AnsweredAssumed Answered

What can be done with the PAM agent for SecureID

Question asked by Simon Hall on Jun 4, 2018
Latest reply on Jun 6, 2018 by Erica Chalfin

Like • Show 0 Likes0
Comment • 5

My customer has asked me to work against a SecureID RADIUS server. He wants TFA for remote users.

I'm using RHEL 6.8, in command line mode only (no GUI) and I've identified the agent I should use.

I'm just starting to use this site, so forgive me if the answers are out there but atm I've only found generic documentation

I have some questions that are not clear from the documentation:

Can I log in as root locally without needing the server or TFA?

Can I log in as a local user without needing the server or TFA?

Can the local user run applications without needing the server?

Do I need a token to log in locally? What tokens are suitable?

What if the server is not available?

Do remote users need a local account? (documentation seems to say yes, customer doesn't want that)

How are remote users given UID/GID - presumably that is the reason for local account.

How is something like a Nessus scan with credentials undertaken?

No one else has this question

Outcomes

Erica Chalfin

Jun 4, 2018 8:44 AM

Simon Hall,

I am sure one of our engineers will chime in but in the meantime, have a look at the documentation for the RSA Authentication Agent for PAM. From there you can go to RSA SecurID Authentication Agent 8.0 for PAM (English) which provides an Overview of the RSA SecurID Authentication Agent 8.0 for PAM.

Regards,

Erica

Actions

Simon Hall @ Erica Chalfin on Jun 4, 2018 8:52 AM

Thanks for taking the time Erica. Yes, I've looked at the documentation but it only explains how to set up / configure the agent, not what all the consequences could be of deploying the agent as described.

I'll keep looking, but hoped that I could gear off someone's experience and take a shortcut.

Regards

Simon

Actions

Patrick Johnson Jun 5, 2018 8:56 AM

I have PAM Agent 7.3 installed, but I would guess that 8.0 would be pretty similar. When you install the PAM agent, there is an sd_pam.conf file that allows you to decide which groups/users, domain and local, are or are not challenged by RSA. Further, you can edit your auth files to point to the RSA server or leave to your current auth method. What we do is challenge domain accounts for ssh, rdp, sudo and all forms of authentication with RSA, except specific accounts, ie - service or root accounts.

Actions

Simon Hall @ Patrick Johnson on Jun 6, 2018 4:46 AM

Thanks Patrick. I think that should give me enough clues to get the specific installation right and ensure separation of local and remote users.

Still not sure whether I have to create UID/GID for ALL potential remote users even if they will never logon locally. Is this bound up with NIS or LDAP? I'd rather have a standalone host than have to bind it into the customer's network.

Actions

Erica Chalfin

@ Patrick Johnson on Jun 6, 2018 10:07 AM

Patrick Johnson,

Thank you for the assist in answering Simon Hall's question.

Regards,

Erica

Actions

5 Replies

Erica Chalfin Jun 4, 2018 8:44 AM
Mark Correct
Correct Answer
Simon Hall,

I am sure one of our engineers will chime in but in the meantime, have a look at the documentation for the RSA Authentication Agent for PAM. From there you can go to RSA SecurID Authentication Agent 8.0 for PAM (English) which provides an Overview of the RSA SecurID Authentication Agent 8.0 for PAM.

Regards,
Erica
Like • Show 0 Likes0
Actions
- Simon Hall @ Erica Chalfin on Jun 4, 2018 8:52 AM
  Mark Correct
  Correct Answer
  Thanks for taking the time Erica. Yes, I've looked at the documentation but it only explains how to set up / configure the agent, not what all the consequences could be of deploying the agent as described.
  
  I'll keep looking, but hoped that I could gear off someone's experience and take a shortcut.
  
  Regards
  
  Simon
  Like • Show 0 Likes0
  Actions
Patrick Johnson Jun 5, 2018 8:56 AM
Mark Correct
Correct Answer
I have PAM Agent 7.3 installed, but I would guess that 8.0 would be pretty similar. When you install the PAM agent, there is an sd_pam.conf file that allows you to decide which groups/users, domain and local, are or are not challenged by RSA. Further, you can edit your auth files to point to the RSA server or leave to your current auth method. What we do is challenge domain accounts for ssh, rdp, sudo and all forms of authentication with RSA, except specific accounts, ie - service or root accounts.
Like • Show 1 Like1
Actions
- Simon Hall @ Patrick Johnson on Jun 6, 2018 4:46 AM
  Mark Correct
  Correct Answer
  Thanks Patrick. I think that should give me enough clues to get the specific installation right and ensure separation of local and remote users.
  Still not sure whether I have to create UID/GID for ALL potential remote users even if they will never logon locally. Is this bound up with NIS or LDAP? I'd rather have a standalone host than have to bind it into the customer's network.
  Like • Show 0 Likes0
  Actions
- Erica Chalfin @ Patrick Johnson on Jun 6, 2018 10:07 AM
  Mark Correct
  Correct Answer
  Patrick Johnson,
  
  Thank you for the assist in answering Simon Hall's question.
  
  Regards,
  Erica
  Like • Show 0 Likes0
  Actions

What can be done with the PAM agent for SecureID

Outcomes

Related Content

Recommended Content