LinuxQuestions.org
Linux - Security
Old 06-04-2014, 03:27 PM   #1
jkamdar
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Rep: Reputation: Disabled
SSHing with RSA SecurID vs. Regular password


I have a Linux RH 6 server and have configured it for 2 factor authentication. All was fine until this morning, when a bunch of users tried to log in. The system is asking to change the password of his account.

I have changed the order of /etc/pam.d/system-auth, so pam_securid.so comes first, before pam_unix.so (please see below). I also rebooted the box, but it doesn't help.

auth required pam_env.so
auth sufficient pam_securid.so
auth sufficient pam_unix.so try_first_pass

Is there any other file I need to modify?

Thanks for your help.
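Added example (not from the thread or from any PAM source): a small model of how Linux-PAM walks an "auth" stack with the two control flags used in the posted system-auth lines, run over exactly those three lines. The module results (TOKEN_OK, PASSWORD_ONLY, BOTH_FAIL) and the contrasting TOKEN_REQUIRED_STACK are constructed assumptions, and pam_env's auth hook is assumed to return PAM_IGNORE.

```python
# Added example (not from the thread): a model of how Linux-PAM walks an "auth"
# stack with the control flags in jkamdar's system-auth. Model assumptions:
# "required" records a failure but keeps evaluating; "sufficient" ends the
# stack with success when its module succeeds and no earlier required module
# failed, otherwise it is skipped; a module returning PAM_IGNORE (None) counts
# for nothing.

POSTED_STACK = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_securid.so"),
    ("sufficient", "pam_unix.so"),
]

# Assumed alternative for contrast: the token is mandatory, not optional.
TOKEN_REQUIRED_STACK = [
    ("required", "pam_env.so"),
    ("required", "pam_securid.so"),
]

def run_auth_stack(stack, results):
    """results maps module -> True (success), False (failure) or None (ignored).
    Returns (outcome, modules consulted in order)."""
    positive = False          # some counted module has succeeded
    required_failed = False
    consulted = []
    for control, module in stack:
        consulted.append(module)
        res = results.get(module)
        if res is None:       # PAM_IGNORE: neither helps nor hurts
            continue
        if control == "required":
            if res:
                positive = True
            else:
                required_failed = True
        elif control == "sufficient":
            if res and not required_failed:
                return "success", consulted   # later modules never run
        else:
            raise ValueError("unsupported control flag: " + control)
    if required_failed or not positive:
        return "failure", consulted
    return "success", consulted

# Constructed scenarios; pam_env's auth hook is treated as ignored (assumption).
TOKEN_OK = {"pam_env.so": None, "pam_securid.so": True, "pam_unix.so": True}
PASSWORD_ONLY = {"pam_env.so": None, "pam_securid.so": False, "pam_unix.so": True}
BOTH_FAIL = {"pam_env.so": None, "pam_securid.so": False, "pam_unix.so": False}
```

With the posted stack a correct password alone still logs a user in when the token check fails, so the ordering does not make SecurID mandatory; and the change-password prompt comes from a different phase (pam_unix's account check against /etc/shadow aging), which the auth stack never touches.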
 
Old 06-04-2014, 09:41 PM   #2
lleb
Senior Member
 
Registered: Dec 2005
Location: Florida
Distribution: CentOS/Fedora/Pop!_OS
Posts: 2,983

Rep: Reputation: 551
If they are using ssh, would you not edit sshd.conf?

Also, as you are paying for RH support, I'd contact RH, as I'm 100% sure they will have the answer much faster than I can. Even their lowest support level is a 24hr response via e-mail. You are paying for it, use it.
 
Old 06-05-2014, 08:41 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote:
Originally Posted by jkamdar
I have a Linux RH 6 server and have configured for 2 factor authentication. All was fine until this morning, when bunch of users tried to login. System is asking to change the password of his account.
So did he try to change his password? And did he succeed?

This sounds like password aging in /etc/shadow and not a reason to change PAM.

If the PAM settings interfered with his password change that would be another matter but you haven't said that.
 
1 members found this post helpful.
Old 06-05-2014, 09:18 PM   #4
jkamdar
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
I will open a case with RH support but I was hoping to find a quick answer here.

So yes, as an administrator, I manually changed his password and now he can log back in using RSA SecurID, but my confusion is: if system-auth is looking for PAM authentication first, why would the system look for a password? Basically, I do not want the user to use a password at all; login should happen only using the PAM agent with SecurID.

If it's /etc/shadow, should I change /etc/login.defs and change password aging to be never?
 
Old 06-05-2014, 09:27 PM   #5
GaWdLy
Member
 
Registered: Feb 2013
Location: San Jose, CA
Distribution: RHEL/CentOS/Fedora
Posts: 457

Rep: Reputation: Disabled
I think linosaurusroot is right.

I believe the login.defs setting is 'PASS_MAX_DAYS 99999'.

There may yet be another setting that needs to be changed in pam, but I'm unsure at the moment.
 
Old 06-06-2014, 02:00 AM   #6
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
Quote:
Originally Posted by jkamdar
my confusion is with, if system-auth is looking for PAM authentication 1st, why would system look for password?
You wrote earlier you were using two factor authentication. That is why it wants both a password and a passcode from the token. If you remove either of those you have one factor authentication.
 
1 members found this post helpful.
Old 06-06-2014, 07:24 AM   #7
jkamdar
LQ Newbie
 
Registered: Jun 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
"You wrote earlier you were using two factor authentication. That is why it wants both a password and a passcode from the token. If you remove either of those you have one factor authentication."

What I meant by 2 factor authentication is ...the RSA SecurID token. It's 2 factor authentication by itself. I do want to and don't need password authentication at all. At the same time, I don't want to disable password authentication altogether. So the best I thought of was to prioritize in the /etc/pam.d/system-auth file, so it will ask for SecurID authentication first and, if it succeeds, won't ask for a password. Maybe it's asking to change the password because the password age limit has been reached, even though it continues authenticating using RSA SecurID. So once I change password aging to never, it won't expire the password and won't prompt for it. Sorry if I wasn't clear on what I was looking for.
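Added example (not from the thread) serving the password-aging diagnosis in posts #3, #5 and #7: given lines in /etc/shadow format, decide whether an account would be told to change its password at login. The field layout follows shadow(5); the sample lines and their hashes are constructed placeholders.

```python
# Added example (not from the thread): classify /etc/shadow entries by whether
# the account's password has aged out. shadow(5) layout, colon-separated:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved, with lastchg as
# days since 1970-01-01. Sample lines are constructed; hashes are placeholders.

SAMPLE_SHADOW = """\
alice:$6$PLACEHOLDERHASH:16000:0:90:7:::
bob:$6$PLACEHOLDERHASH:16220:0:99999:7:::
carol:$6$PLACEHOLDERHASH:0:0:99999:7:::
dave:!!:16220:0:90:7:::
"""

def password_status(shadow_line, today):
    """Return 'locked', 'must_change', 'expired' or 'ok'.
    today is a day count since the epoch, the same unit the file uses."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("not a shadow(5) line: %r" % shadow_line)
    name, hashed, lastchg, _min_days, max_days = fields[:5]
    if hashed.startswith(("!", "*")):
        return "locked"            # password login disabled for this account
    if lastchg == "0":
        return "must_change"       # admin forced a change at next login
    if lastchg == "" or max_days in ("", "99999"):
        return "ok"                # aging disabled, or "never expires"
    if today > int(lastchg) + int(max_days):
        return "expired"           # pam_unix's account phase demands a new password
    return "ok"

def report(shadow_text, today):
    """Map each user name in shadow_text to its password status."""
    return {line.split(":")[0]: password_status(line, today)
            for line in shadow_text.splitlines() if line}

if __name__ == "__main__":
    import datetime
    today = (datetime.date.today() - datetime.date(1970, 1, 1)).days
    for user, status in report(SAMPLE_SHADOW, today).items():
        print(user, status)
```

PASS_MAX_DAYS in /etc/login.defs only applies to accounts created after the change; for existing users the max field in /etc/shadow is what counts (chage -l shows it, chage -M sets it).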
 
Old 06-06-2014, 09:01 AM   #8
GaWdLy
Member
 
Registered: Feb 2013
Location: San Jose, CA
Distribution: RHEL/CentOS/Fedora
Posts: 457

Rep: Reputation: Disabled
Quote:
Originally Posted by jkamdar
"You wrote earlier you were using two factor authentication. That is why it wants both a password and a passcode from the token. If you remove either of those you have one factor authentication."

What I meant by 2 factor authentication is ...the RSA SecurID token. It's 2 factor authentication by itself. I do want to and don't need password authentication at all. At the same time, I don't want to disable password authentication altogether. So the best I thought of was to prioritize in the /etc/pam.d/system-auth file, so it will ask for SecurID authentication first and, if it succeeds, won't ask for a password. Maybe it's asking to change the password because the password age limit has been reached, even though it continues authenticating using RSA SecurID. So once I change password aging to never, it won't expire the password and won't prompt for it. Sorry if I wasn't clear on what I was looking for.
I missed it earlier, but linosaurusroot is correct.

RSA is not 2-factor by itself. 2-factor auth is 2 parts:

1- Something you know (i.e. password or PIN)
2- Something you don't (i.e. RSA token/gemalto/Yubico/etc.)

The absence of either part of the above 2 factors makes your "2 factor" auth invalid.

Have you looked into whether one of these solutions would allow you to abandon a 2-factor model for RSA-only?

http://www.emc.com/security/rsa-secu...ts/pam-7-1.htm
 
Old 06-10-2014, 11:18 AM   #9
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by GaWdLy
I missed it earlier, but linosaurusroot is correct.

RSA is not 2-factor by itself. 2-factor auth is 2 parts:

1- Something you know (i.e. password or PIN)
2- Something you don't (i.e. RSA token/gemalto/Yubico/etc.)

The absence of either part of the above 2 factors makes your "2 factor" auth invalid.

Have you looked into whether one of these solutions would allow you to abandon a 2-factor model for RSA-only?

http://www.emc.com/security/rsa-secu...ts/pam-7-1.htm
For RSA, you append the PIN onto the OTP, thus 2FA. Others, like google auth pam, do not allow it so you must use a password.

In general, I recommend you use pam-radius instead of proprietary plug-ins. Why? suppose you want to add two-factor authentication to your VPN? OpenVPN can use radius too. Same with Apache, and every business-class VPN. Same for every 2FA provider. So, if you want to switch from the expensive RSA tokens, you can without changing your PAM config.

Here's a pam-radius how-to: https://www.wikidsystems.com/support...-radius-how-to.
 
  

