LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices


Reply
  Search this Thread
Old 02-20-2018, 03:55 PM   #1
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Rep: Reputation: 0
RHEL 6.9 PowerBroker and RSA for Two-Factor Auth - setup


long time user, first time poster..

I have approx 100 RHEL boxes I need to get TFA working on.

These are RHEL 6.9 boxes. There are no local users. Users are managed by PowerBrokerIdentityServies(PBIS). They are using the pam_lsass.so module and the old LikeWise agent.

I am trying to leverage the RSA PAM module pam_securid.so for SSHD auth. I followed their documentation to install the module and the agent. My Security team built the configs for me to add to the box and I can see traffic hitting their servers when I try to auth.

The first error I get is "Feb 20 11:11:11 15rcorev01 sshd[20683]: PAM _pam_load_conf_file: unable to open /etc/pam.d/pam_securid.so"
I have a ticket in with RSA about this as well.

Again, there are NO local users on the box.

Has anyone been able to leverage any TFA solutions on a Linux box with no 'local' users?

I am looking at testing GoogleAuthenticator and someone said there is a Microsoft Authenticator also, but haven't researched this one.

Decoupling PBIS is an option, but I still have to be able to manage my users with AD. I am looking at testing a winbind and or ldap config to manage users/groups via AD, but have not configured this yet.

Any thoughts would be appreciated.
 
Old 02-21-2018, 09:21 AM   #2
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668
Quote:
unable to open /etc/pam.d/pam_securid.so
That is saying pam_securid.so is not found in /etc/pam.d (or doesn't have permissions allowing it to be opened).

I wouldn't expect a .so (shared object/library) to be in /etc/pam.d. Typically such files are in a location like /lib64, /lib, /usr/lib64 or /usr/lib. You might want to check the documentation and see if the config file in pam.d should be specifying the .so in one of those directories. Also verify the file pam_securid.so IS in the directory specified.

NB: I haven't worked on what you're asking about but the above message stood out.
 
Old 02-21-2018, 12:13 PM   #3
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
I agree. I tried moving the module there, but the errors were much worse. I took it out of the pam.d directory and made 'some' progress today by configuring only the sshd pam module. I used various parameters, and i do not receive the error anymore after creating a local user that matches my RSA username. I set it up with /sbin/nologin, but still no luck. Again, once I created a local user to match the RSA userID, the pam_securid.so error stopped. I contacted RSA, and there response so far is their module doesn't work well with RHEL 6.9, only RHEL 6.8.... SMH...
Any ideas welcome.
Thanks,
TJW
 
Old 02-21-2018, 02:59 PM   #4
MensaWater
LQ Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
Blog Entries: 15

Rep: Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668Reputation: 1668
Not sure what you mean by "there" and "the module". I'm assuming there should be a pam CONFIGURATION file somewhere under /etc/pam.d. My point was your message shows it is looking for a shared object/library under /etc/pam.d which isn't where I'd expect it to be. I was suggesting your CONFIGURATION file is specifying the wrong location for the .so file.

Since I've not used the software you're talking about I can't be certain where the .so file should be but suggested likely alternatives.

So first things first:
Does the file pam_securid.so exists on your server? (find / -name pam_securid.so).
Where does it exist?
What permissions are on it?
 
Old 02-21-2018, 05:22 PM   #5
rennen
LQ Newbie
 
Registered: Mar 2007
Location: Texas
Distribution: RHEL
Posts: 3

Original Poster
Rep: Reputation: 0
I had tried copying the pam_securid.so to the /etc/pam.d/ directory for 'testing'. I agree that a shared object should not exist in that directory, but I wanted to see what it did and why. Regardless, that was not the main issue. The core issue is that I do not have a 'local' user to auth my RSA user against since PowerBroker is managing my users.

Yes, the .so file exists in /lib64/security/ as expected and perms are good. I created a local user to match the RSA userID and the 'unable to open pam_securid.so' message went away. What I found out today from RSA is they do not support RHEL 6.9. They support RHEL 6.8...

I was able to get the 'sudo' pam module to work with that RSA object, but that is not a solution for my requirements.

I am scrapping the idea of using RSA for TFA all together now, and will be researching FreeOTP for TFA.
 
Old 02-21-2018, 10:55 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 7.7 (?), Centos 8.1
Posts: 17,847

Rep: Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584Reputation: 2584
I know that you can use ldap + https://duo.com/ + cisco anyconnect vpn to provide a TFA and secured cxn.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
TACACS+ and two factor authentication using RSA tokens jmassengill Linux - Software 0 01-14-2014 07:44 PM
RSA SecurID: RSA Web Agent, integration of RSA auth page Linux_Kidd General 1 08-28-2013 05:59 PM
PAM help (multi-factor SSH auth using RADIUS and LDAP) jg141 Linux - Security 0 04-17-2012 12:30 PM
SSH Rsa Auth fail... eluzi Linux - Security 4 03-13-2006 12:50 PM
SSH RSA Auth lil_drummaboy Linux - Networking 2 11-27-2005 06:42 PM

LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise

All times are GMT -5. The time now is 07:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration