two factor authentication (2FA) when accessing RSA Identity Governance & Lifecycle Number of Views updateReviewItems web service fails to update review items when the UserID is the same for two users in RSA Identity Gover… Number of Views Cisco ACS / ASA sends two requests to Authentication Manager 8.x Number of Views SELinux support for RSA Authentication Agent 7.1.0.1 for PAM on Red Hat Enterprise Linux Number of Views Authentication Takes Too Long When Using RSA Authentication Agent SDK 8.1.3 for Java on Red Hat Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Release Notes for RSA Authentication Manager 8.8 RSA RADIUS Server service failed to start in the RSA Authentication Manager 8.1 Operations Console Microsoft Entra ID External MFA - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide RSA Release Notes: Cloud Access Service and RSA Authenticators
Don't see what you're looking for?
