RSA Authentication Agent 7.

1 for PAM—Installation and Configuration Guide for RHEL

RSA Authentication Agent 7.1 for PAM—Installation

and Configuration Guide for RHEL
The RSA SecurID solution provides two-factor authentication to protect access to data
and applications. This access can be through remote dial-in connections, local access,
domain and terminal services access, Internet and VPN connections, intranet and
extranet applications.
The SecurID solution consists of an Authentication Manager server, an authentication
agent that communicates with the server, and authenticators that generate the
tokencode. The authentication agent initiates a SecurID authentication session when a
user attempts to access a protected resource. It verifies data provided by the user
against the data stored in the Authentication Manager server. Based on the result, the
user is either allowed or denied access.

Overview of the RSA Authentication Agent 7.1 for PAM

The RSA Authentication Agent 7.1 for PAM (pluggable authentication module)
enables RSA SecurID authentication on UNIX systems, using either standard or
OpenSSH connection tools.
The PAM agent uses RSA customized shared libraries, and supports several forms of
RSA SecurID authenticators for access to UNIX servers and workstations.

Agent Workflow
A machine protected by the PAM agent can be accessed either locally or remotely.

Acce s
s e s re
mo te
ly with SSH
FTP
Machine 4 cl ie n Telnet dtlogin
t
FTP Su Accesses
t rlogin Sudo locally
lie n
T e ln et C with
it h
m o te ly w n t dtlogin
s re Cl
ie
e sse client
A cc SSH Machine 1 protected by Authentication Manager
it h the PAM Agent
yw
o te l
Machine 3 em
sr
sse
ce
Ac

Machine 2

1
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

This section describes the working of the agent for PAM.

1. A user attempts to access a machine protected by the PAM agent, either locally or
remotely:
• If accessed locally, local logon tools supported such as login are used.
• If accessed remotely, remote logon tools supported such as rlogin, telnet, ssh,
and ftp are used.
2. The PAM infrastructure intercepts all logon requests, and using PAM
configuration files, arrives at the RSA module:
• If the user requesting access is not to be challenged by RSA SecurID, the RSA
PAM module allows the request to proceed.
• If the user requesting access is to be challenged by RSA SecurID, the agent
continues the authentication process.
3. The agent prompts the user for the user name.
4. The agent requests the user for the passcode.
5. The agent sends the user name and passcode to Authentication Manager in a
secure manner:
• If Authentication Manager approves the request, the agent grants access to the
user.
• If Authentication Manager does not approve the request, the agent denies
access and takes appropriate action.
In addition to providing basic access checks during standard authentication, agents
also handle several security-related housekeeping tasks, such as those related to the
Next Tokencode mode and the New PIN mode.
In the Next Tokencode mode, Authentication Manager requests for the next tokencode
displayed on the user’s token. If the next tokencode is not sent to Authentication
Manager, the authentication fails.
The Authentication Manager administrator determines if the user associated with a
particular token requires a new PIN, and also the characteristics of the PIN. In the
New PIN mode, the agent prompts the user for a new PIN, and sends the information
to Authentication Manager.

2
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

System Requirements
This section describes the minimum software requirements for installing the agent.

Requirement Support

Operating System RHEL 4.8 (ES and AS)

RHEL 5.8: 32-bit and 64-bit
RHEL 6.2: 32-bit and 64-bit
Intel Xeon: 32-bit and 64-bit
AMD Opteron: 32-bit and 64-bit
VMWare ESX 4.0
VMware VSphere 5

RSA Authentication Versions 6.1.3, 7.1 SP2, and 7.1 SP4

Manager

Tools • telnet
• login
• rlogin
• su
• ssh (ssh, sftp and scp)
• sudo
• ftp (limited to a single transaction)
• gdm

OpenSSH (Optional) 6.0 P1

OpenSSH tools (Optional) • ssh

• sftp
• scp

Prerequisites
You must ensure that you have the following, to be able to install the agent.

 You have root permissions on the agent host.

 You have created an installation directory on the machine on which

you are installing the PAM agent.

 You have the latest version of the sdconf.rec file from RSA
Authentication Manager stored in an accessible directory, such as
/var/ace, on the agent host.

3
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

 The root administrator on the host has write permission to the

directory in which the sdconf.rec file is stored.

