Testing the RSA Authentication Agent for PAM Module
Originally Published: 2017-08-14
Article Number
000063460
Applies To
RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Agent for PAM
RSA Version/Condition: 7.1
Platform : Linux
Platform (Other) : Red Hat 7 (64-bit) / SUSE 11 (64-bit)
Issue
The RSA Authentication Agent 7.1 for PAM module does not authenticate users; however, the 'acetest' program successfully authenticates the same users.
Resolution
Administrators can download the attached pam_sidtest zip file which contains two compiled programs for the Red Hat 7 & SUSE 11 operating systems.

Usage:
  1. Download the pam_sidtest.zip file from this knowledge article.
  2. Unpack the zip file to extract two pam_sidtest programs (pam_sidtest/64bit/REDHAT/pam_sidtest & pam_sidtest/64bit/SUSE/pam_sidtest).
  3. Copy the appropriate version of pam_sidtest onto the operating system hosting the RSA Authentication Agent 7.x for PAM software.
NOTE: By default the RSA Authentication Agent for PAM is installed into the /opt/pam folder, so pam_sidtest can be copied into the /opt/pam/bin/64bit folder, which also holds the acestatus, acetest and ns_conv_util applications. Refer to the Troubleshooting section of the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for further information on the usage of these applications.
  4. Create a file called /etc/pam.d/pam_sidtest containing a single line:
auth required pam_securid.so debug
  5. Create an environment variable called VAR_ACE that points to the folder where the SecurID configuration files are stored.
Example:
VAR_ACE=/var/ace; export VAR_ACE
NOTE: By default the SecurID configuration files (sdconf.rec, sdopts.rec, sdstatus.12 and securid) are located in the /var/ace folder.
  6. The SecurID PAM module pam_securid.so uses the configuration file /etc/sd_pam.conf, so make sure this file is configured as described in the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide.
Example: the following /etc/sd_pam.conf challenges all users except root, and debug logging has been enabled (RSATRACELEVEL and RSATRACEDEST):
#VAR_ACE ::  the location where the sdconf.rec, sdstatus.12 and securid files will go
# default value is /var/ace
VAR_ACE=/var/ace


#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
#                   :: 0 Disable logging for securid authentication
#                   :: 1 Logs regular messages for securid authentication
#                   :: 2 Logs function entry points for securid authentication
#                   :: 4 Logs function exit points for securid authentication
#                   :: 8 All logic flow controls use this for securid authentication
# NOTE              :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8


#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
#                   :: If this is not set, by default the logs go to Error output.
RSATRACEDEST=/tmp/PAMdebug.log


#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1


#INCL_EXCL_USERS :: 0 exclude users from securid authentication
#                   :: 1 include users for  securid authentication
# default value is 0
INCL_EXCL_USERS=0


#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=root


#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0


#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0


#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
#                 :: 0 to never prompt the listed groups for securid authentication (exclude)
# default value is 0
INCL_EXCL_GROUPS=0


#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=


#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=0


#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :


#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :


#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :


#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :


#BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS :: 0  Disable retry UNIX authentication after failed login attempt
#                   :: 1  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 2  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 3  Enable retry UNIX authentication after failed login attempt with pow(3, failattempts) sec delay
#                   :: 4  Enable retry UNIX authentication after failed login attempt with pow(4, failattempts) sec delay
#                   :: 5/Above  Enable retry UNIX authentication after failed login attempt with pow(5/Above, failattempts) sec delay
#                   :: If no BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS setting is present, then  treated as pow(4, failattempts) sec delay
# default value is 4
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
  7. Run the pam_sidtest program as root to test the RSA Authentication Agent for PAM module.
Examples:
On SUSE Linux Enterprise Server 11:

suse11sp4:/opt/pam/bin/64bit # ./pam_sidtest

----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
        auth required pam_securid.so debug
------------------------------------

Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644

Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
suse11sp4:/opt/pam/bin/64bit #
On a Red Hat 7 server:

[root@redhat7 64bit]# ./pam_sidtest

----- READ THIS !!! ----------------
This is program tests the pam_securid module
Make sure that you have a file called /etc/pam.d/pam_sidtest with the following line :
        auth required pam_securid.so debug
------------------------------------

Environment variable VAR_ACE points to [/var/ace].
Make sure that sdconf.rec is in that folder and that the folder permissions are at least 0644

Enter USERNAME:rsatest
Enter PASSCODE:
Authenticated
[root@redhat7 64bit]#

Should the message "pam_authenticate() failed with reason [7]: Authentication failure" appear during authentication testing then check the following:
  • Valid credentials have been entered at the prompts.
  • An authentication agent record exists for the server hosting the RSA Authentication Agent for PAM. Check in the Security Console > Access > Authentication Agents > Manage Existing.
  • Use the real-time authentication monitor to check how the authentication manager deployment is processing the authentication (Security Console > Reporting > Real-time Activity Monitors > Authentication Activity Monitor > click Start Monitor button).
  • Review the PAM module debug that was written to /var/log/messages.
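A pre-flight script for the setup above (the /etc/pam.d/pam_sidtest line, the VAR_ACE folder, and the sd_pam.conf trace and user-exclusion settings), added here as an example; it is not part of the RSA article or the agent software. It assumes group support is disabled and that LIST_OF_USERS entries are separated by colons, commas or blanks (the article only shows a single name).

```shell
#!/bin/sh
# Pre-flight checks for the pam_sidtest procedure. Added example, not part of
# the RSA article or the agent. Every function takes explicit paths so it can
# be run against copies of the files before touching a production host.

# check_pam_service FILE: the stack must contain the required securid line
# (comment lines and extra whitespace are tolerated).
check_pam_service() {
    [ -f "$1" ] || { echo "missing $1"; return 1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securid\.so[[:space:]]+debug[[:space:]]*$' "$1" \
        || { echo "$1 lacks 'auth required pam_securid.so debug'"; return 1; }
}

# check_ace_dir DIR: sdconf.rec must exist and be readable in the VAR_ACE folder.
check_ace_dir() {
    [ -f "$1/sdconf.rec" ] || { echo "$1/sdconf.rec missing"; return 1; }
    [ -r "$1/sdconf.rec" ] || { echo "$1/sdconf.rec not readable"; return 1; }
}

# conf_value FILE KEY: value of KEY in sd_pam.conf; '#' comment lines never match.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# trace_destination FILE: where module debug is written: RSATRACEDEST, or
# stderr when it is unset (as the sd_pam.conf comment says). Fails if tracing is off.
trace_destination() {
    level=$(conf_value "$1" RSATRACELEVEL)
    [ "${level:-0}" -ne 0 ] 2>/dev/null || { echo "tracing disabled (RSATRACELEVEL=0)"; return 1; }
    dest=$(conf_value "$1" RSATRACEDEST)
    echo "${dest:-stderr}"
}

# securid_challenged FILE USER: returns 0 if USER would get a SecurID prompt
# under the user include/exclude settings, 1 if not. Assumes group support is
# disabled; the list separator (':' ',' or blanks) is an assumption.
securid_challenged() {
    [ "$(conf_value "$1" ENABLE_USERS_SUPPORT)" = "1" ] || return 0   # no user filtering
    listed=1
    for u in $(conf_value "$1" LIST_OF_USERS | tr ':,' '  '); do
        [ "$u" = "$2" ] && listed=0
    done
    if [ "$(conf_value "$1" INCL_EXCL_USERS)" = "1" ]; then
        return $listed            # include mode: only listed users are challenged
    fi
    [ $listed -eq 0 ] && return 1 # exclude mode: listed users skip SecurID
    return 0
}
```

Run the functions against the live paths (`check_pam_service /etc/pam.d/pam_sidtest`, `check_ace_dir "$VAR_ACE"`, `trace_destination /etc/sd_pam.conf`) before invoking pam_sidtest; note that setting INCL_EXCL_USERS=1 with LIST_OF_USERS=root inverts the article's intent, so that only root is challenged.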
Notes
RSA Authentication Agent for PAM documentation, technical specifications and links to software can be found at URL https://community.rsa.com/community/products/securid/authentication-agent-pam