AnsweredAssumed Answered

Configuring a RSA AM PAM agent so it does both RSA and AD/Kerberos ssh logins.

Question asked by Michael Folsom on Feb 18, 2020
Latest reply on Feb 19, 2020 by Sriranga Prasanna

Hi!

 

I'm looking for more information about how the latest RSA AM Pam Agent works.

 

My situation is this - I need to configure the RSA AM Pam agent 8.1 so that for most users it does RSA AM authentication but for those that are included in a group declared in /etc/sd_pam.conf and listed in /etc/group I need them to do AD/Kerberos authentication.

 

My question revolves around how to you deal with pam_secureid.so in the pam stack and how to configure sd_pam.conf.  I have done the following in /etc/sd_pam.conf

 

  ENABLED_GROUP_SUPPORT=1

  LIST_OF_GROUPS=ad-users (plus I have created an entry in /etc/group for that user group)

  PAM_IGNORE_SUPPORT=1

 

When I do as suggested - comment out the other auth lines in /etc/pam.d/sshd and add "auth required pam_secureid.so" ssh logins to AD don't work - they did before the agent install and pam changes.

 

Does anybody know of a source of info on this?  I have searched and asked and haven't found much help.

 

Thanks -

 

 

Mike

Outcomes