 You have created an agent host record for the PAM agent in the
Authentication Manager database. For more information, see the
RSA Authentication Manager documentation.

 If you are using OpenSSH, you must have the additional software
required for compiling source code. This software is available at
www.OpenSSH.org. This web site contains important information
about using open source software, such as the required compiling
tools and other prerequisites.

 The agent host IP address is specified. For more information see

“Specify the Agent Host IP Address” on page 4.

Installing the RSA Authentication Agent 7.1 for PAM

Installing the PAM agent involves setting up your environment and running the
installation script. This section describes these tasks.
Complete the following tasks to install the agent:
• Specify the Agent Host IP Address
• Configure SSH
• Install the PAM Agent
• Perform a Test Authentication

Specify the Agent Host IP Address

To specify the agent host IP address:
1. On the agent host, use any text editor to create an sdopts.rec file in the path where
the sdconf.rec file is saved.
2. Type:
CLIENT_IP=x.x.x.x
where x.x.x.x is the IP address of the agent host

Note: Use only uppercase letters, and do not include any spaces.

3. Save the file.

The agent host uses the IP address that you specified to communicate with the
Authentication Manager.

4
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Configure SSH
The PAM agent is compatible with OpenSSH. To display passcode authentication
messages to users, the sshd_config file must be edited. To do this, you must have
successfully downloaded and installed the OpenSSH software, and configured the
PAM modules to work with OpenSSH. Refer to the OpenSSH documentation for any
installation information.

To display passcode authentication messages to users:

1. Open the sshd_config file.
2. Set the UsePAM parameter to yes.
3. Set the PasswordAuthentication parameter to no.
This disables the OpenSSH password prompt so that the PAM agent is used
instead. As a result, the user is prompted for an RSA SecurID passcode only.
4. Set the UsePrivilegeSeparation parameter to no.
5. Set the ChallengeResponseAuthentication parameter to yes.

Install the PAM Agent

To install the PAM agent:
1. Change to the PAM agent installer directory.
2. Untar the file by typing:
tar -xvf <filename.tar>
3. Run the install script by typing:
/<filename>/install_pam.sh
4. Follow the prompts until you are prompted for the sdconf.rec directory:
• If the path is correct, press ENTER.
• If the path is incorrect, enter the correct path.
5. For each of the subsequent installation prompts, press ENTER to accept the
default value, or enter the appropriate value.

Note: After installation, check that VAR_ACE in the /etc/sd_pam.conf file points to
the correct location of the sdconf.rec file. This is the path to the configuration files.
The whole path must have -rw------- root permission.

Perform a Test Authentication

You must perform a test authentication to ensure that the PAM agent is functioning
properly. For information on how to perform a test authentication, see “acetest” on
page 16.

5
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Upgrading to the PAM 7.1 Agent

You can upgrade only from version 6.0 and 7.0. Back up the configuration files before
overwriting to save the configuration settings, if required.

Before You Begin

Configure the RSA SecurID protected tools to use the standard PAM module provided
with your operating system.

Important: Make sure that the RSA SecurID protected tools are using the standard
PAM modules and not the RSA PAM module. Any active sessions using the RSA
PAM modules must be closed before you proceed with the upgrade to ensure that the
upgrade is successful.

To upgrade to version 7.1 of the agent, complete the following tasks:

1. Install the PAM Agent.
2. Overwrite the existing installation files.
3. Type y, when the installer prompts you to overwrite your current installation.
4. Run the Conversion Utility.

Note: This step is only required for upgrading from version 6.0 to 7.1.

Obtain the Agent Version Number

To obtain the version number of the installed agent for PAM:
1. Change to the <PAM Agent Install Directory>\lib\<bit version> directory.
2. Type the following line:
strings pam_securid.so | grep "Agent"
This returns the version number of the installed agent.

Configuring Tools
This section describes how to configure supported tools to work with the PAM agent.
• Configure su
• Configure telnet
• Configure login
• Configure ssh and Related Tools
• Configure rlogin
• Configure ftp

6
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

• Configure sudo
• Configure gdm

Configure su
To configure su to work with the PAM agent:
1. Change to /etc/pam.d directory.
2. Open the su file.
3. Comment any lines with "auth."
4. Add the line:
auth required pam_securid.so

Configure telnet
To configure telnet to work with the PAM agent:

Note: PAM Agent 7.1 does not support kerberos telnet.

