Configure the PAM Modules for Use with DirectControl and SecurID

Configure the /etc/pam.d/system-auth File for Linux

After you’ve installed both the RSA SecurID agent and the Server Suite Agent on a Linux computer, you also need to insert a line in the /etc/pam.d/system-auth file. This change makes the system prompt users for their SecurID token.

Just so that you know, this file will already have some lines at the top that were inserted by the authentication service.

To configure the Linux system authentication file so that users are prompted for the RSA token:

  • Add the following line to the beginning of the /etc/pam.d/system-auth file:

    auth required pam_securid.so

    You should restart any services that you plan to use with RSA. For example, if you’re using SSH, you should restart the SSH service.

Configure the pam.conf File for Solaris and AIX

For Solaris and AIX computers, you need to edit the /etc/pam.conf file.

To configure the Solaris or AIX system authentication file so that users are prompted for the RSA token:

In the /etc/pam.conf file, add the following code snippet to the end of the file:

    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    sshd-kbdint auth required pam_securid.so
    sshd-kbdint auth sufficient pam_centrifydc.so unix_cred
    sshd-kbdint auth requisite pam_centrifydc.so deny
    sshd-kbdint account sufficient pam_centrifydc.so unix_cred
    sshd-kbdint account requisite pam_centrifydc.so deny
    sshd-kbdint session required pam_centrifydc.so
    sshd-kbdint password sufficient pam_centrifydc.so try_first_pass
    sshd-kbdint auth requisite pam_authtok_get.so.1
    sshd-kbdint auth required pam_dhkeys.so.1
    sshd-kbdint auth required pam_unix_cred.so.1
    sshd-kbdint auth required pam_unix_auth.so.1
    sshd-kbdint account requisite pam_roles.so.1
    sshd-kbdint account required pam_unix_account.so.1
    sshd-kbdint session required pam_unix_session.so.1
    sshd-kbdint password required pam_dhkeys.so.1
    sshd-kbdint password requisite pam_authtok_get.so.1
    sshd-kbdint password requisite pam_authtok_check.so.1
    sshd-kbdint password required pam_authtok_store.so.1

You should restart any services that you plan to use with RSA. For example, if you’re using SSH, you should restart the SSH service.

Require Token Authentication for Specific Groups or Local Users

RSA supports the ability to require RSA token authentication for specific groups of users. This feature is supported when using the Authentication Service. You can specify Active Directory groups as the required group. Local groups work as well.

You can also configure the agent so that specific groups are not prompted to authenticate with the RSA SecurID token. Group members excluded from SecurID authentication can authenticate using UNIX credentials or by way of another PAM module; you can configure this

The ability to require RSA SecurID token authentication for specific groups does not work on AIX. A bug in the AIX OS prevents the SecurID agent from iterating Active Directory groups.

Be sure to exclude any users that you do not want to authenticate with the RSA SecurID token. Once you’ve enabled users or groups for token authentication, all users will be challenged for a token even if they weren’t assigned one. This situation can cause some users to be locked out of the computer that they’re trying to log in to. When you are testing this functionality, it’s a good practice to exclude the root user to avoid any complications.

To require SecurID token authentication for specific groups or users:

  1. Edit the sd_pam.conf file and add the following lines:

    #VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go
    VAR_ACE=/opt/RSA

  2. To specify specific groups to authenticate using the RSA token, first enable group support by setting the ENABLE_GROUP_SUPPORT parameter to 1, as shown below:

    #ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
    ENABLE_GROUP_SUPPORT=1

  3. To specify the list of groups that will use the RSA token, include them in the LIST_OF_GROUPS parameter, as shown below:

    #LIST_OF_GROUPS :: a list of groups to include or exclude...Example
    #LIST_OF_GROUPS=other:wheel:eng:othergroupnames
    LIST_OF_GROUPS=sampleadgroup

  4. To control whether the groups in LIST_OF_GROUPS are included in or excluded from RSA token authentication, set the INCL_EXCL_GROUPS parameter, as shown below:

    #INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid
    # authentication (include)
    # :: 0 to never prompt the listed groups for securid
    # authentication (exclude)
    INCL_EXCL_GROUPS=1

  5. (Optional) To configure what happens when an excluded user tries to authenticate, modify the PAM_IGNORE_SUPPORT parameter, as shown below:

    #PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID
    # authenticated due to their group membership
    # :: 0 to UNIX authenticate a user that is not SecurID
    # authenticated due to their group membership
    PAM_IGNORE_SUPPORT=1

  6. To specify specific users to authenticate using the RSA token, first enable user support by setting the ENABLE_USERS_SUPPORT parameter to 1, as shown below:

    #ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
    ENABLE_USERS_SUPPORT=1

  7. To specify the list of users that will use the RSA token, include them in the LIST_OF_USERS parameter, as shown below:

    #LIST_OF_USERS :: a list of users to include or exclude...Example
    LIST_OF_USERS=localuser1:aduser2

  8. To control whether the users in LIST_OF_USERS are included in or excluded from RSA token authentication, set the INCL_EXCL_USERS parameter, as shown below:

    #INCL_EXCL_USERS :: 1 to always prompt the listed users for securid
    # authentication (include)
    # :: 0 to never prompt the listed users for securid
    # authentication (exclude)
    INCL_EXCL_USERS=1

  9. (Optional) To configure what happens when an excluded user tries to authenticate, modify the PAM_IGNORE_SUPPORT_FOR_USERS parameter.

You can also consult the RSA SecurID documentation for more details about configuring token authentication for groups, users, excluding users, and so forth. There are more configurations available than are presented in this document.
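The following is an added example, not part of the Delinea or RSA documentation: it parses an sd_pam.conf fragment and applies the group parameters from steps 2 to 5 exactly as their comments define them, so you can see who will be prompted for a token (and whether root is exempt) before the change goes live. The user-list parameters are not modelled, and the fallback values used when a key is absent are an assumption.

```python
# Added example (not from the Delinea or RSA documentation): evaluate the sd_pam.conf
# group parameters as the comments above define them, so you can see who will be
# prompted for a token before rolling the change out (for instance, whether root is exempt).

def parse_sd_pam_conf(text):
    """Parse KEY=VALUE lines of an sd_pam.conf fragment; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def securid_decision(conf, user_groups):
    """Return 'PROMPT', 'PAM_IGNORE' or 'UNIX_AUTH' for a user in the given groups.

    Only the group parameters (steps 2-5) are modelled, not the user lists.
    The fallback values used when a key is absent are an assumption, not documented."""
    if conf.get("ENABLE_GROUP_SUPPORT", "0") != "1":
        return "PROMPT"  # no group filtering: pam_securid.so challenges everyone
    listed = set(conf.get("LIST_OF_GROUPS", "").split(":")) - {""}
    in_listed = bool(listed & set(user_groups))
    include_mode = conf.get("INCL_EXCL_GROUPS", "1") == "1"
    if in_listed == include_mode:  # listed + include, or unlisted + exclude
        return "PROMPT"
    # Not SecurID-authenticated because of group membership: what happens next
    # depends on PAM_IGNORE_SUPPORT.
    return "PAM_IGNORE" if conf.get("PAM_IGNORE_SUPPORT", "0") == "1" else "UNIX_AUTH"

# Constructed sample using the values shown in the steps above.
SAMPLE_SD_PAM_CONF = """\
VAR_ACE=/opt/RSA
ENABLE_GROUP_SUPPORT=1
#LIST_OF_GROUPS=other:wheel:eng:othergroupnames
LIST_OF_GROUPS=sampleadgroup
INCL_EXCL_GROUPS=1
PAM_IGNORE_SUPPORT=1
"""

if __name__ == "__main__":
    conf = parse_sd_pam_conf(SAMPLE_SD_PAM_CONF)
    for user, groups in [("aduser2", ["sampleadgroup", "users"]), ("root", ["root", "wheel"])]:
        print(f"{user}: {securid_decision(conf, groups)}")
    # Flipping INCL_EXCL_GROUPS to 0 turns the list into an exclusion list, so root
    # (not listed) would now be challenged: the lockout case the note above warns about.
    print("root with INCL_EXCL_GROUPS=0:",
          securid_decision(dict(conf, INCL_EXCL_GROUPS="0"), ["root", "wheel"]))
```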

Configure SSH to Require SecurID

When setting up the SecurID product you must make some configuration changes to the sshd configuration files.

If you are using the Delinea openSSH product you must make some configuration changes to support token authentication. The Delinea openSSH is configured to attempt Kerberos single sign-on whenever a user logs in. This means that the user is not prompted for their user name or password. This capability must be disabled if you want to prompt users for token authentication.

To configure SSH to require a SecurID token:

  1. Edit the /etc/centrifydc/ssh/ssh_config file and comment out the lines for the following items:

    • GSSAPIAuthentication

    • GSSAPIKeyExchange

    • GSSAPIDelegateCredentials

      For example:

      # Configuration for DirectControl:
      Host *
      #GSSAPIAuthentication yes
      #GSSAPIKeyExchange yes
      #GSSAPIDelegateCredentials yes

  2. Edit the /etc/centrifydc/ssh/sshd_config file and comment out the lines for the following items:

    • GSSAPIKeyExchange

    • GSSAPIAuthentication

    • GSSAPICleanupCredentials

  3. In the /etc/centrifydc/ssh/sshd_config file, be sure that the PrintMotd and UsePAM settings are set as follows:

    PrintMotd no
    UsePAM yes

  4. Restart sshd to ensure the changes take effect.
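The following is an added example, not part of the Delinea or RSA documentation: a check that a Linux /etc/pam.d/system-auth has pam_securid.so as its first auth entry (the Linux procedure at the top of this page) and that the DirectControl sshd_config has the GSSAPI lines commented out with PrintMotd and UsePAM set as required (the procedure just above). It works on file contents, so it runs on the constructed samples here or on the real files read from a host; the sample file contents are constructed.

```python
# Added example (not from the Delinea or RSA documentation): verify that a Linux
# /etc/pam.d/system-auth and the DirectControl sshd_config carry the settings from the
# procedures above. Inputs are file contents; the samples below are constructed.
import re

def securid_is_first_auth(pam_text):
    """True if the first active 'auth' entry is 'auth required pam_securid.so'."""
    for line in pam_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "auth":
            return fields[1:3] == ["required", "pam_securid.so"]
    return False  # no auth entry at all

GSSAPI_KEYS = ("GSSAPIKeyExchange", "GSSAPIAuthentication", "GSSAPICleanupCredentials")

def sshd_config_problems(sshd_text):
    """Return findings for the sshd_config; an empty list means it matches the procedure."""
    settings = {}
    for line in sshd_text.splitlines():
        m = re.match(r"^\s*([A-Za-z]+)\s+(\S+)", line)
        if m:  # a commented-out line starts with '#', which is not a letter
            settings[m.group(1).lower()] = m.group(2).lower()
    problems = [f"{k} is still active; comment it out" for k in GSSAPI_KEYS if k.lower() in settings]
    if settings.get("printmotd") != "no":
        problems.append("PrintMotd must be set to no")
    if settings.get("usepam") != "yes":
        problems.append("UsePAM must be set to yes")
    return problems

# Constructed samples of the two files after the procedures above were applied.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth required pam_securid.so
auth sufficient pam_centrifydc.so
auth required pam_unix.so
"""
SAMPLE_SSHD_CONFIG = """\
#GSSAPIKeyExchange yes
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
PrintMotd no
UsePAM yes
"""

if __name__ == "__main__":
    print("pam_securid.so first in auth stack:", securid_is_first_auth(SAMPLE_SYSTEM_AUTH))
    print("sshd_config problems:", sshd_config_problems(SAMPLE_SSHD_CONFIG) or "none")
```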