NishanthShaga
Beginner

How to enable UNIX Password and Passcode?


We are trying to lock down a Linux server using RSA SecurID. We installed the RSA Agent and test authentication is working. When we enable auth required pam_secureid.so in the sshd file, it prompts only for the UNIX password.

If we disable other auth and enable only pam_secureid.so then it is prompting only for passcode without UNIX password. 

Can we enable both UNIX Password and Passcode for authentication? If yes, how can we achieve this configuration?

Accepted Solutions
SrirangaPrasan1
Employee

Hi Nishanth,

 

If the user is a local user, then the pam_securid module cannot password-authenticate the user. So we would need an authentication method such as pam_unix that can password-authenticate local users.

If the users are not local, then the pam_unix module cannot password-authenticate the user, for example LDAP users.
Therefore we would need another module such as pam_sss to deal with password-authenticating these non-local users (LDAP users).

 

You can try using the auth methods below and comment out the rest of the auth methods in the /etc/pam.d/sshd file:
auth required pam_securid.so
auth substack password-auth

Here the user is first challenged for RSA authentication and then prompted for password authentication based on the stacking defined in the substack "password-auth".

 

-Sri
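
Added example, not part of the original post or of RSA's documentation: a simplified Python model of Linux-PAM's auth controls that checks whether a stack like the one above really demands both the passcode and the password. The file contents (including the password-auth layout and the `sshd-include-first` contrast) and all function names are constructed assumptions.

```python
# Simplified model of Linux-PAM auth evaluation: required, requisite, sufficient,
# include and substack only; optional and bracketed [value=action] are ignored.

def parse(text):
    """Return (control, target) for each active (uncommented) auth line."""
    rows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0].lstrip("-") == "auth":
            rows.append((fields[1], fields[2]))
    return rows

def run(service, files, outcome, state):
    """Walk one stack; return True when the enclosing stack must stop too."""
    for control, target in parse(files[service]):
        if control in ("include", "substack"):
            stop = run(target, files, outcome, state)
            if stop and control == "include":  # a substack only ends itself
                return True
        elif control in ("required", "requisite", "sufficient"):
            if outcome.get(target, True):      # unlisted modules are assumed to succeed
                state["passed"] = True
                if control == "sufficient" and not state["failed"]:
                    return True
            elif control != "sufficient":      # a failed sufficient module is ignored
                state["failed"] = True
                if control == "requisite":
                    return True
    return False

def authenticates(service, files, token_ok, password_ok):
    """Final PAM verdict for one combination of factor results."""
    outcome = {"pam_securid.so": token_ok, "pam_unix.so": password_ok,
               "pam_sss.so": password_ok, "pam_deny.so": False}
    state = {"failed": False, "passed": False}
    run(service, files, outcome, state)
    return state["passed"] and not state["failed"]

def requires_both(service, files):
    """True only if login succeeds with both factors and fails when either is missing."""
    return all(authenticates(service, files, t, p) == (t and p)
               for t in (True, False) for p in (True, False))

# Constructed sample files; the password-auth contents are an assumption.
FILES = {
    "password-auth": "auth required pam_env.so\nauth sufficient pam_unix.so\nauth required pam_deny.so\n",
    "sshd": "#auth include system-auth\nauth required pam_securid.so\nauth substack password-auth\n",
    "sshd-include-first": "auth include password-auth\nauth required pam_securid.so\n",
}
```

`requires_both("sshd", FILES)` is True for the stack from the answer, while the constructed `sshd-include-first` stack returns False because a successful `sufficient` pam_unix inside an `include` ends evaluation before pam_securid is consulted.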

3 Replies
It worked!!!

We tried to lock down a Windows 2016 server as well using the RSA SecurID Agent. It works but prompts for the AD password twice.

  1. When we RDP, it prompts for AD User ID and Password.
  2. RSA SecurID Passcode.
  3. After successful authentication, again it prompts for AD Password.

Any reason why it is prompting for the AD password twice? Can we configure it to prompt for the AD password only once?

RSA Agent Version : 7.4.3


Kindly refer to the articles below to achieve the use case of having to enter the Windows password only once during authentication:

Replace Users' Windows Password with an RSA SecurID Passcode

RSA Authentication Agent 7.4 for Microsoft Windows Installation and Administration Guide - refer to the topic "Integration of Windows Passwords in the RSA SecurID Logon Process" from page 11 onwards