1. Change to the /etc/pam.d directory.

2. Open the remote file.
3. Comment any lines containing "auth."
4. Add the line:
auth required pam_securid.so

Configure login
To configure login to work with the PAM agent:
1. Change to the /etc/pam.d directory.
2. Open the login file.
3. Comment lines containing "auth."
4. Add the line:
auth required pam_securid.so

Configure ssh and Related Tools

To configure ssh and related tools such as scp and sftp to work with the PAM
agent:
1. Change to the /etc/pam.d directory.
2. Open the sshd file.
3. Comment lines containing "auth."
4. Add the line:
auth required pam_securid.so

7
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Configure rlogin
To configure rlogin to work with the PAM agent:
1. Change to the /etc/pam.d directory.
2. Open the rlogin file.
3. Comment lines containing "auth."
4. Add the line:
auth required pam_securid.so

Configure ftp
To configure ftp to work with the PAM agent:
1. Change to the /etc/pam.d directory.
2. Open the vsftpd file.
3. Comment lines containing "auth."
4. Add the line:
auth required pam_securid.so

Configure sudo
To configure sudo to work with the PAM agent:
1. Change to the /etc/pam.d directory.
2. Open the sudo file.
3. Comment all the lines in the authentication section.
4. Add the line:
auth required pam_securid.so

Configure gdm
To configure gdm to work with the PAM agent:
1. Change to the /etc/pam.d directory.
2. Modify the gdm, gdm-password and gdm-autologin files as follows:
a. Open each gdm file.
b. Comment all the lines in the authentication section.
c. Add the line:
auth required pam_securid.so

8
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Configuring the Agent

You can customize the PAM agent configuration to use the agent features, and the
UNIX features supported by the agent. Before you make any configuration changes,
make backup copies of the original configuration files.
On Linux, multiple configuration files are located in the /etc/pam.d directory. Each
file uses the name of the connection tool.

Follow the steps below to configure various features on the agent:

• Enable Debug Output
• Enable SecurID Trace Logging
• Configure Stackable Modules
• Use Reserve Passwords
• Enable Selective SecurID Authentication
• Configure Exponential Backoff Time

Enable Debug Output

To enable debug output for the PAM agent, edit the configuration file by adding a
debug argument as described below. For more information, see “System Log
Messaging” on page 19.

To enable debug output for the PAM agent:

1. Change to /etc/pam.d
2. Edit the appropriate file by adding a debug argument for the pam_securid.so
module. Type:
auth required pam_securid.so debug

Enable SecurID Trace Logging

To enable logging for the PAM agent and for the authentication utilities acetest and
acestatus, set the following variables in the /etc/sd_pam.conf file.
• RSATRACELEVEL=<value>
This variable enables detailed agent logging and sets the level of logging. The
default value is 0.

Value Description

0 Disables logging

1 Logs regular messages

2 Logs function entry points

4 Logs function exit points

9
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Value Description

8 All logic flow controls use this (ifs)

Note: For combinations, add the corresponding values. For example, to log
regular messages and function entry points, set the value to 3.

• RSATRACEDEST=<filepath>
Specify the file path where the logs must be redirected. By default this is blank. If
you do not set this variable in /etc/sd_pam.conf, the logs go to standard error for
authentication utilities acetest and acestatus, and no logs are generated for
authentication tools, even if the RSATRACELEVEL value has been specified.

Note: Default values refer to values when the agent is installed.

Configure Stackable Modules

The PAM agent can be used in a stacked configuration. You can use the agent to
integrate the RSA SecurID PAM authentication module with other PAM
authentication modules in your environment. You can configure the priority of
authentication challenges by editing the appropriate configuration file—
/etc/pam.d/<tool name>.
In a stacked configuration, the password or passcode is passed from the previous
authentication module. The agent also passes parameters to the next authentication
module, and is qualified to work with the arguments—use_first_pass and
try_first_pass:
use_first_pass. When this argument is used, the agent uses only the password or
passcode passed from the previous module, and denies access if the credentials do
not match. The user is not prompted for authentication again.
try_first_pass. When this argument is used, the agent uses the password or
passcode passed from the previous module. If the credentials do not match, the
user is prompted for authentication.

Important: When users excluded from SecurID authentication make failed login
attempts to access the RSA PAM module, the exponential backoff feature ensures that
RSA PAM module retains control until login is successful or the authentication
session ends. For more information on configuring exponential backoff time, refer to
Configure Exponential Backoff Time.

