Hi,
Am looking for a config that would allow me to logon to a redhat 7 server using SSSD active directory name and password, then be asked for a securid token, we have this working on windows client flawlessly but cant find a working config using the securid and PAM, any suggestions
Cheers in advance
Head embedded in wall
Another option if you want token first then ldap stacked....
you may try the not_set_pass option if you cannot make things work otherwise
auth required pam_securid.so not_set_pass
not_set_pass = Don't use the passwords from other stacked modules.
If you are still having issues, debug is:
auth required pam_securid.so debug
or
auth required pam_securid.so debug not_set_pass
Hi Ken,
The SecurID Linux PAM Agent works fine along side sssd to provide 2FA/MFA for AD account authentication on Linux. First configure sssd (join the AD Domain using realmd) to get the sssd / AD Authentication working. See RedHat's Windows Integration Guide for information on configuring sssd. Then install the SecurID Access Linux PAM Agent following the RSA SecurID Linux PAM Agent Installation and Configuration Guide for your Linux distribution.
Once both sssd and the SecurID Linux PAM Agent are installed, edit the PAM configuration files (/etc/pam.d) to enable SecurID for the desired services.
You can choose to require AD Username + Password + SecurID Authenticator
....
auth substack password-auth
auth required pam_securid.so
....
Or AD Username + SecurID Access Authenticator
....
#auth substack password-auth
auth required pam_securid.so
....
Note: Once sssd is working, the PAM auth setting "password-auth" = AD Password authentication.
I tested this configuration Using Win2018 AD, CentOS 7.5, and the RSA SecurID Linux PAM Agent v8.1.