RSA SecurID Config Q
 

rhel 5.x

so, getting the RSA agent crud installed onto rhel, and, configuring PAM stack to use the securid.so is easy, but does each SecurID user need a local account (using useradd) before they can get a shell via SSH ?

Yes, unless the RSA agent has the capability to handle the account requests (not the case, I believe). Or you can use ldap.

As a side note, I would recommend against using the proprietary RSA .so. Instead, use pam-radius or pam-ldap. Pam-radius should be just as easy to set up and configure and you get the added benefit of being able to switch two-factor authentication providers without having to do make any changes on your hosts. Here is a doc on how to do it: http://www.wikidsystems.com/support/...-radius-how-to (written for our 2FA solution, but just ignore our bits).

The other benefit is including your directory in the authentication process for authorization. If you use radius, you can run send the transaction to AD or LDAP via the MS radius plugin NPS and Freeradius, respectively. This configuration means that any user that is disabled in the directory can no longer log in remotely either. You don't want to have to disable users in two places. Also, directory admins would not also need to be admins on your 2FA server.

HTH,

Nick

yeah, well, unfortunately this RSA solution is provided as a managed security service and the service does not have ability to tie back into customer's AD. its something i wanted but simply cant have.

so, on each nix box a UID is created for the user and then "passwd -l uid" ??

is there a way to give SSH authenticated users (auth via RSA) a shell w/o having to create full local account on each system. the idea is to keep local accounts to a minimum, etc.