Unable to authenticate with Authentication Agent for PAM for SSH due to SELinux
2 years ago
Originally Published: 2023-05-17
Article Number
000068191
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for PAM
RSA Version/Condition:  8.x
Issue
After installing the Authentication Agent for PAM for SSH, authentication fails in the Authentication Activity Real Time Monitor with a message of "authentication failed."

For the PAM agent to work, SELinux must be disabled.
Tasks
In order to configure the Authentication Agent for PAM to work for RSA, the following tasks must be completed:
  • Properly set options to enable PAM, disable password authentication and set challenge response.
  • Set list of users or groups to challenge.
  • Create Linux users or groups.
  • Disable SELinux.
Resolution
  1. Install the RSA Authentication Agent for PAM .
  2. Confirm that /etc/selinux/targeted/modules was created during the PAM agent install. If not, run mkdir to create it.
  3. On the agent machine, go to /var/ace.
  4. Create a text file named sdopts.rec with a the entry of CLIENT_IP= followed by the IP address of the server on which the PAM agent is installed. For example,
CLIENT_IP=86.76.30.9.
  1. Generate an sdconf.rec from the Security Console (Access > Authentication Agents > Generate Config File). Unzip the file and place the sdconf.rec file in /var/ace.
  2. Ensure that both the sdopts.rec file and the sdconf.rec file are owned by root:root and have the permissions of 644 (owner can read/write, group and world read only):
chown root:root sd*.rec
chmod 644 sd*.rec
  1. Open /etc/ssh/sshd_config.
  2. Set the following parameters and save the changes:
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
  1. Restart sshd:
/bin/systemctl restart sshd.service
  1. Go to /etc/. The entire path must have -rw------- (600) root permission.
chmod 600 etc
  1. Open /etc/sd_pam.conf.
  2. Confirm that the variable for VAR_ACE points to the correct location of the sdconf.rec and sdopts.rec files. 
  3. Set the ENABLE_USERS_SUPPORT parameter to 0 to enforce token authentication.
  4. In this file are two options: LIST_OF_USERS and LIST_OF_GROUPS. Only one can be enabled at a time. If both options are enabled, then  LIST_OF_GROUPS supersedes LIST_OF_USERS. Comment out the option you do not want to use. Create either a list of users or list of groups. Values that you list must be colon separated, as shown:
LIST_OF_USERS=root:arya:catlyn:maergery:yara
or
LIST_OF_GROUPS=braavos:dragonstone:eyrie:oldtown
  1. Set the value for the INCL_EXCL_USERS=1 if using users. Set to 0 for groups.
  2. Save and close the file then restart sshd:
/bin/systemctl restart sshd.service
  1. Make sure that users or groups listed in step 14 are users and/or groups in Linux.
  • To add users, run the useradd command:
sudo useradd arya
  • To add groups, run the groupadd command:
sudo groupadd braavos
  1. If you add groups to Linux, you must populate them with users:
sudo usermod braavos arya
  1. Open /etc/pam.d/sshd in a text editor.
  2. Using a hashtag (#), comment out any lines beginning with auth.
  3. Underneath the lines that were just comented out, add the text auth required pam_securid.so then save and close the file.
  4. Change the following access permissions:
chmod 777 /var/ace
chmod -R 777 *
cd /etc/pam.d
chmod -R 777 *
cd /etc/sd_pam.conf
chmod -R 777
  1. Confirm if SELinux is enabled. 
 sudo sestatus command
  1. Open the SELinux configuration file with a text editor:
vi /etc/sysconfig/selinux
  1. Set SELINUX to disabled:
SELINUX=disabled
  1. Comment out SELINUXTYPE=targeted, as well.
  2. Save and close /etc/sysconfig/selinux.
  3. Reboot the server to have changes take effect.
  4. Test authentication locally with a user from step 14:
ssh arya@localhost
 

Related Articles

Trending Articles

Don't see what you're looking for?