We have a deployed RSA Securid AM 8.4. There are some 40+ SUSE SLES version 10 modes that we are trying too integrate.
We are testing using PAM Agent 8.0. ACETEST succeeds with PASSCODE MFA authentication. However, ssh - using pam_securid.so does not work, and we do not see anything in AM activity monitor. we have modified the sd_pamd.conf and ssd files according to documentation. We already have 20+ RHES nodes working fine.
Susefirewall is disabled.
(RSA documentation says SuSE 10 is only supported with PAM 6.0. However, I am not sure if PAM 6.0 will work with AM 8.4)
I will really appreciate assistance.
sshd file:
#auth include common-auth
#auth required pam_nologin.so
#
#
auth required pam_securid.so
account include common-account
password include common-password
session include common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname
~
SD_PAM file
# default value is /var/ace
VAR_ACE=/var/ace
#AGENT_ROOT :: the location where RSA PAM Agent binaries will go
# default value is /opt
AGENT_ROOT=/usr
#OPERATION_MODE :: To enable the agent operating mode choose one of the option.
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=0
#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
# :: 0 Disable logging for securid authentication
# :: 1 Logs regular messages for securid authentication
# :: 2 Logs function entry points for securid authentication
# :: 4 Logs function exit points for securid authentication
# :: 8 All logic flow controls use this for securid authentication
# NOTE :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8
#0
#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
# :: If this is not set, by default the logs go to Error output.
#RSATRACEDEST=/home
RSATRACEDEST=/root/rsa.log
#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
#0
#INCL_EXCL_USERS :: 0 exclude users from securid authentication
# :: 1 include users for securid authentication
# default value is 0
INCL_EXCL_USERS=1
#0
#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=rsa.security
#:user1:user2
#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion s
upport
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0
#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0