The following section describes how to configure a connection tool (login tool) in a
stacked environment on RHEL 4.8.

10
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

To configure the connection tool (login) to work in a stacked environment:

1. Change to /etc/pam.d and open the login file.
The following text is displayed:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_selinux.so open
2. Comment the following lines:
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
3. Add the following lines. Type:
auth required pam_securid.so
auth required pam_ldap.so

Use Reserve Passwords

The PAM agent allows reserve passwords to be used by root administrators only.
Reserve passwords allow administrators access to hosts during unforeseen
circumstances, such as loss of communication between the agent and Authentication
Manager. In these situations, administrators have the ability to temporarily disable the
agent, if users require immediate access to the hosted resources.

Note: The UNIX password serves as the reserve password.

To configure the tool to use reserve passwords:

1. Open the appropriate file in /etc/pam.d.

2. Add a reserve argument to the pam_securid.so module. Type:
auth required pam_securid.so reserve

11
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Enable Selective SecurID Authentication

You can follow the steps below to configure the agent to selectively always
prompt or never prompt users or groups for authentication:
• Enable Selective SecurID Authentication for UNIX Groups
• Enable Selective SecurID Authentication for UNIX Users

Note: When selective group support and selective user support are both
enabled, selective user support is considered.

The following table lists the possible values which can be set in the sd_pam.conf file.

ENABLE_GROUPS ENABLE_USERS
Result
_SUPPORT _SUPPORT

0 0 Neither feature is enabled.

0 1 Selected User support is enabled.

1 0 Selected Group support is enabled.

1 1 Selected User support is enabled.

Enable Selective SecurID Authentication for UNIX Groups

You can configure the PAM agent to always prompt specific groups to authenticate
with SecurID, or to never prompt specific groups to authenticate with SecurID.
Group members excluded from SecurID authentication can be authenticated either
with UNIX credentials or through another PAM module in the stack. This can be
configured with the PAM_IGNORE_SUPPORT parameter.

Note: Do not specify Authentication Manager groups. This feature is for UNIX
groups only.

To enable selective SecurID Authentication for UNIX groups:

1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the ENABLE_GROUP_SUPPORT parameter to 1. The default value is 0.
3. Populate the LIST_OF_GROUPS parameter.
4. Set the value for the INCL_EXCL_GROUPS parameter.
The possible values are:
• 0—Disable SecurID authentication for the listed groups.
• 1—Enable SecurID authentication only for the listed groups.
The default value is 0.

12
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

5. (Optional) Set the PAM_IGNORE_SUPPORT parameter.

The possible values are:
• 0—Enable UNIX password authentication.
• 1—Disable UNIX password authentication.
The default value is 0.

Note: This parameter is applicable only to groups excluded from SecurID

authentication.

6. Save the file.

Note: Default values refer to values when the agent is installed.

Enable Selective SecurID Authentication for UNIX Users

You can configure the PAM agent to always prompt specific users to authenticate with
SecurID, or to never prompt specific users to authenticate with SecurID.
Users excluded from SecurID authentication can be authenticated either with UNIX
credentials or through another PAM module in the stack. This can be configured with
the PAM_IGNORE_SUPPORT_FOR_USERS parameter.

To enable selective SecurID Authentication for UNIX users:

1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the ENABLE_USERS_SUPPORT parameter to 1. The default value is 0.
3. Populate the LIST_OF_USERS parameter.
4. Set the value for the INCL_EXCL_USERS parameter.
The possible values are:
• 0—Disable SecurID authentication for the listed users.
• 1—Enable SecurID authentication only for the listed users.
The default value is 0.
5. (Optional) Set the PAM_IGNORE_SUPPORT_FOR_USERS parameter.
The possible values are:
• 0—Enable UNIX password authentication.
• 1—Disable UNIX password authentication.
The default value is 0.

Note: This parameter is applicable only to users excluded from SecurID

authentication.

6. Save the file.

Note: Default values refer to values when the agent is installed.

13
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Configure Exponential Backoff Time

The PAM Agent allows you to configure the time required to authenticate after each
successive failed login attempt for a user excluded from SecurID authentication.The
default value for this parameter is set to 4.
This can be configured with the
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS parameter.

