RSA SecurID^® Access Discussions

I've gone thru all the steps ( I have gotten it to work on RHEL7) but I'm not sure about the what to do in /etc/pam.d/sshd.

I commented out the first line and added in the 3rd line. If I leave it like that, it will prompt for a password then let me in without being prompted for RSA. If I comment out the 2nd line, it prompts for RSA only, then lets me in without a password.

Not sure what to do from here.

This is /etc/pam.d/sshd from RHEL 6.10

#%PAM-1.0

##auth required pam_sepermit.so # Commented out by MY

auth include password-auth ## If this line is commented out, no password prompt -MY

auth required pam_securid.so # Added by MY

account required pam_nologin.so

account include password-auth

password include password-auth

1. pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

1. pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session required pam_namespace.so

session optional pam_keyinit.so force revoke

session include password-auth

MY

In the first scenario, since the uncommented "auth       include      password-auth" line occurs before the "pam_securid.so" line, then it will just prompt for a password and give you access using just a password and without an RSA login prompt for a passcode.  On a system here, we have those first two lines in your sshd file commented out, and just have the "pam_securid.so" line uncommented.  In that setup, we ssh in using the RSA prompt login and passcode and no additional password prompt occurs.  But, it sounds like you don't require a password to login in either event; you get access without a password.  So, now I am wondering how you have your /etc/ssh/sshd_config file setup, or,  perhaps, if a trust/key is involved allowing you in without a password needed.