SecurID® Discussions

Juliobarreto
Contributor

Testing REST API Agents Prior to Production Deploy


How do I test an Agent running the REST API to see that it can successfully communicate with the SecurID Authentication Manager?


Accepted Solutions
JayGuillette
Apprised Contributor

There's no acetest for REST, though there is an RFE for one.

The workaround is to configure PAM to challenge a single user, and use that account to test that user and token.

Here are some notes you might try:

Find and edit the sshd_config, which may be located either in /etc/ssh/sshd_config or in /usr/local/etc/sshd_config, and add the following:

 UsePAM yes
 PasswordAuthentication no
 ChallengeResponseAuthentication yes

Notes: Setting the PasswordAuthentication parameter to no disables the OpenSSH password prompt. The PAM agent is used instead. As a result, the user is prompted for SecurID authentication only.
Restart sshd.

Edit the /etc/pam.d/sshd file and comment out any lines that begin with auth.
Add the line:
  auth required pam_securid.so

The /etc/sd_pam.conf should look something like this for a challenged UserID = UserTest. It may need to be a local Linux account too.

 AGENT_ROOT=/home/rsaadmin
 OPERATION_MODE=1
 RSATRACELEVEL=0
 RSATRACEDEST=
 ENABLE_USERS_SUPPORT=1
 INCL_EXCL_USERS=1
 LIST_OF_USERS=UserTest
 PAM_IGNORE_SUPPORT_FOR_USERS=0
 ENABLE_GROUP_SUPPORT=0
 INCL_EXCL_GROUPS=0
 LIST_OF_GROUPS=other:wheel:eng:othergroupnames
 PAM_IGNORE_SUPPORT=0
 AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
 AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
 AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :
 AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :
 BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4

/etc/init.d/sshd restart

Linux:~ # more /etc/passwd | grep UserTest
UserTest:x:1006:2000::/home/UserTest:/bin/bash
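
A pre-flight check for the procedure above, as an added example that is not part of the original post or any RSA tooling: it confirms the three edited files hold the settings from the answer before the test login is attempted. The function names, the script name, and the colon-separated LIST_OF_USERS format (inferred from LIST_OF_GROUPS in the post) are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight check of the three files the answer edits.

# sshd_opt FILE KEYWORD: print the first value set for KEYWORD (the one sshd
# uses). Handles "Key value" and "Key=value"; Match/Include are not evaluated.
sshd_opt() {
  awk -v k="$2" '{ sub(/^[ \t]+/, "") }
    /^#/ || /^$/ { next }
    { split($0, f, /[ \t=]+/)
      if (tolower(f[1]) == tolower(k)) { print tolower(f[2]); exit } }' "$1"
}

# pam_auth_ok FILE: succeed only if the sole active auth line is pam_securid.so.
pam_auth_ok() {
  [ "$(awk '$1 == "auth" { print $2, $3 }' "$1")" = "required pam_securid.so" ]
}

# sdpam_val FILE KEY: print the value of KEY= from sd_pam.conf.
sdpam_val() { sed -n -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$2=//p" "$1" | head -n 1; }

# user_listed FILE USER: USER is in LIST_OF_USERS (assumed colon-separated).
user_listed() {
  case ":$(sdpam_val "$1" LIST_OF_USERS):" in *":$2:"*) return 0 ;; esac
  return 1
}

# check DESCRIPTION COMMAND...: report one result and count failures.
check() {
  desc=$1; shift
  if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; fails=$((fails + 1)); fi
}

# preflight SSHD_CONFIG PAM_FILE SD_PAM_CONF USER: returns the failure count.
preflight() {
  fails=0
  check "UsePAM yes" test "$(sshd_opt "$1" UsePAM)" = yes
  check "PasswordAuthentication no" test "$(sshd_opt "$1" PasswordAuthentication)" = no
  check "ChallengeResponseAuthentication yes" \
    test "$(sshd_opt "$1" ChallengeResponseAuthentication)" = yes
  check "only active auth line is pam_securid.so" pam_auth_ok "$2"
  check "ENABLE_USERS_SUPPORT=1" test "$(sdpam_val "$3" ENABLE_USERS_SUPPORT)" = 1
  check "INCL_EXCL_USERS=1" test "$(sdpam_val "$3" INCL_EXCL_USERS)" = 1
  check "$4 is in LIST_OF_USERS" user_listed "$3" "$4"
  return "$fails"
}

# Usage: sh preflight.sh UserTest   (uses the file paths named in the post)
[ "$#" -ne 1 ] || preflight /etc/ssh/sshd_config /etc/pam.d/sshd /etc/sd_pam.conf "$1"
```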


3 Replies

Thanks, this gave me some added information to follow up on.