LinuxQuestions.org
Old 06-17-2014, 09:21 PM   #1
vladguan
RSA SecurID Authentication Question


Hi All,

I am in the process of testing RSA authentication using a sample pack from EMC. We have a Windows 2008R2 and Linux network. I have set up the RSA manager and have also set up a test Windows PC for testing and have also modified the DC. All works fine in the Windows environment. I can log in with just a domain password for a non-challenged user and can also log in with passcode and then domain password for a challenged user.

I have also set up a RHEL 5.4 box for testing. I have joined it to the Windows domain and can log in as a domain user using domain credentials. I then tried setting up the RSA bit and have it working as follows:

1. I can SSH into it as root (using the reserve parameter).
2. I can SSH into it as a challenged user using the passcode only.
3. However, I cannot log in as an un-challenged user. It keeps asking for a password (with the prompt as specified in the sd_pam.conf file).

Ideally, I would like the Linux version to work the same as the Windows PC version and can deal with no root access. I just cannot seem to get the pam.d/sshd file configured correctly.

The following sshd file allows the root and challenged user to login (without domain password, just passcode):
Code:
auth required pam_securid.so reserve debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
The following sshd file does not allow root to login but does work with challenged users' passcode followed by domain password:
Code:
auth required pam_securid.so reserve debug
auth sufficient pam_winbind.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
Can anyone suggest what configuration will allow non-challenged users to login with domain password and challenged users to login with passcode, followed by domain password?

Thanks in advance,

Vlad
 
Old 06-18-2014, 12:31 AM   #2
vladguan
Got it working. Had PasswordAuthentication set to yes in sshd_config.
 
Old 06-18-2014, 12:59 AM   #3
vladguan
I spoke too soon. Basically, password authentication fails for non-secured challenged users. Domain credentials work without SecurID for all users but fail with SecurID for non-challenged users.

Anyone know how to fix this? Basically, it seems that for non-challenged users it is performing Linux authentication (hence it works for root, as I have the reserve keyword), so it fails for domain users.

TIA,
Vlad

Last edited by vladguan; 06-18-2014 at 02:42 AM.
 
Old 06-22-2014, 01:45 PM   #4
btmiller
I set something like this up a while back (although it was with user credentials stored in LDAP instead of AD). I did something like the following in my PAM stack:

Code:
auth        required                        pam_env.so
auth        [success=3 default=ignore]      pam_unix.so nullok try_first_pass
auth        requisite                       pam_succeed_if.so uid >= 500 quiet
auth        [success=1 default=ignore]      pam_sss.so use_first_pass
auth        requisite                       pam_deny.so
auth        sufficient                      pam_succeed_if.so user notingroup wheel
auth        sufficient                      pam_securid.so reserve
Basically, what I wanted to do was require administrators who can use su/sudo (who are in group wheel) to use two-factor authentication, while non-admin users can just use their regular password. If you wanted everyone to use RSA authentication, you would remove the pam_succeed_if line. We access our LDAP authentication via sssd, so the basic logic of this PAM stack is that if the user can authenticate either by *nix login credentials (for a couple of special-purpose accounts) or through sssd (which calls LDAP and could call AD too, if we wanted to go that route), then they skip over the pam_deny. Otherwise, that pam_deny line boots them off. Then, if they're not in the wheel group, they get let in; otherwise they have to use the RSA SecurID token.

Note: we use pam_securid rather than pam_loginuid, as this was what I found in the (IMO rather confusing and convoluted) RSA documentation when this was set up.
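To make the control-flag logic of that stack concrete, here is an added example (my own code, not from the post, LinuxQuestions or RSA) that traces which modules each kind of login consults, using the control semantics documented in pam.conf(5) with stubbed module results. It assumes pam_env's auth result is ignorable and that the [success=N default=ignore] form acts as "ok" plus a skip; it also shows that, because the requisite pam_succeed_if line already records a success, a wheel member whose SecurID check fails still reaches the end of the stack with a positive result unless a closing `auth required pam_deny.so` is appended (STACK_GUARDED below).

```python
from typing import Callable, List, Tuple

# control -> (action on success, action on failure) per pam.conf(5); int N = "ok" plus skip N modules
CONTROLS = {"required": ("ok", "bad"), "requisite": ("ok", "die"),
            "sufficient": ("done", "ignore"),
            "success=3": (3, "ignore"), "success=1": (1, "ignore")}

# The auth stack as posted, as (control, module) pairs; STACK_GUARDED adds the usual closing deny.
STACK: List[Tuple[str, str]] = [
    ("required",   "pam_env"),
    ("success=3",  "pam_unix"),
    ("requisite",  "pam_succeed_if uid>=500"),
    ("success=1",  "pam_sss"),
    ("requisite",  "pam_deny"),
    ("sufficient", "pam_succeed_if notingroup wheel"),
    ("sufficient", "pam_securid"),
]
STACK_GUARDED = STACK + [("required", "pam_deny")]

def run_stack(stack, outcome: Callable[[str], str]) -> Tuple[bool, List[str]]:
    """outcome(module) -> 'success' | 'fail' | 'ignore'. Returns (granted, modules consulted)."""
    consulted, verdict, i = [], None, 0                  # verdict: None (unset), True or False
    while i < len(stack):
        control, mod = stack[i]
        res = outcome(mod)
        consulted.append(mod)
        action = "ignore" if res == "ignore" else CONTROLS[control][res != "success"]
        if action in ("ok", "done") or isinstance(action, int):
            verdict = True if verdict is None else verdict  # a success never undoes a recorded failure
            if isinstance(action, int):
                i += action                              # jump over the next N modules
            elif action == "done" and verdict:
                break                                    # sufficient: stop, user is in
        elif action in ("bad", "die"):
            verdict = False
            if action == "die":
                break                                    # requisite: stop, user is out
        i += 1
    return verdict is True, consulted

def login(local_pw, domain_pw, in_wheel, token, sys_uid=False, stack=STACK):
    """Constructed outcomes for one SSH login attempt; sys_uid marks a local account with uid < 500."""
    results = {"pam_env": "ignore", "pam_deny": "fail",
               "pam_unix": "success" if local_pw else "fail",
               "pam_succeed_if uid>=500": "fail" if sys_uid else "success",
               "pam_sss": "success" if domain_pw else "fail",
               "pam_succeed_if notingroup wheel": "fail" if in_wheel else "success",
               "pam_securid": "success" if token else "fail"}
    return run_stack(stack, results.__getitem__)
```

Calling login(False, True, True, False) returns granted with the stack as posted, while the same call with stack=STACK_GUARDED is denied; the other scenarios (non-admin domain user, local root, wrong passwords) behave as the post describes in both variants.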
 
Old 07-01-2014, 11:27 PM   #5
vladguan
For anyone with this issue in the future, I got it working. I went to RHEL 6.5 as well. I had to set the User and Group support in the sd_pam.conf to 1 to return PAM_IGNORE. I then configured sshd to auth pam_securid.so first, followed by auth pam_unix.so try_first_pass and finally followed by auth pam_winbind use_first_pass. This way, challenged domain users log in with passcode, non-challenged domain users log in with domain password and local users (like root) log in with their local credentials.
 
  

