multi authentication using AD SSSD and Securid
Hi,
I am looking for a config that would allow me to log on to a Red Hat 7 server using an SSSD Active Directory name and password, then be asked for a SecurID token. We have this working on Windows client flawlessly but can't find a working config using SecurID and PAM. Any suggestions?
Cheers in advance
Head embedded in wall
Hi Ken,
The SecurID Linux PAM Agent works fine alongside sssd to provide 2FA/MFA for AD account authentication on Linux. First configure sssd (join the AD Domain using realmd) to get the sssd / AD Authentication working. See Red Hat's Windows Integration Guide for information on configuring sssd. Then install the SecurID Access Linux PAM Agent following the RSA SecurID Linux PAM Agent Installation and Configuration Guide for your Linux distribution.
Once both sssd and the SecurID Linux PAM Agent are installed, edit the PAM configuration files (/etc/pam.d) to enable SecurID for the desired services.
You can choose to require AD Username + Password + SecurID Authenticator
....
auth substack password-auth
auth required pam_securid.so
....
Or AD Username + SecurID Access Authenticator
....
#auth substack password-auth
auth required pam_securid.so
....
Note: Once sssd is working, the PAM auth setting "password-auth" = AD Password authentication.
I tested this configuration using Win2016 AD, CentOS 7.5, and the RSA SecurID Linux PAM Agent v8.1.
Another option if you want token first then ldap stacked....
You may try the not_set_pass option if you cannot make things work otherwise
auth required pam_securid.so not_set_pass
not_set_pass = Don't use the passwords from other stacked modules.
If you are still having issues, debug is:
auth required pam_securid.so debug
or
auth required pam_securid.so debug not_set_pass
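A way to check which of the stacks discussed in the replies above a given /etc/pam.d file actually enforces, and whether the debug option was left on. This is an added example, not part of the original thread or RSA's tooling; the function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed samples of an /etc/pam.d service file (not from the thread).
SAMPLE_BOTH = """\
#%PAM-1.0
auth       substack     password-auth
auth       required     pam_securid.so debug
account    required     pam_nologin.so
"""
SAMPLE_TOKEN_ONLY = """\
#auth      substack     password-auth
auth       required     pam_securid.so not_set_pass
"""

def parse_auth_rules(text):
    """Return (control, module, args) for every active 'auth' line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out rules
        if not line:
            continue
        # type, control (plain word or [bracketed list]), module, optional args
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == "auth":
            rules.append((m.group(2), m.group(3), m.group(4).split()))
    return rules

def audit(text):
    """Classify the auth stack and list findings worth a review."""
    rules = parse_auth_rules(text)
    password = any(c in ("substack", "include") and mod == "password-auth"
                   for c, mod, _ in rules)
    securid = [(c, a) for c, mod, a in rules if mod.endswith("pam_securid.so")]
    # Only required/requisite make the token mandatory for login.
    enforced = any(c in ("required", "requisite") for c, _ in securid)
    findings = []
    if securid and not enforced:
        findings.append("pam_securid.so present but not required/requisite")
    if any("debug" in a for _, a in securid):
        findings.append("debug option still enabled on pam_securid.so")
    if enforced:
        mode = "password+securid" if password else "securid-only"
    else:
        mode = "password-only" if password else "none"
    return mode, findings
```

Run audit() over the contents of each service file you changed (for example the sshd one) after editing, so a commented-out password-auth line or a leftover debug flag is caught before the change is rolled out.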
