How to stack a Unix authentication followed by SecurID prompt with the RSA Authentication Agent for PAM for SSH and Telnet logins.
Originally Published: 2013-03-28
Article Number
000065945
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for PAM
RSA Version/Condition:  7, 6, 5
Platform:  Red Hat Enterprise Linux
O/S Version:  32-bit and 64-bit RHEL 6, 5, 4
Issue
This article describes how to stack the standard Unix password prompt with an RSA SecurID passcode prompt so that SSH and Telnet logins require two factors: something the user knows (the Unix password) and a one-time passcode from the token.
Resolution

Make a backup of each PAM configuration file before modifying it. A mistake in /etc/pam.d can lock out every login, including root, so keep an already-authenticated root shell open while you test the change.


On Linux, the location of the PAM configuration files is /etc/pam.d.

The following /etc/pam.d/sshd file prompts users who ssh to the machine first for their Unix password and then for their SecurID passcode. Both authentication modules are marked required rather than requisite, so a user who mistypes the Unix password is still shown the passcode prompt and the login fails only after both factors have been collected; this keeps an attacker from learning which factor was wrong. The pam_stack.so lines are the RHEL 4 form: on RHEL 5, where pam_stack.so is deprecated, and RHEL 6, where it is no longer shipped, use "auth include system-auth" (and the matching include lines for the account, password and session stacks) in place of each pam_stack.so line.

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_securid.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so


If you are not receiving a passcode prompt at the second authentication prompt, check /etc/ssh/sshd_config and make sure that UsePAM is set to yes (the RHEL default; without it sshd never runs the PAM stack) and that ChallengeResponseAuthentication is set to yes, so that sshd uses keyboard-interactive authentication and can relay the module's prompts to the client, as in the example below:

ChallengeResponseAuthentication yes

If it is not set to yes, make the change and then restart sshd as root:

service sshd restart
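The following script is an added example and is not RSA's code or part of the Authentication Agent; it wraps the checks from the SSH procedure above (PAM auth ordering, the pam_stack.so versus include choice by RHEL release, and the two sshd_config keywords) in read-only shell functions that take the files to inspect as arguments, and runs them against constructed sample files rather than the live /etc.

```shell
#!/bin/sh
# Added example, not RSA's code: read-only checks for the SSH stacking
# described above. Every function takes the files or strings to inspect as
# arguments, so it can be run against copies before touching /etc.

# Emit the auth line that pulls in the system-auth stack for a given
# /etc/redhat-release string. RHEL 4 uses pam_stack.so; RHEL 5 deprecated it
# and RHEL 6 no longer ships it, so those use the "include" keyword instead.
system_auth_line() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    if [ -n "$major" ] && [ "$major" -le 4 ]; then
        printf 'auth       required     pam_stack.so service=system-auth\n'
    else
        printf 'auth       include      system-auth\n'
    fi
}

# Return 0 when, in a PAM service file, the first auth line that references
# system-auth comes before the auth line for pam_securid.so: that ordering is
# what produces "Unix password first, SecurID passcode second".
pam_auth_order_ok() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                      # comments, blanks
        $1 == "auth" && /system-auth/     && !sa  { sa  = NR }
        $1 == "auth" && /pam_securid\.so/ && !sid { sid = NR }
        END { exit !(sa && sid && sa < sid) }
    ' "$1"
}

# Return 0 when KEYWORD's effective value in an sshd_config equals VALUE.
# sshd uses the FIRST uncommented occurrence of a keyword, compares keywords
# case-insensitively and accepts "Keyword=value" as well as "Keyword value".
# Match blocks are not evaluated.
sshd_option_is() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    awk -v key="$key" -v want="$want" '
        /^[ \t]*#/ || NF == 0 { next }
        { gsub(/[ \t]*=[ \t]*/, " ") }                      # normalise "k=v"
        tolower($1) == key { found = 1; got = tolower($2); exit }
        END { exit !(found && got == want) }
    ' "$1"
}

# Check everything the article says is needed for the second prompt to show
# up over SSH. Prints one line per check; returns non-zero if any failed.
check_ssh_two_factor() {
    pamfile=$1; sshdconf=$2; rc=0
    if pam_auth_order_ok "$pamfile"; then
        echo "ok:   $pamfile stacks system-auth before pam_securid.so"
    else
        echo "FAIL: $pamfile does not stack system-auth before pam_securid.so"
        rc=1
    fi
    for kw in UsePAM ChallengeResponseAuthentication; do
        if sshd_option_is "$sshdconf" "$kw" yes; then
            echo "ok:   $sshdconf has $kw yes"
        else
            echo "FAIL: $sshdconf does not have $kw yes (no passcode prompt)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed files (not real system files). On a real host
# you would pass /etc/pam.d/sshd, /etc/ssh/sshd_config and the contents of
# /etc/redhat-release instead.
tmp=$(mktemp -d)
{
    printf '#%%PAM-1.0\n'
    system_auth_line 'Red Hat Enterprise Linux Server release 6.4 (Santiago)'
    printf 'auth       required     pam_securid.so\n'
    printf 'auth       required     pam_nologin.so\n'
} > "$tmp/sshd"
printf 'UsePAM yes\nChallengeResponseAuthentication no\n' > "$tmp/sshd_config"
check_ssh_two_factor "$tmp/sshd" "$tmp/sshd_config" \
    || echo "(expected: ChallengeResponseAuthentication is still no)"
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$tmp/sshd_config"
check_ssh_two_factor "$tmp/sshd" "$tmp/sshd_config"    # all checks pass now
rm -rf "$tmp"
```

The ordering check only looks at the auth type; account, password and session lines do not affect which prompt appears first. The sshd_config check deliberately takes the first uncommented occurrence of a keyword, because that is what sshd does, so a stray "ChallengeResponseAuthentication no" higher in the file wins over a "yes" added at the bottom.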

The following /etc/pam.d/remote file, which /bin/login uses for telnet sessions, prompts users who telnet to the machine first for their Unix password and then for their SecurID passcode. Note that telnet carries both credentials over the network in cleartext: the passcode can only be used once, but the static Unix password is exposed to anyone on the path, so prefer SSH wherever possible.
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
auth       required     pam_securid.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open
Notes
All PAM configuration files on Red Hat Linux are located in /etc/pam.d. 

Each protocol (sshd, rlogin, telnet (which uses the "remote" file), etc.) has its own file. This differs from Solaris, which uses the single file /etc/pam.conf for all PAM configuration directives.