
RSA Securid PAM 8.0 on SUSE Linux 10 with AM8.4

Question asked by Alok Sharma on Mar 27, 2019
Latest reply on Mar 27, 2019 by Alok Sharma

We have a deployed RSA Securid AM 8.4. There are some 40+ SUSE SLES version 10 nodes that we are trying to integrate.

 

We are testing using PAM Agent 8.0. ACETEST succeeds with PASSCODE MFA authentication. However, ssh using pam_securid.so does not work, and we do not see anything in the AM activity monitor. We have modified the sd_pamd.conf and sshd files according to the documentation. We already have 20+ RHES nodes working fine.

Susefirewall is disabled.

 

(RSA documentation says SuSE 10 is only supported with PAM 6.0. However, I am not sure if PAM 6.0 will work with AM 8.4)

 

I will really appreciate assistance.

 

sshd file:
#auth include common-auth
#auth required pam_nologin.so
#
#
auth required pam_securid.so
account include common-account
password include common-password
session include common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session optional pam_resmgr.so fake_ttyname
~

 

SD_PAM file

# default value is /var/ace
VAR_ACE=/var/ace

#AGENT_ROOT :: the location where RSA PAM Agent binaries will go
# default value is /opt
AGENT_ROOT=/usr

#OPERATION_MODE :: To enable the agent operating mode choose one of the option.
# :: 0 UDP Protocol
# :: 1 SID REST Service
# :: 2 MFA REST Service
# default value is 0
OPERATION_MODE=0

#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
# :: 0 Disable logging for securid authentication
# :: 1 Logs regular messages for securid authentication
# :: 2 Logs function entry points for securid authentication
# :: 4 Logs function exit points for securid authentication
# :: 8 All logic flow controls use this for securid authentication
# NOTE :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=8
#0

#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
# :: If this is not set, by default the logs go to Error output.
#RSATRACEDEST=/home
RSATRACEDEST=/root/rsa.log

#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
#0

#INCL_EXCL_USERS :: 0 exclude users from securid authentication
# :: 1 include users for securid authentication
# default value is 0
INCL_EXCL_USERS=1
#0

#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=rsa.security
#:user1:user2

#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
# :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0

#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0
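
A check for the user-selection settings in the file above, as an added example that is not part of the original post and not RSA code: it reads the `KEY=VALUE` lines and reports, per login name, whether the settings select SecurID, UNIX authentication or PAM_IGNORE, and decodes RSATRACELEVEL. The function names are hypothetical, the colon-separated list format is assumed from the `:user1:user2` comment, and group support is not modelled.

```python
# Added example (not RSA code): interprets the user-selection keys of an
# sd_pam.conf using only the meanings given in the file's own comments.
import sys

# Constructed sample: the relevant keys as they appear in the posted file.
SAMPLE_CONF = """\
RSATRACELEVEL=8
ENABLE_USERS_SUPPORT=1
INCL_EXCL_USERS=1
LIST_OF_USERS=rsa.security
PAM_IGNORE_SUPPORT_FOR_USERS=0
"""

TRACE_BITS = {1: "regular messages", 2: "function entry points",
              4: "function exit points", 8: "logic flow controls"}

def parse_conf(text):
    """Return KEY=VALUE settings, skipping blanks, # comments and stray lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def trace_flags(settings):
    """Decode RSATRACELEVEL, which the comments describe as a sum of values."""
    level = int(settings.get("RSATRACELEVEL", "0"))
    return [name for bit, name in sorted(TRACE_BITS.items()) if level & bit]

def decision_for(user, settings):
    """Return 'securid', 'unix' or 'pam_ignore' for one login name."""
    if settings.get("ENABLE_USERS_SUPPORT", "0") != "1":
        return "securid"  # assumption: no user filtering, everyone is challenged
    # Assumption: colon-separated list, as in the ":user1:user2" comment.
    listed = user in [u for u in settings.get("LIST_OF_USERS", "").split(":") if u]
    include_mode = settings.get("INCL_EXCL_USERS", "0") == "1"
    if listed == include_mode:  # listed in include mode, or unlisted in exclude mode
        return "securid"
    if settings.get("PAM_IGNORE_SUPPORT_FOR_USERS", "0") == "1":
        return "pam_ignore"
    return "unix"

if __name__ == "__main__":
    # Usage: script.py [path-to-sd_pam.conf] user...
    args = sys.argv[1:]
    text = open(args.pop(0)).read() if args and "/" in args[0] else SAMPLE_CONF
    conf = parse_conf(text)
    print("trace:", trace_flags(conf) or "disabled")
    for name in args or ["rsa.security", "root"]:
        print(name, "->", decision_for(name, conf))
```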
