RSA Authentication – LINUX
Service has been installed and tested on RedHat 6.9
(Santiago), RedHat 7.3 (Maipo) and CentOS 7.4.
This service allows for two factor authentication using an RSA passcode and
user password.
Installation Pre-requisites:
An account, typically a domain user, will need to be available for access, in the first instance these accounts are manually created. For Example, Joe.Bloggs
Changes must be made to the following files (outlined later), access via root or privileged user:
/etc/ssh/sshd_config
/etc/pam.d/sshd
/etc/sd_pam.conf
The LINUX server IP address MUST be manually added to the
RSA Authentication server.
(In the security console click Access
> Authentication Agents > Add New)
A copy of the RSA Authentication Manager certificate is
required.
(In the security console click Access
> Authentication Agents > Download Server Certificate File)
Generated Configuration File (AM_Config.zip) from the RSA
Security Console.
(In the security console click Access
> Authentication Agents > Generate Configuration File)
UNZIP AM_Config.zip before transfer to server
RSA PAM package (PAM-Agent_v8.0.0.195.11_23_17_04_55_23.tar)
(https://community.rsa.com/community/products/securid/authentication-agent-pam)
Method:
Create /var/ace directory on server host
mkdir /var/ace
Create the Authentication Manager configuration file, sdopts.rec
touch /var/ace/sdopts.rec
Add the server host IP address to the sdopts.rec
CLIENT_IP=x.x.x.x where IP is the IP of the host machine
Copy the server.cer and sdconf.rec files to /var/ace folder
Install two packages to the server to ensure the RSA PAM package will work.
yum install selinux-policy-devel
yum install policycoreutils-python **
**Please note the second package (policycoreutils-python) should be installed as part install process of the first one. This can be verified during the install process of the selinux-policy-devel package.
Install Pam RSA Agent V8.0 (browse to downloaded path, E.G /tmp/)
tar xvf PAM-Agent_v8.0.0.195.11_23_17_04_55_23.tar
cd PAM-Agent_v8.0.0.195.11_23_17_04_55_23
./install_pam.sh
You will now be asked to accept a license agreement. Scroll to the end of the agreement (space bar). Type A to accept. Press <RETURN>. During the install you will be asked a series of question regarding the install path, authentication mode and
- Select which operation mode you would like to
configure for authentication [0/1/2] :
Choose option 0 (RSA Authentication Manager with the UDP Protocol) - Enter Directory where sdconf.rec is located
[/var/ace] :
Press <RETURN> (the sdconf.rec file should be located in the /var/ace folder from previous step) - Please enter the root path for the RSA
Authentication Agent for PAM directory [/opt] :
Press <RETURN>
Once successful the install will output the following:
The RSA Authentication Agent for
PAM 8.0.0 [195] will be installed in the /opt directory.
pam/
pam/conf/
pam/conf/mfa_api_template.properties
pam/conf/log.properties
pam/lib/
pam/lib/32bit/
pam/lib/32bit/libpamrest32.so
pam/lib/32bit/liblog4cxx.so.10.0.0
pam/lib/32bit/pam_securid.so
pam/lib/64bit/
pam/lib/64bit/liblog4cxx.so.10.0.0
pam/lib/64bit/libpamrest.so
pam/lib/64bit/pam_securid.so
pam/bin/
pam/bin/32bit/
pam/bin/32bit/acetest
pam/bin/32bit/ns_conv_util
pam/bin/32bit/acestatus
pam/bin/64bit/
pam/bin/64bit/acetest
pam/bin/64bit/ns_conv_util
pam/bin/64bit/acestatus
Checking /etc/sd_pam.conf:
VAR_ACE does
not exist – entry will be appended
OPERATION_MODE does not exist – entry will be appended
RSATRACELEVEL does not exist – entry will be appended
RSATRACEDEST does not exist – entry will be appended
ENABLE_USERS_SUPPORT does not exist – entry will be appended
INCL_EXCL_USERS does not exist – entry will be appended
LIST_OF_USERS does not exist – entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist – entry will be appended
ENABLE_GROUP_SUPPORT does not exist – entry will be appended
INCL_EXCL_GROUPS does not exist – entry will be appended
LIST_OF_GROUPS does not exist – entry will be appended
PAM_IGNORE_SUPPORT does not exist – entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist – entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist – entry will be appended
AUTH_CHALLENGE_PASSCODE_STR
does not exist – entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist – entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist – entry will be
appended
Checking /var/ace/conf/mfa_api.properties:
REST_URL does
not exist – entry will be appended
CLIENT_KEY does not exist – entry will be appended
CA_CERT_FILE_PATH does not exist – entry will be appended
CLIENT_ID does not exist – entry will be appended
CONNECT_TIMEOUT does not exist – entry will be appended
READ_TIMEOUT does not exist – entry will be appended
MAX_RETRIES does not exist – entry will be appended
*****************************************************************************
* You have successfully installed RSA Authentication Agent 8.0.0 [195] for PAM
*****************************************************************************
**Please note: If SELINUX is enabled the output may include SELINUX related information**
Change /etc/pam.d/sshd
vi /etc/pam.d/sshd
add in the following lines
auth required pam_securid.so
auth required pam_unix.so
Using # rem out other auth required lines (for example)
# auth required pam_sepermit.so
Change the sshd_config file
vi /etc/ssh/sshd_config
Set the following parameters and save the changes:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
UsePrivilegeSeparation no
**Please note: This file may look different with each version of Linux and also whether SELINUX is enabled **
Change the /etc/sd_pam.conf file
vi /etc/sd_pam.conf
ENABLE_USERS_SUPPORT=1
LIST_OF_USERS=root
PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1
Once you modified the above files restart the SSHD service
REDHAT 6.9 – service sshd restart
REDHAT 7+ – systemctl restart sshd.service
**IMPORTANT NOTICE: DO NOT close the terminal / SSH window! If there is a misconfiguration you could potentially lock yourself out of the system altogether**
Testing:
During the installation, the PAM installer will add the following scripts to /opt/pam/bin/64bit:
./acestatus
./acetest
./ns_conv_util
To test the RSA Authentication module, type:
./acetest
You should be presented with:
Enter USERNAME:
(enter your domain
username, E.G Joe.Bloggs)
Enter PASSCODE:
(using your RSA soft
token enter your PIN and generated CODE)
If all of the details are entered correctly, you should receive the following message
Authentication Successful.
Live Tests:
Once you have achieved a successful test status, open up a new SSH session to
test the two factor authentication.
During this phase you should will be asked to enter your USERNAME : PASSCODE : PASSWORD
You should now have gained access to the required server.
Troubleshooting:
If your testing was unsuccessful please check the following logs
Cat or tail /var/log/secure to view the RSA logs
tail –f /var/log/secure
Review the entries within the log to ensure the details you enter are correct.
If your “live” login fails, the logs within the RSA Security Console can be reviewed using the Authentication Monitor.
Considerations:
Note the entry within the /etc/sd_pam.conf file
LIST_OF_USERS=root
This section allows you to enter system users that shouldn’t require two factor authentication. The above example shows the root user. This is list can contain as many users as necessary (separated with by a colon (:))
For Example:
LIST_OF_USERS=root:nagios:contabuser
Certain system functions may require access to the root user (RSYNC for example), it would be beneficial to exclude this user.
