SecurID^® Knowledge Base

Yes

Article Number

000035327

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1
Platform: Linux

Issue

An administrator would like to enable SELinux on a machine with the RSA Authentication Agent 7.1 for PAM. SELinux requires certain modules to be installed first, otherwise it will not work after installing the PAM agent.

Cause

The required modules for SELinux are not installed prior to installing the RSA Authentication Agent 7.1 for PAM.

Resolution

Install the following modules on the machine prior to installing the Authentication Agent for PAM.

Install the RSA prerequisites:

selinux-policy-devel.rpm
noarchpolicycoreutils-devel.rpm

sudo yum install selinux-policy-devel*.noarch policycoreutils-devel*

Create the /opt/rsa directory.

mkdir /opt/rsa

Create a text file called /opt/rsa/sdopts.rec with the following content:

CLIENT_IP=<IP address of the server on which you are installing the PAM agent>

Ensure that both the new sdopts.rec file and the sdconf.rec file are owned by root:root and have the permissions of 644 (owner can read/write, group and world read only):

chown root:root /opt/rsa/sdopts.rec
chmod 644 /opt/rsa/sdopts.rec
chownr root:root /opt/rsa/sdconf.rec
chmod 600 /opt/rsa/sdconf.rec

Make a backup copy of /etc/ssh/sshd_config file

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.old

Update the /etc/ssh/sshd_config file to include the following values:

UsePam yes
PasswordAuthentication no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
PublicKeyAuthentication no

Untar the PAM-Agent tar ball in to any local directory.

tar -xvf <filename>.tar

Execute the install_pam.sh shell script located in the PAM-Agent directory created from unpacking the tar ball. Make sure to supply the correct path the sdconf.rec (/opt/rsa), otherwise you will use the default responses for all questions asked during the install.

/<filename>/install_pam.sh

Update the /etc/sd_pam.conf file such that the VAR_ACE variable points to the correct location of the sdconf.rec file located in /opt/rsa.
Update the /etc/pam.d/sshd file as follows:
1. Comment out ALL lines containing "auth"
2. Add the following line to the bottom of the file:

auth  required     pam_securid.so

Restart sshd. As root,

/usr/sbin/sshd restart

Test authentication by executing /opt/pam/bin/64bit/acetest.
Test SSH authentication from a remote host.

Notes

The following is the output from the install_pam.sh from the point that the EULA is accepted:


Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A

Enter Directory where sdconf.rec is located [/var/ace]/opt/rsa

Please enter the root path for the RSA Authentication Agent for PAM directory [/opt]

The RSA Authentication Agent for PAM 7.1 will be installed in the /opt directory.

pam/
pam/doc/
pam/doc/auth_agent_PAM_RHEL.pdf
pam/doc/auth_agent_PAM_SUSE.pdf
pam/bin/
pam/bin/64bit/
pam/bin/64bit/acestatus
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/32bit/
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/32bit/acetest
pam/lib/
pam/lib/64bit/
pam/lib/64bit/pam_securid.so
pam/lib/32bit/
pam/lib/32bit/pam_securid.so

**********************************************************************

*         Adding label for pam_securid.so                            *

ValueError: File spec /lib64/security//pam_securid.so conflicts with equivalency rule '/lib64 /usr/lib'; 
Try adding '/usr/lib/security//pam_securid.so' instead

*         Adding label for /opt/rsa directory                        *

*         Creating rsapolicy.pp policy file                          *

Compiling targeted rsapolicy module

/usr/bin/checkmodule:  loading policy configuration from tmp/rsapolicy.tmp

/usr/bin/checkmodule:  Module name local is different than the output base filename rsapolicy

make: *** [tmp/rsapolicy.mod] Error 1

libsemanage.map_file: Unable to open rsapolicy.pp

(No such file or directory).

libsemanage.semanage_direct_install_file: Unable to read file rsapolicy.pp

(No such file or directory).

semodule:  Failed on textrel_shlib_t.pp!

**********************************************************************

Checking /etc/sd_pam.conf:

VAR_ACE does not exist - entry will be appended

RSATRACELEVEL does not exist - entry will be appended

RSATRACEDEST does not exist - entry will be appended

ENABLE_USERS_SUPPORT does not exist - entry will be appended

INCL_EXCL_USERS does not exist - entry will be appended

LIST_OF_USERS does not exist - entry will be appended

PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended

ENABLE_GROUP_SUPPORT does not exist - entry will be appended

INCL_EXCL_GROUPS does not exist - entry will be appended

LIST_OF_GROUPS does not exist - entry will be appended

PAM_IGNORE_SUPPORT does not exist - entry will be appended

AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended

AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended

AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended

AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended

BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended

SecurID^® Knowledge Base

Configuring RSA Authentication Agent 7.1 for PAM on SELinux

Article Number

Applies To

Issue

Cause

Resolution

Notes

In this article

SecurID® Knowledge Base

Configuring RSA Authentication Agent 7.1 for PAM on SELinux

Article Number

Applies To

Issue

Cause

Resolution

Notes

In this article

Related Content

SecurID^® Knowledge Base