To configure exponential backoff time:

1. Change to the /etc directory, and open the sd_pam.conf file.
2. Set the BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS parameter
to N. N can be configured as follows:

N Authentication behavior

0 Disable retry UNIX

authentication after failed
login attempt

1,2,3 Enable retry UNIX

authentication after failed
login attempt but treated
setting as pow(3,
failattempts) sec delay

4 Enable retry UNIX

authentication after failed
login attempt with pow(4,
failattempts) sec delay

5/Above Enable retry UNIX

authentication after failed
login attempt with
pow(5/Above, failattempts)
sec delay

Important: If the
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS parameter is
set to 0, there will be no authentication delay for login attempts that follow a
failed login attempt. If you are using an older version of the PAM Agent
configuration file in which the
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS parameter is
not present then PAM Agent 7.1 will set
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4.

14
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Known Configuration Issues

This section describes known issues with tools on RHEL.

Tool Known Issue

ftp • When you use SecurID to protect ftp, the SecurID

authentication prompts and error messages are not
displayed to users. Only standard operating system (OS)
prompts and error messages are displayed.

Note: Users must enter their user name at the OS user

name prompt, and their SecurID passcode at the OS
password prompt.
If a user is uncertain as to the status of a token (for
example, if the token is in the Next Tokencode mode, or
the New PIN mode), the user must to authenticate with
another connection tool, such as rlogin to verify that the
PIN or tokencode is still valid.

• FTP does not support Exponential Backoff Delay

ssh After three unsuccessful SecurID authentication attempts

are made in a single session, the connection is closed. You
must terminate the session, and start another session.

rlogin If the first attempt to process an rlogin request fails, the

session is handed off to the login daemon. Therefore, if
you configure Linux to use rlogin, you must configure the
remote file in /etc/pam.d.

gdm PAM agent messages may get truncated. The gdm theme
can be configured appropriately to avoid this issue.

Uninstall the RSA Authentication Agent 7.1 for PAM

This section provides information on how to uninstall the 7.1 agent for PAM.

Before you Begin

1. Configure the RSA SecurID protected tools to use the standard PAM module
provided with your operating system.

Important: Make sure that the RSA SecurID protected tools are using the
standard PAM modules and not the RSA PAM module. Any active sessions
using the RSA PAM modules must be closed before you proceed with
uninstallation to ensure that the uninstall is successful.

2. Verify that you have root permissions on the host.

15
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

To uninstall the PAM agent:

1. Change to the PAM agent home directory.
2. Run the uninstall script. Type:
./uninstall_pam.sh

Next Step
Verify that the installation directory has been removed. If the directory still exists, you
must remove it manually.

Troubleshooting
This section describes how to troubleshoot using the various utilities of the PAM
agent.

Upgrade and Uninstall

If an administrator tries to upgrade to PAM agent 7.1 or uninstall PAM agent 7.1
without disabling the RSA PAM module, the administrator may get an error message:
‘pam_securid.so is busy, not able to remove/replace’.
To resolve this issue administrator will have to login with tools other than ssh and
remove pam_securid.so.

Authentication Utilities
The authentication utilities are located in the following directories:
• 32-bit operating system: <pam agent home>/bin/32bit
• 64-bit operating system: <pam agent home>/bin/64bit
Use these utilities to:
• Perform a test authentication. For more information, see “acetest.”
• Verify communication between the PAM agent and the Authentication Manager.
For more information, see “acestatus.”
You can enable logging for these utilities. For more information, see “Enable SecurID
Trace Logging” on page 9.

acetest
This utility checks that the agent is functioning properly, by performing a test
authentication.

To perform a test authentication:

1. Change to the PAM agent authentication utilities directory.
2. Type:
./acetest
3. Enter a valid user name and passcode.

16
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

If you are repeatedly denied access, test the Authentication Manager status. For more
information, see “acestatus” on page 17, or contact your Authentication Manager
administrator.

acestatus
This utility checks the status of each Authentication Manager on which the PAM agent
is registered as an agent host.

To check the Authentication Manager status:

1. Change to the PAM agent utilities directory.
2. Type:
./acestatus
This gives information on the Authentication Manager server including server name
and address.

Note: If you have questions concerning any of the following information, contact your
Authentication Manager administrator.

The following table lists the information displayed in the Authentication Manager
section.

