Enable Linux password authentication along with RSA Authentication Agent for PAM
Originally Published: 2015-08-27
Applies To
RSA Product/Service Type: Authentication Agent for PAM
Issue
- Add the Unix password as an extra layer of security along with the passcode (PIN + tokencode); or
- Enable some users to login with their passwords only without the passcode.
Tasks
- Configure the pam.d config file that corresponds to the service for which you want to configure SecurID access (e.g., sshd, su, sudo).
- Configure the SecurID PAM module configuration file (sd_pam.conf).
- This article assumes that the basic configuration steps for the module, as documented with RSA SecurID Authentication Agent 8.1 for PAM, have already been completed.
- This article uses the SSH service as the example.
Resolution
Scenario 1
Enable SecurID users in the challenge group to enter a passcode (PIN + tokencode) and then the system password, while users who are not part of the SecurID challenge group enter only their system password.
- Login to the server on which the RSA Authentication Agent for PAM is installed.
- Change to root:
sudo su - root
- Navigate to /etc/pam.d:
cd /etc/pam.d
- Make a copy of the sshd file:
cp ./sshd ./sshd.rsabackup
- Using a text editor, edit /etc/pam.d/sshd:
vim /etc/pam.d/sshd
- Modify the file so the pam_securid.so and pam_unix.so values are as follows:
auth required pam_securid.so
auth required pam_unix.so
- Edit the sd_pam.conf to ignore users that are not in the SecurID challenge group:
- Login to the server on which the PAM agent is installed.
- Change to root:
su - root
- Navigate to /etc:
cd /etc
- Take a backup of the sd_pam.conf file.
cp ./sd_pam.conf ./sd_pam.conf.rsabackup
- Edit the sd_pam.conf:
vim /etc/sd_pam.conf
- This is where you configure the module to ignore users who are not challenged by SecurID. If you exclude users or groups from SecurID authentication in this same file, the SecurID PAM module becomes transparent to them and, given the /etc/pam.d/sshd stack configured above, they go directly to the Unix system password prompt. To do this, set the following entries to 1 so that excluded users and groups are ignored:
PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1
Scenario 2
Users in the SecurID challenge group are prompted for a passcode, while all other users are prompted for their system password or another default authentication method. Use this approach when users in the SecurID challenge group should be prompted for a passcode and users not in the group should authenticate with only a system password, or with whatever the customer has set as the default authentication method other than SecurID.
Note: Configuring an authentication method other than SecurID is out of this article's scope. The customer is to configure whatever authentication method required to meet corporate requirements.
- Login to the server on which the RSA Authentication Agent for PAM is installed.
- Change to root:
sudo su - root
- Navigate to /etc/pam.d:
cd /etc/pam.d
- Make a copy of the sshd file:
cp ./sshd ./sshd.rsabackup
- Using a text editor, edit /etc/pam.d/sshd:
vim /etc/pam.d/sshd
- Modify the file so the pam_securid.so value is as follows:
auth required pam_securid.so
- Navigate to /etc and make a copy of the sd_pam.conf:
cd /etc
cp ./sd_pam.conf ./sd_pam.conf.rsabackup
- Open the sd_pam.conf in a text editor:
vim /etc/sd_pam.conf
- Edit sd_pam.conf to ignore users not in the SecurID challenge group. This is where you configure the module to ignore users who are not challenged by SecurID: if you exclude users or groups from SecurID authentication in this same file, the SecurID PAM module becomes transparent to them and, given the /etc/pam.d/sshd stack configured above, they go directly to the Unix system password prompt.
- Edit those settings for excluding user(s) from SecurID authentication:
INCL_EXCL_USERS=1
LIST_OF_USERS=<someUser>
PAM_IGNORE_SUPPORT_FOR_USERS=0
- Only the specific user(s) listed will be challenged. After editing this entry, configure PAM_IGNORE_SUPPORT_FOR_USERS to NOT ignore users, so that the SecurID PAM module is responsible for either SecurID two-factor authentication or passwords; that is, also edit the following entry:
PAM_IGNORE_SUPPORT_FOR_USERS=0
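An added audit script (not part of this article or the RSA agent) that checks the two files edited in Scenario 1 and Scenario 2 and predicts which users the SecurID module will challenge. It runs against constructed copies of /etc/pam.d/sshd and /etc/sd_pam.conf; it assumes LIST_OF_USERS is colon-separated and that INCL_EXCL_USERS=1 means "challenge only the listed users" while 0 means "challenge everyone except them".

```shell
#!/bin/sh
# Constructed sample files standing in for /etc/pam.d/sshd and /etc/sd_pam.conf
# so the checks run offline; point the functions at the real files on a server.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' 'auth required pam_securid.so' 'auth required pam_unix.so' > "$TMP/sshd"
printf '%s\n' '# constructed Scenario 1 settings' 'PAM_IGNORE_SUPPORT=1' \
  'PAM_IGNORE_SUPPORT_FOR_USERS=1' 'INCL_EXCL_USERS=1' 'LIST_OF_USERS=alice:bob' \
  > "$TMP/sd_pam.conf"

# Print the value of KEY ($1) from an sd_pam.conf ($2), skipping commented lines.
conf_get() { grep -v '^[[:space:]]*#' "$2" | sed -n "s/^$1=//p" | head -n 1; }

# Scenario 1 stack check: both modules are 'required' and pam_securid.so is
# listed before pam_unix.so, so the passcode prompt precedes the system password.
stack_is_scenario1() {
  sec=$(grep -n '^auth[[:space:]]*required[[:space:]]*pam_securid\.so' "$1" | cut -d: -f1 | head -n 1)
  unx=$(grep -n '^auth[[:space:]]*required[[:space:]]*pam_unix\.so' "$1" | cut -d: -f1 | head -n 1)
  [ -n "$sec" ] && [ -n "$unx" ] && [ "$sec" -lt "$unx" ]
}

# Scenario 1 sd_pam.conf check: users outside the challenge group must be
# ignored by the module so they fall straight through to pam_unix.so.
conf_is_scenario1() {
  [ "$(conf_get PAM_IGNORE_SUPPORT "$1")" = 1 ] &&
  [ "$(conf_get PAM_IGNORE_SUPPORT_FOR_USERS "$1")" = 1 ]
}

# Would user $1 be prompted for a SecurID passcode under sd_pam.conf $2?
# Assumption: LIST_OF_USERS is colon-separated; INCL_EXCL_USERS=1 challenges
# only the listed users, anything else challenges all users except those listed.
user_is_challenged() {
  incl=$(conf_get INCL_EXCL_USERS "$2"); list=$(conf_get LIST_OF_USERS "$2")
  case ":$list:" in *":$1:"*) listed=1 ;; *) listed=0 ;; esac
  if [ "$incl" = 1 ]; then [ "$listed" = 1 ]; else [ "$listed" = 0 ]; fi
}

# Stand-alone run: report on the constructed files.
stack_is_scenario1 "$TMP/sshd" && conf_is_scenario1 "$TMP/sd_pam.conf" && echo "Scenario 1 layout OK"
for u in alice carol; do
  if user_is_challenged "$u" "$TMP/sd_pam.conf"; then echo "$u: passcode, then system password"
  else echo "$u: system password only"; fi
done
```

Run it as root on the agent host after swapping the constructed paths for /etc/pam.d/sshd and /etc/sd_pam.conf to confirm the stack order and the ignore settings before testing a live login.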
Notes
Notes for Scenario 1
- The entry for pam_unix.so performs authentication with the usual Unix password files, /etc/passwd and /etc/shadow.
- On other flavors of Unix the name of the pam_*.so file may differ; an internet search for "<OS> system password pam module" will list the equivalents.
- The required control flag means that every required module in a stack must pass for a successful result. If one or more required modules fail, the remaining modules in the stack are still invoked, but the first error is returned.
- The two lines of auth required pam_securid.so and auth required pam_unix.so will have a user authenticate with their SecurID passcode and then their Linux system password.