Unchallenged Active Directory users fail to authenticate with RSA Authentication Agent for PAM
a month ago
Originally Published: 2020-01-21
Article Number
000043725
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Issue
When an unchallenged Active Directory user tries to authenticate to a Linux system protected using the RSA Authentication Agent for PAM, they are asked to provide a password. However, after entering the password, authentication fails even though the password is correct.  
Cause

The RSA MFA Agent 9.0 for PAM - Installation and Configuration Guide for Oracle Linux RHEL Ubuntu CentOS and Rocky Linux instructs administrators to comment all auth modules in the protected service and keep pam_securid.so as the only available auth module. This is shown in the example below:

#%PAM-1.0
auth	   required	pam_securid.so
#auth	   required	pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin


That is acceptable if the environment is dealing with internal Linux users, as pam_securid.so can handle both SecurID authentication and Linux authentication. However, when it gets to Active Directory users, pam_securid.so cannot handle Active Directory authentication. 
 

Resolution
The solution would be to add the module that can handle Active Directory authentication. Whether it would be pam_winbind.so, pam_sssd.so or some other module. That would depend on how Active Directory is integrated. After adding the needed module, stack them in a way to achieve the required output. Moreover, you must change the config of PAM to pass non-SecurID authentications to subsequent modules. 

This configuration authenticates the SecurID passcode first then the AD password for challenged users and only the AD password for unchallenged users. In this example, assume that AD integration is using WinBind.

  1. In /etc/sd_pam.conf, change both PAM_IGNORE_SUPPORT_FOR_USERS and PAM_IGNORE_SUPPORT to 1, as shown in bold: 
    #PAM_IGNORE_SUPPORT_FOR_USERS 
#              :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
#              :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=1

#PAM_IGNORE_SUPPORT 
#              :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#              :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=1
  2. In the protected module (for example, sshd /etc/pam.d/sshd), change the auth config to be as follows. 
    auth	   required	pam_securid.so	not_set_pass
auth	   required	pam_windbind.so	
#auth	   required	pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin
If you would like SecurID authenticated users not to be asked for their AD password, this can be achieved using PAM complex control values as shown below. However, these advanced control values are not supported on all Linux systems. Check your operating system documentation to know whether it is supported for your version.  
auth	   [success=done ignore=ignore default=die]  pam_securid.so  not_set_pass
auth	   required	pam_windbind.so	
#auth	   required	pam_sepermit.so
#auth       substack     password-auth
#auth       include      postlogin

Related Articles

Trending Articles

Don't see what you're looking for?