What can be done with the PAM agent for SecurID
My customer has asked me to work against a SecurID RADIUS server. He wants TFA for remote users.
I'm using RHEL 6.8, in command-line mode only (no GUI), and I've identified the agent I should use.
I'm just starting to use this site, so forgive me if the answers are out there, but at the moment I've only found generic documentation.
I have some questions that are not clear from the documentation:
Can I log in as root locally without needing the server or TFA?
Can I log in as a local user without needing the server or TFA?
Can the local user run applications without needing the server?
Do I need a token to log in locally? What tokens are suitable?
What if the server is not available?
Do remote users need a local account? (The documentation seems to say yes; the customer doesn't want that.)
How are remote users given a UID/GID? Presumably that is the reason for the local account.
How is something like a Nessus scan with credentials undertaken?
I am sure one of our engineers will chime in, but in the meantime, have a look at the documentation for the RSA Authentication Agent for PAM. From there you can go to https://community.rsa.com/docs/DOC-86301, which provides an overview of the RSA SecurID Authentication Agent 8.0 for PAM.
Thanks for taking the time, Erica. Yes, I've looked at the documentation, but it only explains how to set up / configure the agent, not what all the consequences of deploying the agent as described could be.
I'll keep looking, but hoped that I could gear off someone's experience and take a shortcut.
I have PAM Agent 7.3 installed, but I would guess that 8.0 would be pretty similar. When you install the PAM agent, there is an sd_pam.conf file that allows you to decide which groups/users, domain and local, are or are not challenged by RSA. Further, you can edit your auth files to point to the RSA server or leave them on your current auth method. What we do is challenge domain accounts for ssh, rdp, sudo and all forms of authentication with RSA, except specific accounts, i.e. service or root accounts.
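To make the split Patrick describes concrete (remote SSH logins challenged by SecurID, local console logins and root left on the existing stack), here is an added configuration example. It is not from this thread and not RSA's own sample; it assumes the agent installs its module as pam_securid.so, that sd_pam.conf uses the VAR_ACE / ENABLE_GROUP_SUPPORT / INCL_EXCL_GROUPS / LIST_OF_GROUPS keys with a colon-separated group list (key names recalled from the 7.x sample file; check the comments in the file your version ships), and that a local group named svcaccts holds the service accounts. Only the auth section of the sshd stack changes; account, password and session still come from the local stack, which is why PAM alone does not remove the need for a passwd entry: sshd still has to resolve the username to a UID/GID and home directory after PAM says "authenticated".

```conf
# ===== /etc/pam.d/sshd (excerpt, RHEL 6 layout) =====
# Remote SSH logins: the auth phase is handed to the SecurID agent.
# The commented line is the stock RHEL 6 entry it replaces.
auth       required     pam_sepermit.so
auth       required     pam_securid.so
#auth      include      password-auth
# Everything below stays local, so UID/GID, shell and home directory
# are still resolved from the local account database (getent passwd).
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    required     pam_loginuid.so

# ===== /etc/pam.d/login =====
# Deliberately NOT edited. The console/serial login stack never loads
# pam_securid.so, so root and other local users can log in at the console
# even when the RSA Authentication Manager is unreachable.

# ===== /etc/ssh/sshd_config (relevant lines) =====
# The agent prompts for a passcode interactively, so keyboard-interactive
# must be on; plain password auth is turned off so it cannot be chosen instead.
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no

# ===== /etc/sd_pam.conf (excerpt; key names are an assumption, see lead-in) =====
# Location of sdconf.rec and the node secret.
VAR_ACE=/var/ace
# Enable group-based include/exclude of SecurID challenges.
ENABLE_GROUP_SUPPORT=1
# 0 = challenge everyone EXCEPT the groups listed; 1 = challenge ONLY those groups.
INCL_EXCL_GROUPS=0
# root and the (assumed) svcaccts group are never prompted for a passcode.
LIST_OF_GROUPS=root:svcaccts
```

Before restarting sshd, keep an existing root session open and test from a second session with `ssh -o PreferredAuthentications=keyboard-interactive user@host`; a user in LIST_OF_GROUPS should get the ordinary password prompt from password-auth only if you also leave a fallback auth line, otherwise they are simply not challenged by the agent. Note that if you add pam_securid.so to /etc/pam.d/sudo as Patrick does, the same group exclusion applies there, so an excluded service account escalates without a token; decide whether that is what you want for each stack you touch.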
Thanks Patrick. I think that should give me enough clues to get the specific installation right and ensure separation of local and remote users.
Still not sure whether I have to create a UID/GID for ALL potential remote users even if they will never log on locally. Is this bound up with NIS or LDAP? I'd rather have a standalone host than have to bind it into the customer's network.