Article Number
000038366
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Issue
When an unchallenged Active Directory user tries to authenticate to a Linux system protected using the RSA Authentication Agent for PAM, they are asked to provide a password. However, after entering the password, authentication fails even though the password is correct.
Cause
The RSA Authentication Agent for PAM Installation Guide instructs administrators to comment out all auth modules in the protected service and keep pam_securid.so as the only auth module, as in the example below:
#%PAM-1.0
auth required pam_securid.so
#auth required pam_sepermit.so
#auth substack password-auth
#auth include postlogin
That is acceptable when the environment only has internal Linux users, because pam_securid.so can handle both SecurID authentication and local Linux (UNIX) authentication. It does not work for Active Directory users, because pam_securid.so cannot perform Active Directory authentication, so the AD password is rejected.
Resolution
The solution is to add the module that can handle Active Directory authentication. Which module that is (pam_winbind.so, pam_sss.so or another) depends on how Active Directory is integrated. After adding the needed module, stack the modules so that they produce the required behaviour. You must also change the agent's configuration so that pam_securid.so passes non-SecurID authentications on to the subsequent modules instead of failing them.
This configuration authenticates the SecurID passcode first and then the AD password for challenged users, and only the AD password for unchallenged users. The example assumes that AD integration uses Winbind.
- In /etc/sd_pam.conf, change both PAM_IGNORE_SUPPORT_FOR_USERS and PAM_IGNORE_SUPPORT to 1, as shown below:
#PAM_IGNORE_SUPPORT_FOR_USERS
# :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=1
#PAM_IGNORE_SUPPORT
# :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=1
- In the PAM file of the protected service (for example, /etc/pam.d/sshd for sshd), change the auth configuration to the following.
auth required pam_securid.so not_set_pass
auth required pam_winbind.so
#auth required pam_sepermit.so
#auth substack password-auth
#auth include postlogin
If SecurID-authenticated users should not also be asked for their AD password, this can be achieved with the PAM complex control values shown below. These advanced control values are not supported on all Linux systems; check your operating system documentation to confirm that your version supports them.
auth [success=done ignore=ignore default=die] pam_securid.so not_set_pass
auth required pam_winbind.so
#auth required pam_sepermit.so
#auth substack password-auth
#auth include postlogin
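The following is an added example, not code from the RSA article or from the PAM agent: a small simulator of how Linux-PAM walks an auth stack, following the control-flag rules in pam.conf(5). It parses pam.d-style lines (both the keyword controls and the bracketed [value=action ...] form), then evaluates the stack for a set of assumed per-module results. The module results are assumptions chosen to mirror the article: with PAM_IGNORE_SUPPORT=0 the lone pam_securid.so falls back to UNIX authentication and fails for an AD user, with PAM_IGNORE_SUPPORT=1 it returns PAM_IGNORE and pam_winbind.so verifies the AD password, and with the complex control a good passcode ends the stack before pam_winbind.so is consulted. The sample stacks are constructed here and the function names are the example's own.

```python
"""Simulate Linux-PAM auth-stack evaluation for the stacks discussed above.

This is a model of the pam.conf(5) control semantics, not a PAM client:
module return values are supplied by the caller, not produced by modules.
"""
import re

# Keyword controls expanded to their [value=action] equivalents (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

LINE_RE = re.compile(
    r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\w+)\s+(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_stack(text, service_type="auth"):
    """Return [(control_table, module, args)] for one service type,
    skipping comments and blank lines; raises on lines it cannot parse."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam line: {raw!r}")
        if m.group("type") != service_type:
            continue
        control = m.group("control")
        if control.startswith("["):
            table = dict(pair.split("=", 1) for pair in control[1:-1].split())
        else:
            table = KEYWORD_CONTROLS[control]
        stack.append((table, m.group("module"), (m.group("args") or "").split()))
    return stack


def evaluate(stack, results):
    """Walk the stack; results maps module -> "success", "ignore" or "auth_err".

    Returns (overall, modules_consulted). Per pam.conf(5): ok/done contribute
    success unless an earlier module already failed, bad/die record the first
    failure, ignore leaves the state alone, and done/die stop the walk.
    Jump actions (N) and reset are not modelled.
    """
    state = None  # None = nothing contributed yet, else "success" or "fail"
    consulted = []
    for table, module, _args in stack:
        consulted.append(module)
        result = results.get(module, "auth_err")
        action = table.get(result, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if state != "fail":
                state = "success"
        elif action in ("bad", "die"):
            if state != "fail":
                state = "fail"
        else:
            raise ValueError(f"unsupported action {action!r}")
        if action in ("done", "die"):
            break
    # If every module returned PAM_IGNORE nothing contributed; PAM treats that as failure.
    return (state or "fail"), consulted


# Constructed stacks mirroring the article (comment lines included on purpose).
GUIDE_STACK = "#%PAM-1.0\nauth required pam_securid.so\n#auth required pam_sepermit.so\n"
RESOLVED_STACK = "auth required pam_securid.so not_set_pass\nauth required pam_winbind.so\n"
COMPLEX_STACK = ("auth [success=done ignore=ignore default=die] pam_securid.so not_set_pass\n"
                 "auth required pam_winbind.so\n")


def ad_user_outcomes():
    """Unchallenged AD user with a correct AD password: guide stack vs resolved stack."""
    # Assumed: with PAM_IGNORE_SUPPORT=0, pam_securid.so tries UNIX auth and fails.
    guide = evaluate(parse_stack(GUIDE_STACK), {"pam_securid.so": "auth_err"})
    # Assumed: with PAM_IGNORE_SUPPORT=1, pam_securid.so returns PAM_IGNORE.
    resolved = evaluate(parse_stack(RESOLVED_STACK),
                        {"pam_securid.so": "ignore", "pam_winbind.so": "success"})
    return guide, resolved


def challenged_user_outcomes(passcode_ok):
    """Challenged user with a correct AD password: plain 'required' stack vs complex control."""
    res = "success" if passcode_ok else "auth_err"
    results = {"pam_securid.so": res, "pam_winbind.so": "success"}
    return (evaluate(parse_stack(RESOLVED_STACK), results),
            evaluate(parse_stack(COMPLEX_STACK), results))


if __name__ == "__main__":
    print("AD user:", ad_user_outcomes())
    print("challenged, good passcode:", challenged_user_outcomes(True))
    print("challenged, bad passcode:", challenged_user_outcomes(False))
```

The second element of each result lists which modules were consulted, which makes the difference between the two resolution stacks visible: with two `required` lines a bad passcode still walks on to pam_winbind.so (and prompts for the AD password) before the stack fails, whereas `default=die` stops at pam_securid.so and `success=done` skips the AD prompt entirely for SecurID-authenticated users.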