This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

How to install and configure the SecurID PAM 8.1.3 agent on Ubuntu 18.04

Article Number

000064679

Applies To

Ubuntu 18.04 bionic
PAM Agent 8.1.3

Issue

Install and Configure PAM agent 8.1.3 on Ubuntu 18.04

Resolution

Server Preparation:

1- Download the PAM agent 

ayman@ubuntu:~$ wget -P $HOME/<URL of the PAM agent>

2- Create the configuration directory: 

ayman@ubuntu:~$  sudo mkdir /var/ace
ayman@ubuntu:~$  sudo chmod 0700 /var/ace

3- Copy the configuration file to /var/ace: 

ayman@ubuntu:~$ sudo mv $HOME/sdconf.rec.txt /var/ace/sdconf.rec

4- Create the sdopts.rec file: 

ayman@ubuntu:~$ sudo echo “CLIENT_IP=192.168.XXX.XXX” > /var/ace/sdopts.rec
Where Client_IP is the IP of the Ubuntu server

Install PAM Agent:

1- Untar the download file 

ayman@ubuntu:~$ tar -xf $HOME/downloads/PAM-Agent_v7.1.0.1.16.05_06_13_02_04_01.tar
ayman@ubuntu:~$ chown -R root:root PAM-Agent_v7.1.0.1.16.05_06_13_02_04_01
2- Install the agent: 

ayman@ubuntu:~$ cd PAM-Agent_v8.1.3.139.04_19_21_01_39_13/
ayman@ubuntu:~$ ./install_pam.sh
....
Output Omitted
....
Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D] : A

your answer: A

checking..... /opt/pam
Directory /opt/pam doesn't exist
Proceeding with a new installation....

-----------------------------------------
Choose an RSA SecurID Authentication Mode
-----------------------------------------
0) RSA Authentication Manager with the UDP Protocol
1) RSA Authentication Manager with the REST Protocol
2) Cloud Authentication Service with the REST Protocol

Select which operation mode you would like to configure for authentication [0/1/2] : 0

your answer: 0

You have selected the UDP Protocol for authentication.

Enter Directory where sdconf.rec is located [/var/ace] :

your answer:
use default: /var/ace


Please enter the root path for the RSA Authentication Agent for PAM directory [/opt] :

your answer:
use default: /opt

The RSA Authentication Agent for PAM 8.1.3 [139] will be installed in the /opt directory.
pam/
pam/conf/
pam/conf/mfa_api_template.properties
pam/conf/log.properties
pam/lib/
pam/lib/32bit/
pam/lib/32bit/libpamrest32.so
pam/lib/32bit/liblog4cxx.so.10.0.0
pam/lib/32bit/pam_securid.so
pam/lib/64bit/
pam/lib/64bit/liblog4cxx.so.10.0.0
pam/lib/64bit/libpamrest.so
pam/lib/64bit/pam_securid.so
pam/bin/
pam/bin/32bit/
pam/bin/32bit/acetest
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/64bit/
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/64bit/acestatus

Checking /etc/sd_pam.conf:

VAR_ACE does not exist - entry will be appended
AGENT_ROOT does not exist - entry will be appended
OPERATION_MODE does not exist - entry will be appended
RSATRACELEVEL does not exist - entry will be appended
RSATRACEDEST does not exist - entry will be appended
ENABLE_USERS_SUPPORT does not exist - entry will be appended
INCL_EXCL_USERS does not exist - entry will be appended
LIST_OF_USERS does not exist - entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
CHALLENGE_IGNORE_CASE does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended

Checking /var/ace/conf/mfa_api.properties:

REST_URL does not exist - entry will be appended
CLIENT_KEY does not exist - entry will be appended
CA_CERT_FILE_PATH does not exist - entry will be appended
CLIENT_ID does not exist - entry will be appended
CONNECT_TIMEOUT does not exist - entry will be appended
READ_TIMEOUT does not exist - entry will be appended
MAX_RETRIES does not exist - entry will be appended

*****************************************************************************
* You have successfully installed RSA Authentication Agent 8.1.3 [139] for PAM
*****************************************************************************


Configure the SSH service:

1- Check the configuration of the SSH service to be as follow: 

ayman@ubuntu:~$ cat /etc/ssh/sshd_config | egrep "UsePAM|PasswordAuthentication|PasswordAuthentication" | grep -v "#"
PasswordAuthentication no
UsePAM yes
PasswordAuthentication yes

2- Configure the /etc/pam.d/sshd 

ayman@ubuntu:~$ cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
ayman@ubuntu:~$ vi /etc/pam.d/sshd
# @include common-auth >> Hash this line
auth       required    pam_securid.so   # Add the following line

3- Restart SSH service 

ayman@ubuntu:~$systemctl restart sshd

4- Follow the steps in the KB 000031069 to configure the challenged users 
 
https://community.rsa.com/t5/rsa-securid-access-knowledge/enable-linux-password-authentication-along-with-rsa/ta-p/2145
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-08-30 01:49 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.