The RSA Authentication Agent 7.1 for PAM module does not authenticate users, although the 'acetest' program authenticates users successfully.
Administrators can download the attached pam_sidtest zip file, which contains two compiled programs, one for Red Hat 7 and one for SUSE 11.
Usage:
- Download the pam_sidtest.zip file from this knowledge article.
- Unpack the zip file to extract two pam_sidtest programs (pam_sidtest/64bit/REDHAT/pam_sidtest & pam_sidtest/64bit/SUSE/pam_sidtest).
- Copy the appropriate version of pam_sidtest onto the operating system hosting the RSA Authentication Agent 7.x for PAM software.
NOTE: by default the RSA Authentication Agent for PAM is installed into the /opt/pam folder, so pam_sidtest can be copied into the /opt/pam/bin/64bit folder, which also stores the acestatus, acetest and ns_conv_util applications. Refer to the Troubleshooting section of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for further information on the usage of these applications.
- Create a file called /etc/pam.d/pam_sidtest and add a single line in this file:
auth required pam_securid.so debug
- Create an environment variable called VAR_ACE that points to the folder where the SecurID configuration files are stored.
Example:
VAR_ACE=/var/ace; export VAR_ACE
NOTE: By default the SecurID configuration files (sdconf.rec, sdopts.rec, sdstatus.12 & securid) are located in the /var/ace folder.
- The SecurID PAM module pam_securid.so uses the configuration file /etc/sd_pam.conf, so make sure this file is configured as described in the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide.
Example: the following /etc/sd_pam.conf challenges all users except root with SecurID, and has debug logging enabled (RSATRACELEVEL & RSATRACEDEST).
#VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go
# default value is /var/ace
VAR_ACE=/var/ace
#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
# :: 0 Disable logging for securid authentication
# :: 1 Logs regular messages for securid authentication
# :: 2 Logs function entry points for securid authentication
# :: 4 Logs function exit points for securid authentication
# :: 8 All logic flow controls use this for securid authentication
# NOTE :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8
#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
# :: If this is not set, by default the logs go to Error output.
RSATRACEDEST=/tmp/PAMdebug.log
#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
#INCL_EXCL_USERS :: 0 exclude users from securid authentication
# :: 1 include users for securid authentication
# default value is 0
INCL_EXCL_USERS=0
#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=root
#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0
#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0
#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
# :: 0 to never prompt the listed groups for securid authentication (exclude)
# default value is 0
INCL_EXCL_GROUPS=0
#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=
#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=0
#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :
#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :
#BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS :: 0 Disable retry UNIX authentication after failed login attempt
# :: 1 Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
# :: 2 Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
# :: 3 Enable retry UNIX authentication after failed login attempt with pow(3, failattempts) sec delay
# :: 4 Enable retry UNIX authentication after failed login attempt with pow(4, failattempts) sec delay
# :: 5/Above Enable retry UNIX authentication after failed login attempt with pow(5/Above, failattempts) sec delay
# :: If no BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS setting is present, then treated as pow(4, failattempts) sec delay
# default value is 4
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
- Use the pam_sidtest program as root to test the RSA Authentication Agent for PAM module.
Examples:
..on SUSE Enterprise Server 11:
suse11sp4:/opt/pam/bin/64bit # ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
suse11sp4:/opt/pam/bin/64bit #
..on Red Hat 7 server:
[root@redhat7 64bit]# ./pam_sidtest
----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
auth required pam_securid.so debug
------------------------------------
Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644
Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
[root@redhat7 64bit]#
Should the message "pam_authenticate() failed with reason [7]: Authentication failure" appear during authentication testing, check the following:
- Valid credentials have been entered at the prompts.
- An authentication agent record exists for the server hosting the RSA Authentication Agent for PAM. Check in the Security Console > Access > Authentication Agents > Manage Existing.
- Use the real-time authentication monitor to check how the authentication manager deployment is processing the authentication (Security Console > Reporting > Real-time Activity Monitors > Authentication Activity Monitor > click Start Monitor button).
- Review the PAM module debug that was written to /var/log/messages.
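The following script is an added example, not RSA's code: it checks the prerequisites that pam_sidtest itself prints at start-up (the /etc/pam.d/pam_sidtest line, the VAR_ACE folder and sdconf.rec) and reads the user-exclusion keys of sd_pam.conf exactly as the example above documents them, reporting whether a given user would be challenged by SecurID or fall through to UNIX/PAM_IGNORE. It assumes LIST_OF_USERS is comma-separated, models only the user keys (not the group keys), and runs on constructed sample files rather than the live system.

```shell
#!/bin/sh
# Added pre-flight check for the pam_sidtest procedure (not RSA's code).
# Assumptions: LIST_OF_USERS is comma-separated; only the user-exclusion
# keys of sd_pam.conf are modelled, not the group keys.

# Print the value of KEY from a KEY=value file ('#' lines are comments).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Decide what sd_pam.conf does with USER: "securid" (challenged by SecurID),
# "excluded:unix" (falls through to UNIX auth) or "excluded:pam_ignore".
securid_decision() {  # securid_decision CONF USER
    conf=$1; user=$2; listed=0
    for u in $(conf_get "$conf" LIST_OF_USERS | tr ',' ' '); do
        [ "$u" = "$user" ] && listed=1
    done
    case "$(conf_get "$conf" PAM_IGNORE_SUPPORT_FOR_USERS)" in
        1) fallback=excluded:pam_ignore ;; *) fallback=excluded:unix ;;
    esac
    if [ "$(conf_get "$conf" ENABLE_USERS_SUPPORT)" != "1" ]; then
        echo securid                     # user support off: everyone is challenged
    elif [ "$(conf_get "$conf" INCL_EXCL_USERS)" = "1" ]; then
        [ $listed -eq 1 ] && echo securid || echo "$fallback"   # list = included
    else
        [ $listed -eq 1 ] && echo "$fallback" || echo securid   # list = excluded
    fi
}

# Check what pam_sidtest asks for: the pam.d line, the VAR_ACE folder and a
# readable sdconf.rec inside it. Returns 0 when everything is in place, 1 otherwise.
preflight() {  # preflight PAMD_FILE ACE_DIR
    ok=0
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_securid\.so' "$1" 2>/dev/null \
        || { echo "missing 'auth required pam_securid.so' in $1"; ok=1; }
    [ -d "$2" ] || { echo "VAR_ACE folder $2 does not exist"; ok=1; }
    [ -r "$2/sdconf.rec" ] || { echo "sdconf.rec missing or unreadable in $2"; ok=1; }
    return $ok
}

# Demo on constructed files mirroring the page's sd_pam.conf (root excluded).
demo=$(mktemp -d)
mkdir "$demo/ace"; : > "$demo/ace/sdconf.rec"
echo 'auth required pam_securid.so debug' > "$demo/pam_sidtest"
printf 'ENABLE_USERS_SUPPORT=1\nINCL_EXCL_USERS=0\nLIST_OF_USERS=root\nPAM_IGNORE_SUPPORT_FOR_USERS=0\n' > "$demo/sd_pam.conf"
preflight "$demo/pam_sidtest" "$demo/ace" && echo "preflight OK"
echo "root    -> $(securid_decision "$demo/sd_pam.conf" root)"      # excluded:unix
echo "rsatest -> $(securid_decision "$demo/sd_pam.conf" rsatest)"   # securid
rm -rf "$demo"
```

Point preflight at the real /etc/pam.d/pam_sidtest and $VAR_ACE, and securid_decision at /etc/sd_pam.conf, to see which of the page's prerequisites a failing host is missing before re-running pam_sidtest.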
RSA Authentication Agent for PAM documentation, technical specifications and links to software can be found at URL
https://community.rsa.com/community/products/securid/authentication-agent-pam