|
Softpanorama |
May the source be with you, but remember the KISS principle ;-)
|
For Suse 10 SP1 64-bit you need version 6 of the RSA PAM agent. Please note that, as usual, RSA Installation guide is junk and you need to guess a lot of things to understand the technology. Thanks God the installation script is just a Borne shell script and reading it can clarify a lot of things
Test connectivity to the server
Untar SecurID client into installation directory, for example, in you home directory.
Copy the file sdconf.rec from its usual location on the ACE/Server ( /ACE/data) to the SecurID client configuration directory (for example /var/ace or /etc/ace).
Export global variable VAR_ACE with the value of this directory. If you do not do that the script will assume VAR_ACE=/var/ace. You do not need to do it if /var/ace is an OK location for you purposes. You can also change it in the installation script to, say, /etc/ace or /opt/ace:
if [ ! -n "$VAR_ACE" ]; then
VAR_ACE="/var/ace"
fi
# ./install_pam.sh ARE YOU A CUSTOMER ORDERING THIS RSA PRODUCT FROM RSA SECURITY INC., FROM EITHER NORTH AMERICA, SOUTH AMERICA OR THE PEOPLE'S REPUBLIC OF CHINA (EXCLUDING HONG KONG): (y/n) [y]y LICENSE AGREEMENT ... ... ... Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A Enter Directory where sdconf.rec is located [/var/ace] Please enter the root path for the RSA Authentication Agent for PAM directory [/opt] /opt/ace
Note: The script will also copy pam_securid.so to /lib64/security or /lib/security depending whether you are using 64-bit or 32-bit Linux The RSA Authentication Agent for PAM will be installed in the /opt/ace directory. pam/ pam/doc/ pam/lib/ pam/lib/pam_securid.so pam/bin/ pam/bin/acestatus pam/bin/acetest
Checking /etc/sd_pam.conf: VAR_ACE does not exist - entry will be appended ENABLE_GROUP_SUPPORT does not exist - entry will be appended INCL_EXCL_GROUPS does not exist - entry will be appended LIST_OF_GROUPS does not exist - entry will be appended PAM_IGNORE_SUPPORT does not exist - entry will be appended AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended ************************************************************* * You have successfully installed RSA Authentication Agent 6.0 for PAM *************************************************************Note that the last step is the creation of /etc/sd_pam.conf file
#VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and securid files will go VAR_ACE=/var/ace #ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support ENABLE_GROUP_SUPPORT=0 #INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include) # :: 0 to never prompt the listed groups for securid authentication (exclude) INCL_EXCL_GROUPS=0 #LIST_OF_GROUPS :: a list of groups to include or exclude...Example LIST_OF_GROUPS=other:wheel:eng:othergroupnames #PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership # :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership PAM_IGNORE_SUPPORT=0 #AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME : #AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root : #AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE : #AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :
there are several ways to configure PAM.
The first is to modify login
#%PAM-1.0
auth required pam_securid.so
#auth required pam_securetty.so
#auth include common-auth
#auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
In this case for those accounts which do not have password locked in shadow file there will be failover to regular authentication
The second is to modify /etc/pam.d/common-password
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix2 in combination # with pam_pwcheck. # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # # To enable Blowfish or MD5 passwords, you should edit # /etc/default/passwd. # # Alternate strength checking for passwords should be configured # in /etc/security/pam_pwcheck.conf. # # pam_make can be used to rebuild NIS maps after password change. # password required pam_pwcheck.so nullok password required pam_unix2.so nullok use_authtok #password required pam_make.so /var/yp
You can copy this file into, say admin-password to use with those daemons you do not want to authenticate via SecurID (for example SSH).