Returned Information Description

Configuration Version The version of the sdconf.rec file that is in use. For
Authentication Manager 5.1 or later, this number is
14.

DES Enabled If your configuration environment supports legacy

protocols, YES is displayed.

Client Retries The number of times the PAM agent sends

authentication data to Authentication Manager
before a time-out occurs.

Client Timeout The amount of time (in seconds) that the PAM agent
waits before resending authentication data to
Authentication Manager.

Server Release The version number of Authentication Manager.

Communication The protocol version used by Authentication

Manager and the PAM agent.

17
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

The following table lists the status information displayed in the Authentication
Manager section.

Status Information Description

Server Active Address The IP address that the PAM agent uses to
communicate with the server. This address could be
the actual IP address of the server you have selected,
or it could be an alias IP address assigned to the
server. An IP address of 0.0.0.0 indicates that the
agent has not yet received communication from the
server.

The following table lists the server status information displayed in the Authentication
Manager section.

Server Status Description

Available for This server is available to handle authentication

Authentications requests.

Unused The server has not yet received an authentication

request.

For Failover only The server is reserved for failover use only.

Default Server During Only this server is available to handle requests at this
initial requests time.

Conversion Utility
The conversion utility is used when:
• Upgrading to the 7.1 agent.
• The PAM agent co-exists with other SecurID agents.

ns_conv_util
The conversion utility ns_conv_util is located in the following directories:
• 32-bit operating system: <pam agent home>/bin/32bit
• 64-bit operating system: <pam agent home>/bin/32bit and <pam agent
home>/bin/64bit

To run the conversion utility:

1. Change to the PAM agent utilities directory.
2. Type ./ns_conv_util. and give the path to the existing SecurID file location in the
machine as first parameter and new destination location of SecurID file as the
second parameter.
./ns_conv_util <Existing_Securid_file_path>

18
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

<New_Securid_dir_path>
where:
• Existing_Securid_file_path is the path where the SecurID file exists.
• New_Securid_dir_path is the directory where the newly generated SecurID
file should be stored.
For example:
./ns_conv_util /var/ace/securid /var/ace_pam/
If the new destination location is not the same as the location pointed out by
VAR_ACE, you must copy the new securid file to this location.

System Log Messaging

By default, several PAM agent authentication messages are recorded in the system
log. For tracing purposes, you can configure your system log to record all PAM agent
authentication log messages. See “Enable Debug Output” on page 9.

Configure the System Log

To send all authentication messages to the system log:

1. Change to the /etc/ directory.
2. Open the syslog.conf file.
3. Add auth.notice parameter to the line that specifies your system log file.
4. Remove the authpriv.none parameter, if it is specified for the system log file.
5. If you are using telnet or login, add authpriv.notice parameter to the line that
specifies the system log file.
6. Save your changes.
7. Restart the syslog daemon.

PAM Agent Authentication Log Messages

The following table lists the authentication log messages.

Message Description

Cannot locate The configuration file sd_pam.conf is not in

sd_pam.conf file the /etc directory; /etc must contain the
correct configuration file so that the
VAR_ACE can be set properly.

AceInitialize failed AceInitialize is an API function call that

initializes worker threads, and loads
configuration settings from sdconf.rec.
Verify that you have the latest copy of
sdconf.rec from your Authentication
Manager administrator and that the
VAR_ACE is set properly.

19
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Message Description

Cannot communicate with Either the Authentication Manager brokers

RSA ACE/Server are not started, or there has been a network
failure. Contact your Authentication
Manager administrator or your network
administrator.

Reserve password exceeds The maximum character limit for reserve

character limit passwords is 256 characters.

Invalid reserve password The reserve password is the same as the

system password for the host. You must
know this password if Authentication
Manager is unable to process authentication
requests.

User name exceeds The user name must not exceed 31

character limit characters.

Reserve password not Verify that you are a root user. Only root
allowed. User is not root. users can use the reserve password.

Critical File Information

In addition to the binaries (pam_securid.so, acetest, acestatus, and ns_conv_util),
the PAM agent maintains the critical files listed in the following table.

