This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Adding additional operating system accounts to RSA Authentication Manager 8.x

Article Number

000037990

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

This article provides steps to add additional operating system accounts to RSA Authentication Manager.  Additional operating system accounts allow you to:
  • Track different administrator activity in Linux, and 
  • Provide a separate authenticated SSH account for a vulnerability scan tool; for example, your IT department is requesting SSH access in order to perform and authenticated scan the RSA Authentication Manager appliance.

 

Task

For a user to gain access to Linux, they need three things:
  1. A user ID in /etc/passwd.
  2. Access to SSH.  This will require a restart of sshd.
  3. Access to sudo.  This is optional if you want to prevent root and rsaadmin access via sudo.

Note: This means it is possible to give a scan account for your IT team SSH access without sudo access, by eliminating step 3.  

Resolution

To add an additional user, follow the steps below:
  1. Launch an SSH client, such as PuTTY.
  2. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password.

Note that during Quick Setup another user name may have been selected. Use that user name to login.

  1. Use sudo su - to gain root access:

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Wed Sep  4 11:32:58 2019 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am82p:~> sudo su -
rsaadmin's password: <enter operating system password>
am82p:~ #
  1. Add the new user ID in /etc/passwd  and set password for the user ID.  ScanAdmin is used in this example:

am82p:~ # useradd -m ScanAdmin
am82p:~ # passwd ScanAdmin
Changing password for ScanAdmin.
New Password: <enter new password>
Reenter New Password: <reenter new password>
Password changed.
  1. Before continuing, take a backup of /etc/ssh/sshd_config:

am82p:~ # cd /etc/ssh/
am82p:~ # cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bk
  1. Allow access to SSH by ScanAdmin by editing /etc/ssh/sshd_config:

am82p:~ # vi /etc/ssh/sshd_config
  1. Scroll down to the text # Example of overriding settings on a per-user basis.
  2. Press i to enter Insert mode.
  3. Add the newly created ScanAdmin user ID at end of last line, as shown.  Note there is just a space separating the user IDs.

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
AllowUsers rsaadmin ScanAdmin
  1. When done press Escape (Esc) to exit Insert mode.
  2. To save changes and close, type :wq!  To close the file without saving, type :q!
  3. Restart sshd after saving the file changes:

am82p:~ # /sbin/service sshd restart
Shutting down the listening SSH daemon                   done
Checking for missing server keys in /etc/ssh
Starting SSH daemon                                      done
  1.  Optionally, you can allow access to sudo by the ScanAdmin user.  Edit the sudoers file:

visudo -s -f /etc/sudoers
Note that if you use vi, you will have to confirm overwrite when saving.
  1. Scroll down to the bottom of the file and look for #Samples.
  2. Press i to enter Insert mode.
  3. Insert a blank line under the rsaadmin line.
  4. Copy the complete rsaadmin line and paste it below the existing rsaadmin information.  
  5. In the second line, replace rsaadmin with ScanAdmin.

# Samples
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now
rsaadmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py
ScanAdmin ALL = (ALL) ALL, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.sh, NOPASSWD: /opt/rsa/am/utils/bin/appliance/*.py
  1. When done press Escape (Esc) to exit Insert mode.
  2. To save changes and close, type :wq!  To close the file without saving, type :q!

Notes

The RSA Authentication Manager appliance does not have a root account that can logon to SSH or the console, it has the rsaadmin operating system account and password created at deployment, and allows root access through sudo with the rsaadmin password.
Was this article helpful? Yes No
100% helpful (1/1)

In this article

Version history
Last update:
‎2021-04-24 12:50 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.