How to Install and Configure the RSA PAM Agent on Solaris Operating System with RSA Authentication Manager.
2 years ago
Article Number
000068184
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Issue
Install and configure the RSA PAM Agent on Solaris Operating System with RSA Authentication Manager.
 
Tasks
  • Login as Root user.
  • Prepare the server. (Optional: If deployed on VM take snapshot of server.)
  • Install the Agent.
  • Configure the Agent.
Resolution
The RSA Authentication Agent 8.1 for PAM (Pluggable Authentication Module) supports authentication on UNIX systems with standard or OpenSSH connection tools. The PAM agent uses RSA customized shared libraries and supports access to UNIX servers and workstations with the authentication methods supported by the Cloud Authentication Service and RSA Authentication Manager. You can choose whether the PAM agent authenticates to the Cloud Authentication Service or Authentication Manager. 

Operating systems supported by PAM Agent 8.1.x:
  • Solaris 10 SPARC Update 11 (32-bit and 64-bit) with Zones
  • Solaris SPARC 11.2 (32-bit and 64-bit)
  • Solaris 10 x86 Update 11 (32-bit)
  • Solaris x86 11.3 (32-bit)
Please refer to the links below for detailed information on the installation requirements, configuration, and other features of the various PAM agent versions.

RSA® Authentication Agent 8.1 for PAM Installation and Configuration Guide for Solaris:
https://community.rsa.com/t5/securid-authentication-agent-for/tkb-p/auth-agent-pam-documentation

SecurID® Authentication Agent for PAM Downloads Link:
https://community.rsa.com/t5/securid-authentication-agent-for/tkb-p/auth-agent-pam-downloads

Procedure:
Step 1:
If the ace directory does not already exist under /var, create it as the root user with the commands below:
cd /var
mkdir ace
Step 2:
Log in to the Security Console and navigate to Access > Agents. Then add a new agent entry (Hostname and IP) for the Solaris server. 
 
Step 3:
Generate the sdconf.rec file from the Security Console by going to Access > Authentication Agents > Generate Configuration File > Download.
Unzip "AM_Config.zip" file and transfer sdconf.rec to /var/ace/ directory.
 
Step 4:
Run the command below to create a new text file named sdopts.rec in the /var/ace/ directory containing the agent host IP:
echo "CLIENT_IP=X.X.X.X" > /var/ace/sdopts.rec
# Where X.X.X.X is the IP of the Solaris server
 
Step 5:
Take a backup of the /etc/ssh/sshd_config file:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config-$(date +%d-%b).bak

Step 6:
Modify the values in sshd_config file as mentioned below and save the changes: 
PAMAuthenticationViaKBDInt yes 
PasswordAuthentication no 
ChallengeResponseAuthentication yes  

Step 7:
Restart the sshd service using the below command: 
svcadm restart network/ssh
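The following shell script is an added example, not part of the RSA article or the agent's own tooling: it writes sdopts.rec only after validating the address, applies the three Step 6 directives idempotently to an sshd_config, and checks the result before the Step 7 restart. Paths are function parameters so it can be exercised on scratch copies; the live files are /var/ace/sdopts.rec and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the RSA article): Step 4 to Step 6 as checkable
# functions. Run them against copies first; the live files are
# /var/ace/sdopts.rec and /etc/ssh/sshd_config.

# Write sdopts.rec only when the address is a plausible dotted IPv4 literal,
# so a typo does not silently bind the agent to the wrong interface.
write_sdopts() {            # $1 = output file, $2 = agent host IP
    case "$2" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- "$1" "$2" $(echo "$2" | tr '.' ' ')
    [ $# -eq 6 ] || return 1             # exactly four octets
    for o in "$3" "$4" "$5" "$6"; do
        [ "$o" -le 255 ] || return 1
    done
    echo "CLIENT_IP=$2" > "$1"
}

# Set one sshd_config directive: replace a live or commented-out line if
# present, append otherwise. Portable (no sed -i, which Solaris sed lacks).
set_sshd_directive() {      # $1 = sshd_config path, $2 = directive, $3 = value
    tmp="$1.tmp.$$"
    if grep -q "^[[:space:]]*#*[[:space:]]*$2[[:space:]]" "$1"; then
        sed "s/^[[:space:]]*#*[[:space:]]*$2[[:space:]].*/$2 $3/" "$1" > "$tmp"
    else
        cat "$1" > "$tmp" && echo "$2 $3" >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# Return 0 only when all three Step 6 directives are active with the
# expected values; run this before svcadm restart network/ssh.
sshd_mfa_ready() {          # $1 = sshd_config path
    grep -q '^PAMAuthenticationViaKBDInt yes$' "$1" &&
    grep -q '^PasswordAuthentication no$' "$1" &&
    grep -q '^ChallengeResponseAuthentication yes$' "$1"
}

# Constructed demo on a scratch copy, never on the live file.
demo_conf=$(mktemp)
printf '#PasswordAuthentication yes\nChallengeResponseAuthentication no\n' > "$demo_conf"
set_sshd_directive "$demo_conf" PAMAuthenticationViaKBDInt yes
set_sshd_directive "$demo_conf" PasswordAuthentication no
set_sshd_directive "$demo_conf" ChallengeResponseAuthentication yes
sshd_mfa_ready "$demo_conf" && echo "sshd_config ready for svcadm restart network/ssh"
```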
 
Step 8:
Download the PAM installation file and transfer it to the /tmp directory on Solaris server. 
Untar the downloaded PAM installation file using the following commands: 
tar -xvf PAM-Agent-filename.tar 
cd PAM-Agent_sol_x86_v8.1.4 

Step 9:  
You can either manually install the PAM agent on individual machines, or you can choose silent installation to automate the process of deploying multiple copies of the PAM agent.
 
9.A Silent installation method:
Silent installation lets you install the PAM agent on multiple servers with identical configuration by supplying a text-based configuration file that holds the answers to the install script's prompts.
You can choose any name for the configuration file, such as 'installscript.conf'. If you are installing multiple PAM agents, this configuration file can be reused; if the installation is for a single server, you can skip this step.
  • To configure the PAM agent with Authentication Manager in UDP mode, the text file 'installscript.conf' should contain the following values (refer to page 24 of the guide for other modes):
y 
Accept 
0 
/var/ace 
/opt 
y 
  • Save the configuration file (for example as 'installscript.conf') and transfer it to the PAM agent installation directory.
  • To install the PAM agent with the silent installation method on multiple servers with identical configuration, execute the command below:
./install_pam.sh -s < installscript.conf
# Make sure installscript.conf was created as described in step 9.A and is located inside the untarred PAM installation directory.
 
9.B Single-server installation method:
  • Run the command below from the untarred PAM installation directory:
./install_pam.sh 
  • Accept the License Terms and Conditions. 
  • Choose an RSA SecurID Authentication Mode (0 for RSA Authentication Manager with the UDP Protocol). 
  • Enter the directory where the sdconf.rec file is located (/var/ace). 
  • Enter the root path for the RSA Authentication Agent for PAM directory (/opt). 
Step 10:
  • After successfully completing the PAM agent installation on the Solaris server, perform a test authentication with the acetest utility. acetest verifies communication between the PAM agent and RSA Authentication Manager and performs a test authentication.
Authentication utilities are located in the following directories:
32-bit operating system: <pam agent installation directory>/bin/32bit
64-bit operating system: <pam agent installation directory>/bin/64bit
     
The PAM agent authentication test requires a username and passcode (PIN + soft token code).      
# cd /opt/pam/bin/64bit
# ./acetest
Enter USERNAME: <username>
Enter PASSCODE: <PIN + token>
Authentication Successful
Upon successful authentication, a message stating 'Authentication Successful' should appear, which indicates that the user credentials are correct, and the agent is configured and communicating correctly with the Authentication Manager.
If authentication fails, it is recommended to check the real-time authentication monitor on the Security Console to troubleshoot and resolve the issue.

Step 11:
Take a backup of the /etc/sd_pam.conf and /etc/pam.conf files before configuring MFA for challenged users on the SSH service.
cp /etc/sd_pam.conf /etc/sd_pam.conf-$(date +%d-%b).bak
cp /etc/pam.conf /etc/pam.conf-$(date +%d-%b).bak

Step 12:
Open the pam.conf file and go to the Authentication management section. Comment out the following lines if they exist:
#sshd-kbdint auth requisite pam_authtok_get.so.1
#sshd-kbdint auth required pam_dhkeys.so.1
#sshd-kbdint auth required pam_unix_cred.so.1
#sshd-kbdint auth required pam_unix_auth.so.1
12.A If the environment is configured to handle both challenged SecurID user authentication and internal Linux user authentication, add the value below:
sshd-kbdint auth required pam_securid.so
Note: the pam_securid.so module cannot handle Active Directory user authentication.

12.B Unchallenged Active Directory users fail to authenticate with RSA Authentication Agent for PAM:
KB : https://community.rsa.com/t5/securid-knowledge-base/unchallenged-active-directory-users-fail-to-authenticate-with/ta-p/2143
 
12.C Enable Linux password authentication along with RSA Authentication Agent for PAM:
KB : https://community.rsa.com/t5/securid-knowledge-base/enable-linux-password-authentication-along-with-rsa/ta-p/2145

Save the changes.

Step 13:
Change the values in the sd_pam.conf file located in the /etc directory to enable MFA and to challenge or exclude users.
# vi /etc/sd_pam.conf
# ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
# 1 to enable and 0 to disable MFA PAM agent users' support.
# INCL_EXCL_USERS :: 0 exclude users from securid authentication
# :: 1 include users for securid authentication
# default value is 0
INCL_EXCL_USERS=1
# 0 to exclude users from MFA authentication and 1 to challenge users for MFA authentication.
# LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=user1:user2:rsatest:
# Enter the user IDs that need to be challenged or excluded during login.
Save changes and restart the sshd services with command "svcadm restart network/ssh".
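As an added example (not from the article or from RSA), the shell functions below read the three Step 13 keys from an sd_pam.conf and report whether a given login would be challenged, which is the confirmation the warning below asks for. It assumes the semantics the file's comments describe: ENABLE_USERS_SUPPORT=0 ignores the list and every user is challenged; with it set to 1, INCL_EXCL_USERS=1 challenges only listed users and INCL_EXCL_USERS=0 challenges everyone except listed users.

```shell
#!/bin/sh
# Added example (not from the RSA article): decide whether a login name will
# be challenged for a SecurID passcode under a given sd_pam.conf. Assumed
# rule: ENABLE_USERS_SUPPORT=0 ignores the list and challenges everyone;
# otherwise INCL_EXCL_USERS=1 challenges only listed users and
# INCL_EXCL_USERS=0 challenges all but listed users.

# Read a KEY=value setting, ignoring comment lines and surrounding whitespace.
sd_pam_get() {              # $1 = config path, $2 = key name
    grep -v '^[[:space:]]*#' "$1" |
    sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tail -n 1 | tr -d '[:space:]'
}

# Exit 0 if user "$2" is in the colon-separated LIST_OF_USERS of "$1".
sd_pam_listed() {
    list=$(sd_pam_get "$1" LIST_OF_USERS)
    case ":$list:" in
        *":$2:"*) return 0 ;;
    esac
    return 1
}

# Exit 0 if user "$2" would be prompted for a passcode under config "$1".
sd_pam_challenged() {
    if [ "$(sd_pam_get "$1" ENABLE_USERS_SUPPORT)" != "1" ]; then
        return 0                        # list support off: everyone challenged
    fi
    if [ "$(sd_pam_get "$1" INCL_EXCL_USERS)" = "1" ]; then
        sd_pam_listed "$1" "$2"         # include mode: only listed users
    else
        ! sd_pam_listed "$1" "$2"       # exclude mode: all but listed users
    fi
}

# Constructed sample mirroring the article's Step 13 values (not a real file).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
 # ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
 ENABLE_USERS_SUPPORT=1
 # INCL_EXCL_USERS :: 0 exclude users, 1 include users
 INCL_EXCL_USERS=1
 LIST_OF_USERS=user1:user2:rsatest:
EOF

for u in user1 rsatest oracle; do
    if sd_pam_challenged "$SAMPLE_CONF" "$u"; then
        echo "$u: challenged for SecurID passcode"
    else
        echo "$u: passes through without SecurID challenge"
    fi
done
```

Run it against the real /etc/sd_pam.conf for one listed and one unlisted account before closing the root session.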

WARNING: DO NOT CLOSE THE root Session WINDOW UNTIL YOU’VE CONFIRMED THAT AUTHENTICATION IS WORKING PROPERLY FOR CHALLENGED AND EXCLUDED USERS.

While the current root session window is still open, open a separate SSH client and log in to the host where the Authentication Agent is installed and the PAM module is configured. The login should prompt for a PASSCODE after the username is entered. By following the above steps, you can successfully configure multi-factor authentication on a Solaris server using the RSA SecurID Access PAM agent.