An administrator is required to have root privileges at the command line of the Red Hat Enterprise Linux 6.8 server and must be familiar with Linux commands to navigate the Linux directory structure, to make changes to files and update file and folder permissions.

Using the methodology provided in the RSA Authentication Agent 8.0 for PAM Installation and Configuration Guide for configuring PAM components the /etc/pam.d/gnome-screensaver is updated and the change is shown below in bold. Existing auth lines are commented out with a hash and a new line for the pam_securid, so library is inserted after the first comment line.

[root@rhel68 ~]# cat /etc/pam.d/gnome-screensaver
#%PAM-1.0
auth required pam_securid.so
# Fedora Core
#auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
session    include      system-auth
#auth       include     system-auth
#auth       optional     pam_gnome_keyring.so
account    include      system-auth
password   include      system-auth

# SuSE/Novell
#auth       include      common-auth
#auth       optional     pam_gnome_keyring.so
#account    include      common-account
#password   include      common-password
#session    include      common-session
[root@rhel68 ~]#

After the change to /etc/pam.d/gnome-screensaver the <user> will see the GNOME screensaver flicker and not prompt for a password or passcode and the /var/log/messages file will report an error:

Nov 15 14:07:42 rhel68 gnome-screensaver-dialog: PAM adding faulty module: /lib64/security/pam_securid.so
Nov 15 14:07:42 rhel68 gnome-screensaver-dialog: PAM unable to dlopen(/lib64/security/pam_securid.so): /var/ace/lib/64bit/libpamrest.so: cannot open shared object file: Permission denied

The <user> requires access to the /var/ace/lib/64bit/libpamrest.so library. 

Where the <user> does have read access to /var/ace/lib/64bit/libpamrest.so the <user> will get prompted to enter a passcode. After entering a valid passcode a message ‘Checking’ appears for a period of time and then the <user> is returned back to the passcode prompt. Looking at the real-time authentication activity monitor during authentication the message “Node secret mismatch: cleared on the agent but not on server” was seen, however the RSA Authentication Agent for PAM already had a SecurID (node secret) file in /var/ace but with 400 permissions. Changing the permissions of SecurID to 444 will allow the GNOME screensaver, on behalf of the <user>, to access the node secret file and after successful authentication, the <user> was returned back to the desktop.

Below are the file and folder permissions found to get the GNOME screensaver to work with RSA Authentication Agent 8.0 for PAM:

[root@rhel68 var]# ls -lR ace
ace:
total 28
drw-r----- 2 root root 4096 Nov 15 13:33 conf
drwxr-xr-x 3 root root 4096 Nov 15 13:33 lib
drw-r----- 2 root root 4096 Nov 15 13:33 log
-rw-r--r-- 1 root root 2778 Nov 15 13:32 sdconf.rec
-rw-r--r-- 1 root root   23 Nov 15 13:33 sdopts.rec
-rw-r--r-- 1 root root 2434 Nov 15 14:23 sdstatus.1
-r--r--r-- 1 root root  512 Nov 15 13:38 securid

ace/conf:
total 16
-rwxr-xr-x 1 root root  929 Nov 15 13:33 log.properties
-rw-r----- 1 root root 2551 Nov 15 13:33 mfa_api.properties
-rwxr-xr-x 1 root root 4137 Nov 15 13:33 mfa_api_template.properties

ace/lib:
total 4
drwxr-xr-x 2 root root 4096 Nov 15 13:33 64bit

ace/lib/64bit:
total 8896
lrwxrwxrwx 1 root root      20 Nov 15 13:33 liblog4cxx.so -> liblog4cxx.so.10.0.0
lrwxrwxrwx 1 root root      20 Nov 15 13:33 liblog4cxx.so.10 -> liblog4cxx.so.10.0.0
-rwxr-xr-x 1 root root 4114107 Nov 15 13:33 liblog4cxx.so.10.0.0
-rwxr-xr-x 1 root root 4989637 Nov 15 13:33 libpamrest.so

ace/log:
total 0
[root@rhel68 var]#