SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

multi authentication using AD SSSD and Securid


Am looking for a config that would allow me to logon to a redhat 7 server using SSSD active directory name and password, then be asked for a securid token, we have this working on windows client flawlessly but cant find a working config using the securid and PAM, any suggestions


Cheers in advance

Head embedded in wall

Labels (1)
2 Replies
Moderator Moderator

Hi Ken,

The SecurID Linux PAM Agent works fine along side sssd to provide 2FA/MFA for AD account authentication on Linux. First configure sssd (join the AD Domain using realmd) to get the sssd / AD Authentication working. See RedHat's Windows Integration Guide for information on configuring sssd. Then install the SecurID Access Linux PAM Agent following the RSA SecurID Linux PAM Agent Installation and Configuration Guide for your Linux distribution.


Once both sssd and the SecurID Linux PAM Agent are installed, edit the PAM configuration files (/etc/pam.d) to enable SecurID for the desired services.


You can choose to require AD Username + Password + SecurID Authenticator


auth       substack     password-auth

auth       required



Or AD Username + SecurID Access Authenticator


#auth       substack     password-auth

auth       required



Note: Once sssd is working, the PAM auth setting "password-auth" = AD Password authentication.



I tested this configuration Using Win2016 AD, CentOS 7.5, and the RSA SecurID Linux PAM Agent v8.1. 

Another option if you want token first then ldap stacked....

 you may try the not_set_pass option if you cannot make things work otherwise


auth       required  not_set_pass


not_set_pass =  Don't use the passwords from other stacked modules.


If you are still having issues, debug is:

auth       required debug 




auth       required debug not_set_pass