LinuxQuestions.org
Old 06-11-2012, 11:40 AM   #1
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 736

Rep: Reputation: 78
RSA SecurID Config Q


rhel 5.x

so, getting the RSA agent crud installed onto rhel, and, configuring PAM stack to use the securid.so is easy, but does each SecurID user need a local account (using useradd) before they can get a shell via SSH?
 
Old 06-11-2012, 02:03 PM   #2
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Yes, unless the RSA agent has the capability to handle the account requests (not the case, I believe). Or you can use ldap.

As a side note, I would recommend against using the proprietary RSA .so. Instead, use pam-radius or pam-ldap. Pam-radius should be just as easy to set up and configure and you get the added benefit of being able to switch two-factor authentication providers without having to make any changes on your hosts. Here is a doc on how to do it: http://www.wikidsystems.com/support/...-radius-how-to (written for our 2FA solution, but just ignore our bits).

The other benefit is including your directory in the authentication process for authorization. If you use radius, you can send the transaction to AD or LDAP via the MS radius plugin NPS and Freeradius, respectively. This configuration means that any user that is disabled in the directory can no longer log in remotely either. You don't want to have to disable users in two places. Also, directory admins would not also need to be admins on your 2FA server.

HTH,

Nick
 
Old 06-11-2012, 03:28 PM   #3
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 736

Original Poster
Rep: Reputation: 78
yeah, well, unfortunately this RSA solution is provided as a managed security service and the service does not have ability to tie back into customer's AD. it's something i wanted but simply can't have.

so, on each nix box a UID is created for the user and then "passwd -l uid" ??

is there a way to give SSH authenticated users (auth via RSA) a shell w/o having to create full local account on each system. the idea is to keep local accounts to a minimum, etc.
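
An added example, not part of any post in this thread: a shell audit for the setup discussed above, where each SecurID user has a local account whose password was locked with `passwd -l`. It checks that every listed user resolves to an account and that no usable local password is left beside the token. The function names and the sample passwd/shadow lines are constructed for illustration.

```sh
#!/bin/sh
# Constructed passwd/shadow-format samples; on a real host feed the output of
# `getent passwd` and `getent shadow` (run as root) instead.
SAMPLE_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'
SAMPLE_SHADOW='alice:!!$1$constructed$hash:15502:0:99999:7:::
bob:$1$constructed$hash:15502:0:99999:7:::'

# Classify the password field (2nd field) of one shadow-format line.
shadow_state() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo "empty" ;;     # login with no password at all
        '!'*|'*'*) echo "locked" ;;    # `passwd -l` puts '!' in front of the hash
        *)         echo "password" ;;  # usable local password remains
    esac
}

# audit_user USER PASSWD_DATA SHADOW_DATA -> prints "USER: state",
# returns 0 only when the account exists and its password is locked.
audit_user() {
    user=$1
    if ! printf '%s\n' "$2" | grep -q "^${user}:"; then
        echo "$user: no-account"       # user cannot be resolved, no shell
        return 1
    fi
    line=$(printf '%s\n' "$3" | grep "^${user}:") || line=
    if [ -z "$line" ]; then
        echo "$user: no-shadow-entry"  # e.g. account served from a directory
        return 1
    fi
    state=$(shadow_state "$line")
    echo "$user: $state"
    [ "$state" = "locked" ]
}

# Audit every name given; non-zero exit if any account needs attention.
audit_all() {
    rc=0
    for u in "$@"; do
        audit_user "$u" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || rc=1
    done
    return $rc
}

audit_all alice bob carol || echo "review the accounts flagged above"
```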
 
  

