Server Preparation:
1- Download the PAM agent
ayman@ubuntu:~$ wget -P $HOME/downloads <URL of the PAM agent>
2- Create the configuration directory:
ayman@ubuntu:~$ sudo mkdir /var/ace
ayman@ubuntu:~$ sudo chmod 0700 /var/ace
3- Copy the configuration file to /var/ace:
ayman@ubuntu:~$ sudo mv $HOME/sdconf.rec.txt /var/ace/sdconf.rec
4- Create the sdopts.rec file:
ayman@ubuntu:~$ echo "CLIENT_IP=192.168.XXX.XXX" | sudo tee /var/ace/sdopts.rec
Where CLIENT_IP is the IP address of the Ubuntu server.
Install PAM Agent:
1- Untar the downloaded file:
ayman@ubuntu:~$ tar -xf $HOME/downloads/PAM-Agent_v8.1.3.139.04_19_21_01_39_13.tar
ayman@ubuntu:~$ sudo chown -R root:root PAM-Agent_v8.1.3.139.04_19_21_01_39_13
2- Install the agent:
ayman@ubuntu:~$ cd PAM-Agent_v8.1.3.139.04_19_21_01_39_13/
ayman@ubuntu:~$ sudo ./install_pam.sh
....
Output Omitted
....
Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D] : A
your answer: A
checking..... /opt/pam
Directory /opt/pam doesn't exist
Proceeding with a new installation....
-----------------------------------------
Choose an RSA SecurID Authentication Mode
-----------------------------------------
0) RSA Authentication Manager with the UDP Protocol
1) RSA Authentication Manager with the REST Protocol
2) Cloud Authentication Service with the REST Protocol
Select which operation mode you would like to configure for authentication [0/1/2] : 0
your answer: 0
You have selected the UDP Protocol for authentication.
Enter Directory where sdconf.rec is located [/var/ace] :
your answer:
use default: /var/ace
Please enter the root path for the RSA Authentication Agent for PAM directory [/opt] :
your answer:
use default: /opt
The RSA Authentication Agent for PAM 8.1.3 [139] will be installed in the /opt directory.
pam/
pam/conf/
pam/conf/mfa_api_template.properties
pam/conf/log.properties
pam/lib/
pam/lib/32bit/
pam/lib/32bit/libpamrest32.so
pam/lib/32bit/liblog4cxx.so.10.0.0
pam/lib/32bit/pam_securid.so
pam/lib/64bit/
pam/lib/64bit/liblog4cxx.so.10.0.0
pam/lib/64bit/libpamrest.so
pam/lib/64bit/pam_securid.so
pam/bin/
pam/bin/32bit/
pam/bin/32bit/acetest
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/64bit/
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/64bit/acestatus
Checking /etc/sd_pam.conf:
VAR_ACE does not exist - entry will be appended
AGENT_ROOT does not exist - entry will be appended
OPERATION_MODE does not exist - entry will be appended
RSATRACELEVEL does not exist - entry will be appended
RSATRACEDEST does not exist - entry will be appended
ENABLE_USERS_SUPPORT does not exist - entry will be appended
INCL_EXCL_USERS does not exist - entry will be appended
LIST_OF_USERS does not exist - entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
CHALLENGE_IGNORE_CASE does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended
Checking /var/ace/conf/mfa_api.properties:
REST_URL does not exist - entry will be appended
CLIENT_KEY does not exist - entry will be appended
CA_CERT_FILE_PATH does not exist - entry will be appended
CLIENT_ID does not exist - entry will be appended
CONNECT_TIMEOUT does not exist - entry will be appended
READ_TIMEOUT does not exist - entry will be appended
MAX_RETRIES does not exist - entry will be appended
*****************************************************************************
* You have successfully installed RSA Authentication Agent 8.1.3 [139] for PAM
*****************************************************************************
Configure the SSH service:
1- Check that the SSH service is configured as follows:
ayman@ubuntu:~$ grep -E "UsePAM|PasswordAuthentication" /etc/ssh/sshd_config | grep -v "#"
PasswordAuthentication no
UsePAM yes
PasswordAuthentication yes
2- Configure /etc/pam.d/sshd:
ayman@ubuntu:~$ sudo cp /etc/pam.d/sshd /etc/pam.d/sshd.orig
ayman@ubuntu:~$ sudo vi /etc/pam.d/sshd
# @include common-auth    >> Comment out this line
auth required pam_securid.so    # Add this line
3- Restart the SSH service:
ayman@ubuntu:~$ sudo systemctl restart sshd
4- Follow the steps in KB 000031069 to configure the challenged users:
https://community.rsa.com/t5/rsa-securid-access-knowledge/enable-linux-password-authentication-along-with-rsa/ta-p/2145
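
One way to verify the result of the steps above (an added example, not part of the original page or of the RSA agent): it checks the /var/ace permissions and files, the edited /etc/pam.d/sshd, and which sshd_config value is actually in effect when a keyword appears more than once. The function names are hypothetical and the sshd_config reader is a simplification that ignores Include and Match; `sshd -T` prints the authoritative values.

```shell
# Added example (not from the page); paths are parameters so copies can be checked.

# Print the value sshd uses for keyword $2 in file $1. sshd keeps the first
# value it reads for a keyword. Simplification (assumption): Include and
# Match blocks are not followed.
effective_sshd_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# Succeed only if file $1 has an active auth line for pam_securid.so and
# "@include common-auth" is no longer active.
check_pam_sshd() {
    local rc=0
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_securid\.so' "$1"; then
        echo "FAIL: no active 'auth ... pam_securid.so' line in $1"; rc=1
    fi
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"; then
        echo "FAIL: '@include common-auth' is still active in $1"; rc=1
    fi
    return "$rc"
}

# Succeed only if directory $1 is mode 0700 with non-empty sdconf.rec and sdopts.rec.
check_ace_dir() {
    local rc=0 f
    if [ -z "$(find "$1" -maxdepth 0 -perm 700 2>/dev/null)" ]; then
        echo "FAIL: $1 is missing or not mode 0700"; rc=1
    fi
    for f in sdconf.rec sdopts.rec; do
        [ -s "$1/$f" ] || { echo "FAIL: $1/$f is missing or empty"; rc=1; }
    done
    return "$rc"
}

# Run every check; arguments default to the paths used on this page.
verify_securid_ssh() {
    local ace="${1:-/var/ace}" pam="${2:-/etc/pam.d/sshd}"
    local sshd="${3:-/etc/ssh/sshd_config}" rc=0
    check_ace_dir "$ace" || rc=1
    check_pam_sshd "$pam" || rc=1
    [ "$(effective_sshd_value "$sshd" UsePAM)" = "yes" ] || { echo "FAIL: UsePAM is not yes"; rc=1; }
    echo "PasswordAuthentication in effect: $(effective_sshd_value "$sshd" PasswordAuthentication)"
    return "$rc"
}
if [ "${1:-}" = "--run" ]; then verify_securid_ssh; fi  # run as root: bash FILE --run
```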