RHEL 6.9 PowerBroker and RSA for Two-Factor Auth - setup
Linux - Enterprise: This forum is for all items relating to using Linux in the Enterprise.
Long-time user, first-time poster.
I have approx 100 RHEL boxes I need to get TFA working on.
These are RHEL 6.9 boxes. There are no local users. Users are managed by PowerBroker Identity Services (PBIS). They are using the pam_lsass.so module and the old Likewise agent.
I am trying to leverage the RSA PAM module pam_securid.so for SSHD auth. I followed their documentation to install the module and the agent. My Security team built the configs for me to add to the box and I can see traffic hitting their servers when I try to auth.
The first error I get is "Feb 20 11:11:11 15rcorev01 sshd[20683]: PAM _pam_load_conf_file: unable to open /etc/pam.d/pam_securid.so"
I have a ticket in with RSA about this as well.
Again, there are NO local users on the box.
Has anyone been able to leverage any TFA solutions on a Linux box with no 'local' users?
I am looking at testing GoogleAuthenticator and someone said there is a Microsoft Authenticator also, but haven't researched this one.
Decoupling PBIS is an option, but I still have to be able to manage my users with AD. I am looking at testing a winbind and or ldap config to manage users/groups via AD, but have not configured this yet.
That is saying pam_securid.so is not found in /etc/pam.d (or doesn't have permissions allowing it to be opened).
I wouldn't expect a .so (shared object/library) to be in /etc/pam.d. Typically such files are in a location like /lib64, /lib, /usr/lib64 or /usr/lib. You might want to check the documentation and see if the config file in pam.d should be specifying the .so in one of those directories. Also verify the file pam_securid.so IS in the directory specified.
NB: I haven't worked on what you're asking about but the above message stood out.
I agree. I tried moving the module there, but the errors were much worse. I took it out of the pam.d directory and made 'some' progress today by configuring only the sshd pam module. I used various parameters, and I do not receive the error anymore after creating a local user that matches my RSA username. I set it up with /sbin/nologin, but still no luck. Again, once I created a local user to match the RSA userID, the pam_securid.so error stopped. I contacted RSA, and their response so far is their module doesn't work well with RHEL 6.9, only RHEL 6.8.... SMH...
Any ideas welcome.
Thanks,
TJW
Not sure what you mean by "there" and "the module". I'm assuming there should be a pam CONFIGURATION file somewhere under /etc/pam.d. My point was your message shows it is looking for a shared object/library under /etc/pam.d which isn't where I'd expect it to be. I was suggesting your CONFIGURATION file is specifying the wrong location for the .so file.
Since I've not used the software you're talking about I can't be certain where the .so file should be but suggested likely alternatives.
So first things first:
Does the file pam_securid.so exist on your server? (find / -name pam_securid.so).
Where does it exist?
What permissions are on it?
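The three checks above, plus a scan of the pam.d configs, as an added script (not from this thread or from RSA/PBIS). It assumes the module name, the pam.d directory and the library directories are passed as arguments; the pam.d scan flags "include"/"substack" lines that name a .so file, since those directives take a service name and are one way PAM ends up trying to open /etc/pam.d/<module>.so as a config file.

```sh
#!/bin/sh
# Added example: sanity-check a PAM module and the pam.d configs referencing it.
# Usage: pamcheck.sh pam_securid.so /etc/pam.d /lib64/security /lib/security

# Print the path of the first copy of the module found in the given directories.
find_pam_module() {
    name=$1; shift
    for d in "$@"; do
        if [ -f "$d/$name" ]; then printf '%s\n' "$d/$name"; return 0; fi
    done
    return 1
}

# Return 0 if the module is world-readable (sshd's privsep child is not root).
module_perms_ok() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case $perm in
        ???????r*) return 0 ;;   # 8th character is the "other" read bit
        *)         return 1 ;;
    esac
}

# List pam.d lines where include/substack is given a module file instead of a
# service name; PAM would try to open /etc/pam.d/<that name> as a config file.
bad_include_lines() {
    grep -nHE '^[[:space:]]*-?(auth|account|password|session)[[:space:]]+(include|substack)[[:space:]]+[^[:space:]]+\.so' "$1"/* 2>/dev/null
}

# Run all checks; exit status 0 only when everything looks consistent.
check_pam_module() {
    name=$1; pamd=$2; shift 2
    path=$(find_pam_module "$name" "$@") || { echo "MISSING: $name not in $*"; return 1; }
    echo "FOUND: $path"
    module_perms_ok "$path" || { echo "PERMS: $path is not world-readable"; return 1; }
    bad=$(bad_include_lines "$pamd")
    if [ -n "$bad" ]; then
        echo "BAD CONFIG (include/substack naming a .so):"; echo "$bad"; return 1
    fi
    return 0
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then check_pam_module "$@"; fi
```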
I had tried copying the pam_securid.so to the /etc/pam.d/ directory for 'testing'. I agree that a shared object should not exist in that directory, but I wanted to see what it did and why. Regardless, that was not the main issue. The core issue is that I do not have a 'local' user to auth my RSA user against since PowerBroker is managing my users.
Yes, the .so file exists in /lib64/security/ as expected and perms are good. I created a local user to match the RSA userID and the 'unable to open pam_securid.so' message went away. What I found out today from RSA is they do not support RHEL 6.9. They support RHEL 6.8...
I was able to get the 'sudo' pam module to work with that RSA object, but that is not a solution for my requirements.
I am scrapping the idea of using RSA for TFA altogether now, and will be researching FreeOTP for TFA.