LinuxQuestions.org
Old 02-20-2018, 03:55 PM   #1
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Rep: Reputation: 0
RHEL 6.9 PowerBroker and RSA for Two-Factor Auth - setup


long time user, first time poster..

I have approx 100 RHEL boxes I need to get TFA working on.

These are RHEL 6.9 boxes. There are no local users. Users are managed by PowerBroker Identity Services (PBIS). They are using the pam_lsass.so module and the old Likewise agent.

I am trying to leverage the RSA PAM module pam_securid.so for SSHD auth. I followed their documentation to install the module and the agent. My Security team built the configs for me to add to the box and I can see traffic hitting their servers when I try to auth.

The first error I get is "Feb 20 11:11:11 15rcorev01 sshd[20683]: PAM _pam_load_conf_file: unable to open /etc/pam.d/pam_securid.so"
I have a ticket in with RSA about this as well.

Again, there are NO local users on the box.

Has anyone been able to leverage any TFA solutions on a Linux box with no 'local' users?

I am looking at testing GoogleAuthenticator and someone said there is a Microsoft Authenticator also, but haven't researched this one.

Decoupling PBIS is an option, but I still have to be able to manage my users with AD. I am looking at testing a winbind and or ldap config to manage users/groups via AD, but have not configured this yet.

Any thoughts would be appreciated.
 
Old 02-21-2018, 09:21 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669
Quote:
unable to open /etc/pam.d/pam_securid.so
That is saying pam_securid.so is not found in /etc/pam.d (or doesn't have permissions allowing it to be opened).

I wouldn't expect a .so (shared object/library) to be in /etc/pam.d. Typically such files are in a location like /lib64, /lib, /usr/lib64 or /usr/lib. You might want to check the documentation and see if the config file in pam.d should be specifying the .so in one of those directories. Also verify the file pam_securid.so IS in the directory specified.

NB: I haven't worked on what you're asking about but the above message stood out.
 
Old 02-21-2018, 12:13 PM   #3
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
I agree. I tried moving the module there, but the errors were much worse. I took it out of the pam.d directory and made 'some' progress today by configuring only the sshd pam module. I used various parameters, and I do not receive the error anymore after creating a local user that matches my RSA username. I set it up with /sbin/nologin, but still no luck. Again, once I created a local user to match the RSA userID, the pam_securid.so error stopped. I contacted RSA, and their response so far is their module doesn't work well with RHEL 6.9, only RHEL 6.8.... SMH...
Any ideas welcome.
Thanks,
TJW
 
Old 02-21-2018, 02:59 PM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669Reputation: 1669
Not sure what you mean by "there" and "the module". I'm assuming there should be a pam CONFIGURATION file somewhere under /etc/pam.d. My point was your message shows it is looking for a shared object/library under /etc/pam.d which isn't where I'd expect it to be. I was suggesting your CONFIGURATION file is specifying the wrong location for the .so file.

Since I've not used the software you're talking about I can't be certain where the .so file should be but suggested likely alternatives.

So first things first:
Does the file pam_securid.so exist on your server? (find / -name pam_securid.so).
Where does it exist?
What permissions are on it?
 
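Editor's note: the logged message can be read more precisely than "wrong path". In Linux-PAM, `_pam_load_conf_file` is the routine that opens a configuration file under /etc/pam.d, and for an already-running service such as sshd it is reached through an `include` or `substack` line; a line that puts a module name in that position makes libpam look for `/etc/pam.d/pam_securid.so`. The script below is an added diagnostic, not code from the thread, from RSA or from BeyondTrust. It assumes the usual RHEL 6 module directories, and the sample /etc/pam.d/sshd it writes is constructed, because the original configuration is not shown in the thread.

```shell
#!/bin/sh
# Added diagnostic; not code from the thread, RSA or BeyondTrust. In Linux-PAM
#   PAM _pam_load_conf_file: unable to open /etc/pam.d/<name>
# is logged by the routine that opens a *config file* under /etc/pam.d. For a
# running service (sshd) it is reached through an "include" or "substack" line,
# so
#   auth  include  pam_securid.so
# makes libpam look for a config file called pam_securid.so. Modules belong in
# the third column of an ordinary line,
#   auth  required  pam_securid.so
# and a bare name is resolved under /lib64/security (or /lib/security).
# Assumptions: the sample sshd config below is constructed (the real one is not
# on the page) and the module directories are the usual RHEL 6 locations.

PAM_DIR="${PAM_DIR:-/etc/pam.d}"
MODULE_DIRS="${MODULE_DIRS:-/lib64/security /lib/security /usr/lib64/security /usr/lib/security}"

# True when a module name (bare or absolute) is an existing file.
module_exists() {
    m=$1
    case "$m" in
        /*) [ -e "$m" ] && return 0 ;;
        *)  for d in $MODULE_DIRS; do
                [ -e "$d/$m" ] && return 0
            done ;;
    esac
    return 1
}

# Scan one pam.d file. Prints a finding per bad line; returns 1 if there were any.
check_pam_config() {
    f=$1; rc=0; n=0
    set -f                                     # no globbing while splitting lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                           # split the line into fields
        case "${1:-}" in ''|'#'*) continue ;; esac
        if [ $# -lt 3 ]; then
            echo "$f:$n: malformed line: $line"; rc=1; continue
        fi
        shift                                  # drop the type column (auth, account, ...)
        control=$1; shift
        # a bracketed control such as [success=1 default=ignore] spans several fields
        if [ "${control#\[}" != "$control" ]; then
            while [ "${control%\]}" = "$control" ] && [ $# -gt 0 ]; do
                control="$control $1"; shift
            done
        fi
        module=${1:-}
        case "$control" in
            include|substack)
                case "$module" in
                    *.so)
                        echo "$f:$n: '$control $module' names a module where a config file is expected; libpam will try to open $PAM_DIR/$module"
                        rc=1 ;;
                    *)
                        [ -e "$PAM_DIR/$module" ] || { echo "$f:$n: included file $PAM_DIR/$module does not exist"; rc=1; } ;;
                esac ;;
            *)
                module_exists "$module" || { echo "$f:$n: module $module not found in: $MODULE_DIRS"; rc=1; } ;;
        esac
    done < "$f"
    set +f
    return $rc
}

# Where a login name resolves from. sshd and PAM modules look users up with
# getpwnam(), which walks every source in /etc/nsswitch.conf, so an account
# served by PBIS/lsass, winbind or sssd ("nss") is as visible to them as one in
# /etc/passwd ("local"). "unknown" means no module will ever see the account.
user_source() {
    u=$1
    command -v getent >/dev/null 2>&1 || { echo unknown; return 1; }
    if getent passwd "$u" >/dev/null 2>&1; then
        if grep -q -- "^$u:" /etc/passwd 2>/dev/null; then echo local; else echo nss; fi
    else
        echo unknown; return 1
    fi
}

# Constructed sample (assumption) reproducing the thread's failure mode on line 2.
write_sample_sshd() {
cat > "$1" <<'EOF'
#%PAM-1.0
auth       include      pam_securid.so
auth       required     pam_securid.so
auth       [success=1 default=ignore] pam_lsass.so
auth       substack     password-auth
account    required     pam_nologin.so
EOF
}

# Stand-alone use:  sh pamcheck.sh --demo | sh pamcheck.sh /etc/pam.d/sshd [user]
case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        write_sample_sshd "$tmp/sshd"
        check_pam_config "$tmp/sshd" || true
        rm -rf "$tmp" ;;
    '') ;;                                     # no arguments: only define the functions
    *)
        if check_pam_config "$1"; then echo "$1: no findings"; fi
        if [ -n "${2:-}" ]; then user_source "$2"; fi ;;
esac
```

`sh pamcheck.sh --demo` reports line 2 of the sample (the include of a .so) and, on a box without PBIS, line 4 (pam_lsass.so absent from the module directories); `sh pamcheck.sh /etc/pam.d/sshd jdoe` runs the same checks against a real host. `module_exists` is the scripted form of the `find / -name pam_securid.so` suggested above. `user_source` separates the two things "no local users" conflates: an account missing from /etc/passwd is fine for PAM as long as `getent passwd` resolves it through PBIS, because the lookup goes through NSS. The script only reads the /etc/pam.d/ directory form, not the single-file /etc/pam.conf format.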
Old 02-21-2018, 05:22 PM   #5
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
I had tried copying the pam_securid.so to the /etc/pam.d/ directory for 'testing'. I agree that a shared object should not exist in that directory, but I wanted to see what it did and why. Regardless, that was not the main issue. The core issue is that I do not have a 'local' user to auth my RSA user against since PowerBroker is managing my users.

Yes, the .so file exists in /lib64/security/ as expected and perms are good. I created a local user to match the RSA userID and the 'unable to open pam_securid.so' message went away. What I found out today from RSA is they do not support RHEL 6.9. They support RHEL 6.8...

I was able to get the 'sudo' pam module to work with that RSA object, but that is not a solution for my requirements.

I am scrapping the idea of using RSA for TFA all together now, and will be researching FreeOTP for TFA.
 
Old 02-21-2018, 10:55 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
I know that you can use ldap + https://duo.com/ + cisco anyconnect vpn to provide a TFA and secured connection.
 