After that you can modify /etc/pam.d/common-password in the following way:
# # /etc/pam.d/common-password - password-related modules common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of modules that define the services to be # used to change user passwords. The default is pam_unix2 in combination # with pam_pwcheck. # The "nullok" option allows users to change an empty password, else # empty passwords are treated as locked accounts. # # To enable Blowfish or MD5 passwords, you should edit # /etc/default/passwd. # # Alternate strength checking for passwords should be configured # in /etc/security/pam_pwcheck.conf. # # pam_make can be used to rebuild NIS maps after password change. # # password required pam_pwcheck.so nullok # password required pam_unix2.so nullok use_authtok # password required pam_make.so /var/yp auth required pam_securid.so
Note that by excluding pam_unix2.so you burn the bridges -- the is no fallout to regular password so one service (for example ssh) should be kept with regular authentication but very limited number of users who can access it. This is the recommended solution as in many corporations this fallout essentially is not controlled and defeat the purpose of Secure-ID.
You might need to comment out lines
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
as recommended by RSA.
Note: here are RSA recommendations from the installation manual (which is a joke). They are definitely outdated and incomplete:
SUSE Linux Enterprise Server 9 (SP3) and 10 (64 bit):
1. Change to /etc/pam.d/ and open the login file.
auth required pam_securetty.so auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session session required pam_lastlog.so nowtmp session required pam_resmgr.so session optional pam_mail.so standard session required pam_limits.so # added by orarun2. Comment out the following 3 lines:auth required pam_securetty.so auth include common-auth auth required pam_nologin.so3. Replace them with the following lines:auth required pam_securid.so auth required pam_ldap.so
On Sun, Jan 20, 2002 at 04:37:19PM -0500, Sam Hartman wrote: > I've gotten several Debian bug reports that pam_nologin should be an > account module so it works better with ssh. The problem is that if > you have RSA outh or Kerberos auth with ssh, the pam_authenticate call > is is skipped, so if pam_nologin is in the auth stack, then it will be > ignored. > Clearly making pam_nologin be an account module is wrong because doing > so would cause it to wait until after the password is entered for > login applications. What about allowing pam_nologin to be both an > account and auth module? Would this be acceptable? I've commented before that many of the modules that ship as auth-only would also be very useful as account modules; I never heard any objections to that idea, it just seemed to be a question of writing the code. Steve Langasek postmodern programmer
Hello all, I am currently using pam_securid to authenticate users using RSA's securid keychain fobs. I have a problem: If a user has anything in their password field in /etc/shadow, the authentication fails. I would like to have password fields in /etc/shadow with legitimate passwords otherwise I get unwanted side-effects like users being able to 'su' to any other user with no password. Currently, this is my /etc/pam.d/sshd file (ssh is the only way to login to this machine) #%PAM-1.0 auth required /lib/security/pam_securid.so auth required /lib/security/pam_env.so auth sufficient /lib/security/pam_unix.so likeauth nullok auth required /lib/security/pam_deny.so auth required /lib/security/pam_nologin.so account required /lib/security/pam_unix.so password required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_stack.so service=system-auth session required /lib/security/pam_limits.so session optional /lib/security/pam_console.so I would like to know what to take out of /etc/pam.d/sshd, system-auth or su in order for me to authenticate with pam_securid (the only method I want users to authenticate with), yet still have passwords in the /etc/shadow file to prevent users from su-ing, etc. Thanks for your help --Eric
Roger E McClurg wrote:I'm using the RSA PAM SecurID module (5.0). It authenticates users just fine, but when a token gets into new pin mode or next token mode the user does not get the prompts just a NAK. Does anyone have any experience with this?
My configuration:
radius auth required /usr/lib/security/$ISA/pam_securid.so debug
radius account required /usr/lib/security/$ISA/pam_securid.so debug
radius password required /usr/lib/security/$ISA/pam_sample.so.1
I've never used pam_securid, but should this not point to pam_securid too? It "new pin" or "next token" modes sound like they would map onto pam_chauthtok, which is what this is.
radius session required /usr/lib/security/$ISA/pam_sample.so.1-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
#%PAM-1.0
auth required pam_securid.so
#auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional pam_resmgr.so fake_ttyname
By leveraging the strength of RSA SecurID® and the flexibility of PAM, organizations can eliminate security risks associated with using static passwords for user authentication. While enhancing security, the RSA SecurID solution can help organizations reduce Help desk costs from password-related calls and increase user productivity.