This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
SimonHall
Beginner
Beginner
‎2018-06-04 05:55 AM

What can be done with the PAM agent for SecureID

My customer has asked me to work against a SecureID RADIUS server. He wants TFA for remote users.

I'm using RHEL 6.8, in command line mode only (no GUI) and I've identified the agent I should use.

I'm just starting to use this site, so forgive me if the answers are out there but atm I've only found generic documentation

I have some questions that are not clear from the documentation:

Can I log in as root locally without needing the server or TFA?

Can I log in as a local user without needing the server or TFA?

Can the local user run applications without needing the server?

Do I need a token to log in locally? What tokens are suitable?

What if the server is not available?

Do remote users need a local account? (documentation seems to say yes, customer doesn't want that)

How are remote users given UID/GID - presumably that is the reason for local account.

How is something like a Nessus scan with credentials undertaken?

0 Likes
Reply
5 Replies
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2018-06-04 08:44 AM

Simon Hall‌,

 

I am sure one  of our engineers will chime in but in the meantime, have a look at the documentation for the RSA Authentication Agent for PAM.  From there you can go to https://community.rsa.com/docs/DOC-86301 which provides an Overview of the RSA SecurID Authentication Agent 8.0 for PAM.

 

Regards,

Erica

0 Likes
Reply
SimonHall
Beginner
Beginner
In response to _EricaChalfin
‎2018-06-04 08:52 AM

Thanks for taking the time Erica. Yes, I've looked at the documentation but it only explains how to set up / configure the agent, not what all the consequences could be of deploying the agent as described.

 

I'll keep looking, but hoped that I could gear off someone's experience and take a shortcut.

 

Regards

 

Simon

0 Likes
Reply
PatrickJohnson
Beginner
Beginner
‎2018-06-05 08:56 AM

I have PAM Agent 7.3 installed, but I would guess that 8.0 would be pretty similar.  When you install the PAM agent, there is an sd_pam.conf file that allows you to decide which groups/users, domain and local, are or are not challenged by RSA.  Further, you can edit your auth files to point to the RSA server or leave to your current auth method.  What we do is challenge domain accounts for ssh, rdp, sudo and all forms of authentication with RSA, except specific accounts, ie - service or root accounts.

Reply
SimonHall
Beginner
Beginner
In response to PatrickJohnson
‎2018-06-06 04:46 AM

Thanks Patrick. I think that should give me enough clues to get the specific installation right and ensure separation of local and remote users.

Still not sure whether I have to create UID/GID for ALL potential remote users even if they will never logon locally. Is this bound up with NIS or LDAP? I'd rather have a standalone host than have to bind it into the customer's network.

0 Likes
Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to PatrickJohnson
‎2018-06-06 10:07 AM

Patrick Johnson‌,

 

Thank you for the assist in answering Simon Hall‌'s question.

 

Regards,

Erica

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.