File Description

sdconf.rec This file is generated by Authentication Manager server,

and contains configuration information that controls the
behavior of the PAM agent. This file permission should
be -rw------- root root.

sdstatus.1 This file is generated by the authentication API to track

the last known status of the SecurID Authentication
Manager servers. This file permission should be
-rw------- root root.

securid This file contains a shared secret key used to protect the
communication between the local machine and
Authentication Manager. The name of this file is derived
from the local system's configured protocol name for the
port over which the agent communicates with
Authentication Manager, usually via the "services" file.
This file permission should be -r-------- root root.
However, it also depends on the OS Umask setting.

20
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

File Description

/etc/sd_pam.co Contains configuration settings that control behavior of

nf the PAM agent. This file permission should be -rw-r--r--
root root.

SELinux

Custom Path
When SELinux is enabled, custom path settings for VAR_ACE and
RSATRACEDEST will not work
Workaround: The administrator has to perform the following steps to enable custom
path settings:
1. semanage fcontext -a -t var_t<custom_directory_path>
2. restorecon _R <custom_directory_path>

SELinux for RHEL 6.2

This section describes the commands and utilities required for managing and
troubleshooting SELinux for RHEL 6.2.

To manage and troubleshoot SELinux (32-bit):

1. Install the following RPMs, as prerequisites to policycoreutils-python:
• rpm -ivh setools-libs-3.3.7-4.el6.i686.rpm
• rpm -ivh setools-libs-python-3.3.7-4.el6.i686.rpm
• rpm -ivh audit-libs-python-2.1.3-3.el6.i686.rpm
• rpm -ivh libsemanage-python-2.0.43-4.1.el6.i686.rpm
2. Install policycoreutils-python.
rpm -ivh policycoreutils-python-2.0.83-19.18.el6.i686.rpm

Note: Policycoreutils-python provides utilities such as semanage,audit2allow,

audit2why and chchat.

3. Install the following RPMs, as prerequisites to settroubleshoot-server:

rpm -ivh setroubleshoot-plugins-3.0.16-1.el6.noarch.rpm --nodeps
4. Install setroubleshoot-server.
rpm -ivh setroubleshoot-server-3.0.38-2.1.el6.i686.rpm

Note: Setroubleshoot-server translates denial messages, produced when

SELinux denies access, into detailed descriptions that are viewed with sealert
(provided by this package).

5. Run the following command to troubleshoot SELinux. Type:

auditd

21
 RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

6. Access the following files depending on the type of error messages, that you want
to view:
• For the “SELinux is preventing” type of error messages, see the
etc/var/log/messages file
• For the “access denied” type of error messages, see the
etc/var/log/audit/audit.log file

Note: These files contain the log IDs corresponding to the error message.

7. Run the following command to resolve the errors. Type:

sealert log ID
where log ID is the log ID corresponding to the error message.

Configuring Tools

rlogin
Rlogin prompts for a password instead of a passcode, when ambiguous entries are
present in /etc/hosts file.
Workaround: If a machine name exists next to the loopback IP address and actual
machine address, then remove the machine name next to the loopback IP address;
rlogin will then behave as expected.
When a user tries to access the system using rlogin tool and enters wrong credentials,
the system redirects the authentication process to the telnet tool, and the system may
prompt for password/passcode as per the telnet configuration.
Workaround: When rlogin is protected with SecurID, telnet must also be protected
with SecurID and vice versa.

Support and Service

RSA SecurCare Online https://knowledge.rsasecurity.com

Customer Support Information www.rsa.com/support

RSA Secured Partner Solutions Directory www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common

questions and solutions to known problems. It also offers information on new releases,
important technical news, and software downloads.
The RSA Secured Partner Solutions Directory provides information about third-party
hardware and software products that have been certified to work with RSA products.
The directory includes Implementation Guides with step-by-step instructions and
other information about interoperation of RSA products with these third-party
products.

22
RSA Authentication Agent 7.1 for PAM—Installation and Configuration Guide for RHEL

Before You Call Customer Support

Make sure that you have direct access to the computer running the RSA
Authentication Agent for PAM software.
Please have the following information available when you call:
 Your RSA Customer/License ID.
 RSA Authentication Agent for PAM software version number.
 The make and model of the machine on which the problem occurs.
 The name and version of the operating system under which the problem occurs.

Copyright © 2007-2013 EMC Corporation. All Rights Reserved.

January 2013

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC
Corporation in the United States and/or other countries. All other trademarks used herein are
the property of their respective owners. For a list of RSA trademarks, go to
www.rsa.com/legal/trademarks_list.pdf.

23