Configuring RSA Authentication Agent 7.1 for PAM on SELinux
Originally Published: 2017-06-30
Applies To
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Platform: Linux
Issue
An administrator would like to enable SELinux on a machine with the RSA Authentication Agent 7.1 for PAM.
SELinux requires certain modules to be installed first; otherwise, it will not work after the PAM agent is installed.
Cause
The required modules for SELinux are not installed prior to installing the RSA Authentication Agent 7.1 for PAM.
Resolution
Install the following modules on the machine prior to installing the Authentication Agent for PAM.
- Install the RSA prerequisites:
  - selinux-policy-devel.rpm (noarch)
  - policycoreutils-devel.rpm
sudo yum install selinux-policy-devel*.noarch policycoreutils-devel*
- Create the /opt/rsa directory.
mkdir /opt/rsa
- Create a text file called /opt/rsa/sdopts.rec with the following content:
CLIENT_IP=<IP address of the server on which you are installing the PAM agent>
- Ensure that both the new sdopts.rec file and the sdconf.rec file are owned by root:root and have the permissions of 644 (owner can read/write, group and world read only):
chown root:root /opt/rsa/sdopts.rec
chmod 644 /opt/rsa/sdopts.rec
chown root:root /opt/rsa/sdconf.rec
chmod 600 /opt/rsa/sdconf.rec
- Make a backup copy of the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old
- Update the /etc/ssh/sshd_config file to include the following values:
UsePAM yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PubkeyAuthentication no
- Untar the PAM-Agent tar ball into any local directory.
tar -xvf <filename>.tar
- Execute the install_pam.sh shell script located in the PAM-Agent directory created by unpacking the tar ball. Make sure to supply the correct path to the sdconf.rec file (/opt/rsa); otherwise you will use the default responses for all questions asked during the install.
/<filename>/install_pam.sh
- Update the /etc/sd_pam.conf file such that the VAR_ACE variable points to the correct location of the sdconf.rec file located in /opt/rsa.
- Update the /etc/pam.d/sshd file as follows:
  - Comment out ALL lines containing "auth"
  - Add the following line to the bottom of the file:
auth required pam_securid.so
- Restart sshd as root:
service sshd restart
- Test authentication by executing /opt/pam/bin/64bit/acetest.
- Test SSH authentication from a remote host.
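Before the remote test, the two edited files can be checked for leftovers that would weaken the setup. The script below is an added example, not RSA code: it lists any active auth line in a PAM service file other than pam_securid.so, and any sshd_config keyword whose effective value differs from the list above. It assumes whitespace-separated keyword/value pairs and only reads the global section before any Match block; the sample files are constructed.

```sh
#!/bin/sh
# Added example: checks for the two files edited in the steps above.
# File paths are arguments, so the functions can be run against copies.

# Print each active "auth" line in a PAM service file that is not
# pam_securid.so; any output means another module can still authenticate.
stray_pam_auth() {
    awk '/^[ \t]*(#|$)/ { next }                 # comments and blank lines
         { t = $1; sub(/^-/, "", t) }            # "-auth" is still an auth line
         t == "auth" && $0 !~ /pam_securid\.so/ { print FNR ": " $0 }' "$1"
}

# Print each keyword whose effective global value differs from the article.
# sshd keeps the first value it reads for a keyword and ignores case in
# keyword names; Match blocks are conditional, so parsing stops there.
sshd_mismatches() {
    awk 'BEGIN { want["usepam"] = "yes"; want["passwordauthentication"] = "no"
                 want["useprivilegeseparation"] = "no"
                 want["challengeresponseauthentication"] = "yes"
                 want["pubkeyauthentication"] = "no" }
         /^[ \t]*(#|$)/ { next }
         tolower($1) == "match" { stop = 1 }
         stop { next }
         { k = tolower($1); if ((k in want) && !(k in seen)) seen[k] = tolower($2) }
         END { for (k in want) {
                   v = (k in seen) ? seen[k] : "unset"
                   if (v != want[k]) print k ": want " want[k] ", found " v } }' "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/pam_sshd" <<'EOF'
#%PAM-1.0
#auth required pam_sepermit.so
auth substack password-auth
account required pam_nologin.so
auth required pam_securid.so
EOF
cat > "$demo/sshd_config" <<'EOF'
PasswordAuthentication yes
UsePAM yes
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PubkeyAuthentication no
PasswordAuthentication no
EOF
echo "Active non-SecurID auth lines:"; stray_pam_auth "$demo/pam_sshd"
echo "sshd_config mismatches:";        sshd_mismatches "$demo/sshd_config"
```

On a real host, call the functions with /etc/pam.d/sshd and /etc/ssh/sshd_config; both should print nothing once the steps are complete.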
Notes
The following is the output from the install_pam.sh from the point that the EULA is accepted:
Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A
Enter Directory where sdconf.rec is located [/var/ace]/opt/rsa
Please enter the root path for the RSA Authentication Agent for PAM directory [/opt]
The RSA Authentication Agent for PAM 7.1 will be installed in the /opt directory.
pam/
pam/doc/
pam/doc/auth_agent_PAM_RHEL.pdf
pam/doc/auth_agent_PAM_SUSE.pdf
pam/bin/
pam/bin/64bit/
pam/bin/64bit/acestatus
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/32bit/
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/32bit/acetest
pam/lib/
pam/lib/64bit/
pam/lib/64bit/pam_securid.so
pam/lib/32bit/
pam/lib/32bit/pam_securid.so
**********************************************************************
* Adding label for pam_securid.so *
ValueError: File spec /lib64/security//pam_securid.so conflicts with equivalency rule '/lib64 /usr/lib'; Try adding '/usr/lib/security//pam_securid.so' instead
* Adding label for /opt/rsa directory *
* Creating rsapolicy.pp policy file *
Compiling targeted rsapolicy module
/usr/bin/checkmodule: loading policy configuration from tmp/rsapolicy.tmp
/usr/bin/checkmodule: Module name local is different than the output base filename rsapolicy
make: *** [tmp/rsapolicy.mod] Error 1
libsemanage.map_file: Unable to open rsapolicy.pp (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file rsapolicy.pp (No such file or directory).
semodule: Failed on textrel_shlib_t.pp!
**********************************************************************
Checking /etc/sd_pam.conf:
VAR_ACE does not exist - entry will be appended
RSATRACELEVEL does not exist - entry will be appended
RSATRACEDEST does not exist - entry will be appended
ENABLE_USERS_SUPPORT does not exist - entry will be appended
INCL_EXCL_USERS does not exist - entry will be appended
LIST_OF_USERS does not exist - entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended