Softpanorama
May the source be with you, but remember the KISS principle ;-)

Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Installation of SecurID Client on Suse

News SecurID

Recommended Links

Reference
PAM (Pluggable authentication modules) Linux PAM Humor Etc

For Suse 10 SP1 64-bit you need version 6 of the RSA PAM agent.  Please note that, as usual, RSA Installation guide is junk and you need to guess a lot of things to understand the technology.  Thanks God the installation script is just a Borne shell script and reading it can clarify a lot of things

Here are the steps:

Get the latest version of Ace agent from RSA site

As of Jan 2010 the latest version is still AuthenticationAgent_60_PAM_95_060308.tar

Untar files in a newly created directory

Untar SecurID client into installation directory, created, for example, your home directory.  For example

mkdir aceclient && cd aceclient

tar xvf ../AuthenticationAgent_60_PAM_95_060308.tar

Copy sdconf.rec

1. Copy the file sdconf.rec from its usual location on the ACE/Server ( /ACE/data) to the SecurID client  configuration directory (for example /var/ace).  You can also copy it from any working client (usually at /var/ace)

# mkdir /var/ace
# cp ../sdconf.rec /var/ace
# ll /var/ace
total 4
-rw-r--r-- 1 root root 1024 Jan 25 11:10 sdconf.rec

2. Important: Verify that checksum is correct with the checksum on the server that works (that helps to detect accidental errors like transferring file in text mode, getting wrong file, etc. )

# cksum sdconf.rec
2006481408 1024 sdconf.rec

Note: The installation script assumes by default that the location of  sdconf.rec. The default is recoded in the variable  VAR_ACE. You can also change the default value in the installation script to, say, /etc/ace which probably would be more logical or /opt/ace:

if [ ! -n "$VAR_ACE" ]; then
    VAR_ACE="/var/ace"
fi

Run install_pam.sh script

1. Create target directory, for example /opt/ace.

mkdir /opt/ace

2. Run install_pam.sh script and answer the question. Be careful when specifying target directory (no editing is available, you need to cancel the script is you made a typo).  

#  

ARE YOU A CUSTOMER ORDERING THIS RSA PRODUCT FROM RSA SECURITY INC., FROM EITHER NORTH AMERICA, SOUTH AMERICA OR THE PEOPLE'S REPUBLIC OF CHINA (EXCLUDING HONG KONG): (y/n) [y]y
LICENSE AGREEMENT
... ... ... 

Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A


Enter Directory where sdconf.rec is located [/var/ace]

Please enter the root path for the RSA Authentication Agent for PAM directory [/opt]

/opt/ace 
Note: The script will also copy pam_securid.so to /lib64/security or /lib/security depending whether you are using 64-bit or 32-bit Linux 

The RSA Authentication Agent for PAM will be installed in the /opt/ace directory.
pam/
pam/doc/
pam/lib/
pam/lib/pam_securid.so
pam/bin/
pam/bin/acestatus
pam/bin/acetest
Checking /etc/sd_pam.conf:

VAR_ACE does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended

*************************************************************
* You have successfully installed RSA Authentication Agent 6.0 for PAM
*************************************************************
Note the last step is the creation of  /etc/sd_pam.conf  file
#VAR_ACE ::  the location where the sdconf.rec, sdstatus.12 and securid files will go
VAR_ACE=/var/ace


#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
ENABLE_GROUP_SUPPORT=0


#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
#                 :: 0 to never prompt the listed groups for securid authentication (exclude)
INCL_EXCL_GROUPS=0


#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=other:wheel:eng:othergroupnames 


#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
PAM_IGNORE_SUPPORT=0


#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :


#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :


#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :


#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :

Test connectivity to the server

  1. Cd to /opt/ace/pam/bin
  2. Detect target ACe server by running command ./acestatus, for example
    # ./acestatus
    
    RSA ACE/Server Limits
    ---------------------
    Configuration Version : 14 Client Retries : 5
    Client Timeout : 5 DES Enabled : Yes
    
    RSA ACE/Static Information
    --------------------------
    Service : securid Protocol : udp Port Number : 5500
    
    RSA ACE/Dynamic Information
    ---------------------------
    Server Release : N/A Communication : 5
    
    RSA ACE/Server List
    -------------------
    Server Name : AUTHMGR
    Server Address : 10.201.144.100
    Server Active Address : 0.0.0.0
    Master : Yes Slave : No Primary : Yes
    Usage : Default Server during initial requests
  3. Ping the target ACE server. If it is behind firewall or your server has a firewall enabled make sure that the port is opened.
  4. Important: Ask your Ace server administrator to add the server to the list of clients  (Important: this requires access to Ace server console).
  5. Try ./acetest  If the Ace server admin did his job, you should be able to connect
  6. If  test failed with the message

    # ./acetest
    Cannot communicate with the ACE/Server.

    That the server specified in your sdconf.rec file is probably incorrent or down.

    If you get prompt Enter USERNAME:  then the server has been found sucessfully.

    Enter PASSCODE:
    Unexpected error from ACE/Agent API.

     

Configure PAM

Suse has a convoluted PAM setup, with the typical for Suse and other Linux distribution perversion of using to many files and too many includes.  So modifying it for SecureID is far from being a straightforward exersize.

In the typical installation you usually want to use SecurID for all daemons except SSH (where certificates provide same level of security without paying exorbitant amount of money to RSA ;-)

There are many ways to achieve that. The one that we recommend is to modify login by commenting out three lines which are show below in green and adding  the line auth required pam_securid.so at the top:

#%PAM-1.0
auth required pam_securid.so
#auth required pam_securetty.so
#auth include common-auth
#auth required pam_nologin.so

account include common-account 
# this is just account required pam_unix2.so
password include common-password
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard

If you in addition comment out common-password or make pam_securid.so "requisite" instead of "required" you will lose ability to use regular passwords which is useful for selected group of users (usually wheel group).

Note 1: commented out "include" common-auth contains just two lines

auth required pam_env.so
auth required pam_unix2.so

Note 2:  include common-password also contains two lines (plus one commented out line):

password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_authtok
#password required      pam_make.so     /var/yp

Preserving it allow to use regular passwords for selected users or groups (Group wheel) by additing  pam_require module.  See Wheel Group for details.

You also need to modify pure-ftp.pam as it does not use login. Add "auth required pam_securid.so" at the top and comment out "include common-auth"

#%PAM-1.0
auth required pam_securid.so
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#auth include common-auth
auth required pam_shells.so
account include common-account
password include common-password

Note: here are RSA recommendations from the installation manual (which is very weak).

SUSE Linux Enterprise Server 9 (SP3) and 10 (64 bit):

1. Change to /etc/pam.d/ and open the login file.

auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
session required pam_limits.so # added by orarun
2. Comment out the following 3 lines:
auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
3. Replace them with the following lines:
auth required pam_securid.so
auth required pam_ldap.so
	

Top updates

Shop Amazon Cyber Monday Deals Week
Google Search


NEWS CONTENTS

Old News ;-)

Re pam_nologin as account module

On Sun, Jan 20, 2002 at 04:37:19PM -0500, Sam Hartman wrote:

> I've gotten several Debian bug reports that pam_nologin should be an
> account module so it works better with ssh.  The problem is that if
> you have RSA auth or Kerberos auth with ssh, the pam_authenticate call
> is is skipped, so if pam_nologin is in the auth stack, then it will be
> ignored.

> Clearly making pam_nologin be an account module is wrong because doing
> so would cause it to wait until after the password is entered for
> login applications.  What about allowing pam_nologin to be both an
> account and auth module?  Would this be acceptable?

I've commented before that many of the modules that ship as auth-only
would also be very useful as account modules; I never heard any
objections to that idea, it just seemed to be a question of writing the
code.

Steve Langasek
postmodern programmer

question on authentication - null passwds

Hello all,

  I am currently using pam_securid to authenticate users using RSA's securid
keychain fobs. I have a problem: If a user has anything in their password
field in /etc/shadow, the authentication fails. I would like to have
password fields in /etc/shadow with legitimate passwords otherwise I get
unwanted side-effects like users being able to 'su' to any other user with
no password.

Currently, this is my /etc/pam.d/sshd file (ssh is the only way to login to
this machine)

#%PAM-1.0
auth       required     /lib/security/pam_securid.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

I would like to know what to take out of /etc/pam.d/sshd, system-auth or su
in order for me to authenticate with pam_securid (the only method I want
users to authenticate with), yet still have passwords
in the /etc/shadow file to prevent users from su-ing, etc.

Thanks for your help
--Eric

Re PAM SecurID

Roger E McClurg wrote:
I'm using the RSA PAM SecurID module (5.0). It authenticates users just fine, but when a token gets into new pin mode or next token mode the user does not get the prompts just a NAK. Does anyone have any experience with this?

My configuration:
radius auth required /usr/lib/security/$ISA/pam_securid.so debug
radius account required /usr/lib/security/$ISA/pam_securid.so debug
radius password required /usr/lib/security/$ISA/pam_sample.so.1

I've never used pam_securid, but should this not point to pam_securid too? It "new pin" or "next token" modes sound like they would map onto pam_chauthtok, which is what this is.

 
radius session required /usr/lib/security/$ISA/pam_sample.so.1
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

pam configuration for securID - SUSE Forums

#%PAM-1.0
auth required pam_securid.so
#auth required  pam_unix2.so # set_secrpc
auth required   pam_nologin.so
auth required   pam_env.so
account required        pam_unix2.so
account required        pam_nologin.so
password required       pam_pwcheck.so
password required       pam_unix2.so    use_first_pass use_authtok
session required        pam_unix2.so    none     # trace or debug
session required        pam_limits.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session  optional      pam_resmgr.so fake_ttyname


 

Recommended Links

Softpanorama Top Visited

Softpanorama Recommended

Wiki MySecurID-page

RSA Secured Partner Solutions for RSA SecurID

Configuring SecurID Authentication

 

Reference

 

Installation and Configuration Guide

 

RSA Authentication Agents for UNIX-Linux - RSA, The Security Division of EMC

The RSA Authentication Agent for UNIX/Linux consists of two solutions:

Authentication Agent 6.0 for PAM

Supported Platforms Platform set I:

Platform set II: Platform set III:

(Other platforms will be released later)

RSA strongly recommends using OpenSSH.
PAM Agent for platform set I was qualified with OpenSSH 4.3p2.
PAM Agents for platform sets II and III were qualified with OpenSSH 4.5p1.

Other Requirements 7 MB free disk space
RSA ACE/Server 5.2, RSA Authentication Manager 6.0, or RSA Authentication Manager 6.1 or later

Pricing and Availability Download this agent for free

RSA Authentication Agent 6.0 for PAM
 

RSA Authentication Agent 5.3.4 for PAM

Supported Platforms RSA Authentication Agent 5.3.4 for PAM supports only the 32-bit version of the following operating systems:


The PAM Agent supports OpenSSH 4.1p1 for all platforms and OpenSSH 4.3p1 on Red Hat Enterprise Linux AS/ES 4.0. RSA strongly recommends using OpenSSH.

Other Requirements 6 MB free disk space
RSA ACE/Server 5.1 or later, or RSA Authentication Manager 6.0 or later

Pricing and Availability Download this agent for free
RSA Authentication Agent 5.3.4 for PAM




Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2014 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting hosting of this site with different providers to distribute and speed up access. Currently there are two functional mirrors: softpanorama.info (the fastest) and softpanorama.net.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: July 18, 2014