
RSA PAM Agent not returning PAM_AUTHINFO_UNAVAIL when ACE server unreachable

Question asked by Grant Ashton on Nov 20, 2017
Latest reply on Dec 9, 2017 by Grant Ashton

Why does the RSA SecurID PAM Agent not return PAM_AUTHINFO_UNAVAIL (9) when it can't connect to the RSA ACE server? Instead it returns PAM_AUTH_ERR, which is indistinguishable from a genuine authentication failure.

 

The acetest binary is able to detect this state; however, the pam_securid.so library does not return this state.

 

# /opt/pam/bin/64bit/acetest
Cannot communicate with the ACE/Server.

 

# ./rsa_token_check.pl grant.ashton
USERNAME: grant.ashton
Authentication failure (7)

 

Really, the pam_securid.so module should return PAM_AUTHINFO_UNAVAIL in this state, so that applications can use this to detect that the authentication service is down and handle this situation. In my situation I need to be able to perform other checks if the ACE server(s) are unreachable.

 

How I would expect it to behave:

# ./rsa_token_check.pl grant.ashton
USERNAME: grant.ashton
Authentication service cannot retrieve authentication info (9)

 

Thanks,

Grant

 

Useful Link: https://linux.die.net/man/3/pam_authenticate
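
Added example (not part of the original post and not RSA code): a simplified Python model of how Linux-PAM's bracket control syntax ([value=action ... default=action]) evaluates an auth stack, showing why the difference between return codes 7 and 9 decides whether a second check is ever reached. The two-module stack, its control settings and the module name fallback_check are assumptions constructed for illustration.

```python
# Added example: simplified model of Linux-PAM stack evaluation (not RSA code).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL = 0, 6, 7, 9
TOKEN = {PAM_SUCCESS: "success", PAM_AUTH_ERR: "auth_err",
         PAM_AUTHINFO_UNAVAIL: "authinfo_unavail"}

# Constructed stack. "fallback_check" is a hypothetical second module.
SECURID = {"success": "done", "authinfo_unavail": "ignore", "default": "die"}
FALLBACK = {"success": "ok", "default": "bad"}


def run_stack(stack):
    """stack: list of (module_name, control, return_code).
    Returns (final_code, modules_consulted)."""
    status, positive, consulted = PAM_SUCCESS, False, []
    for name, control, rc in stack:
        consulted.append(name)
        action = control.get(TOKEN.get(rc), control["default"])
        if action == "ignore":
            continue                  # result counts neither for nor against
        if action in ("ok", "done"):
            if status == PAM_SUCCESS:
                positive = True
                if action == "done":
                    break             # accepted, skip the rest of the stack
        else:                         # "bad" or "die"
            if status == PAM_SUCCESS:
                status = rc           # first failure fixes the final result
            if action == "die":
                break                 # rejected, skip the rest of the stack
    if status == PAM_SUCCESS and not positive:
        status = PAM_PERM_DENIED      # no module vouched for the user
    return status, consulted


def authenticate(securid_rc, fallback_rc):
    """Run the constructed two-module stack with the given module results."""
    return run_stack([("pam_securid.so", SECURID, securid_rc),
                      ("fallback_check", FALLBACK, fallback_rc)])


if __name__ == "__main__":
    for label, rc in (("reported on this page (7)", PAM_AUTH_ERR),
                      ("expected by the poster (9)", PAM_AUTHINFO_UNAVAIL)):
        print(label, "->", authenticate(rc, PAM_SUCCESS))
```

With code 7 the stack stops at pam_securid.so and the second module is never consulted; with code 9 the SecurID result is ignored and the second module decides the outcome.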

 
