I have a Linux RH 6 server and have configured it for 2 factor authentication. All was fine until this morning, when a bunch of users tried to log in. The system is asking them to change the password of their account.
I have changed the order of /etc/pam.d/system-auth, so pam_securid.so comes first, before pam_unix.so (please see below). I also rebooted the box but it doesn't help.
If they are using ssh, would you not edit sshd.conf?
Also, as you are paying for RH support, I'd contact RH, as I'm 100% sure they will have the answer much faster than I can. Even their lowest support level is 24hr response via e-mail. You are paying for it, use it.
I have a Linux RH 6 server and have configured it for 2 factor authentication. All was fine until this morning, when a bunch of users tried to log in. The system is asking them to change the password of their account.
So did he try to change his password? And did he succeed?
This sounds like password aging in /etc/shadow and not a reason to change PAM.
If the PAM settings interfered with his password change that would be another matter but you haven't said that.
I will open a case with RH support, but I was hoping to find a quick answer here.
So yes, as an administrator, I manually changed his password and now he can log back in using RSA SecurID, but my confusion is this: if system-auth is looking for PAM authentication first, why would the system look for a password? Basically, I do not want users to use a password at all... login should happen only through the PAM agent using SecurID.
If it's /etc/shadow, should I change /etc/login.defs and set password aging to never?
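The "change your password" prompt comes from the account stack, where pam_unix.so compares the /etc/shadow aging fields against today's date, regardless of which module ran first in the auth stack. The script below is an added example (not from this thread or from any RSA or Red Hat documentation): it applies the same rule pam_unix.so uses (password expired when today - lastchg > max; lastchg of 0 forces a change; an empty or 99999 max never expires) to a few constructed /etc/shadow lines so an admin can see which accounts will be prompted before users hit it. The account names and hashes are made up.

```shell
#!/bin/sh
# Constructed sample lines in /etc/shadow format (fake accounts, fake hashes).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg and the comparison value are days since the Unix epoch.
SAMPLE_SHADOW='alice:$6$xyz:15000:0:90:7:::
bob:$6$abc:16000:0:99999:7:::
carol:$6$def:0:0:90:7:::
dave:$6$ghi:16000:0:90:7:::'

# Days since the epoch, the unit /etc/shadow stores (and what pam_unix compares).
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_password_status LINE TODAY
# Prints one of: forced-change, never-expires, expired, ok
# Mirrors pam_unix.so's account check: lastchg == 0 forces a change at next
# login; an empty max (chage -M -1) or 99999 means no aging; otherwise the
# password is expired once more than max days have passed since lastchg.
shadow_password_status() {
    line=$1
    today=$2
    lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
    max=$(printf '%s\n' "$line" | cut -d: -f5)
    if [ "$lastchg" = "0" ]; then
        echo "forced-change"
    elif [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo "never-expires"
    elif [ $(( today - lastchg )) -gt "$max" ]; then
        echo "expired"
    else
        echo "ok"
    fi
}

# list_prompted SHADOW_TEXT TODAY
# Prints the names of accounts that will be asked to change their password
# at next login (expired or forced-change), one per line.
list_prompted() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%%:*}
        case "$(shadow_password_status "$line" "$2")" in
            expired|forced-change) echo "$name" ;;
        esac
    done
}

# Stand-alone run against the constructed sample with a fixed "today"
# (day 16050 since the epoch) so the output is reproducible.
list_prompted "$SAMPLE_SHADOW" 16050
```

On a real box the same check is `chage -l username`; `chage -M -1 username` disables aging for one existing account, while PASS_MAX_DAYS in /etc/login.defs only affects accounts created afterwards. Reordering the auth lines in system-auth does not change this, because pam_unix.so in the account section is what enforces the aging fields.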
My confusion is this: if system-auth is looking for PAM authentication first, why would the system look for a password?
You wrote earlier you were using two factor authentication. That is why it wants both a password and a passcode from the token. If you remove either of those you have one factor authentication.
"You wrote earlier you were using two factor authentication. That is why it wants both a password and a passcode from the token. If you remove either of those you have one factor authentication."
What I meant by 2 factor authentication is the RSA SecurID token. It's 2 factor authentication by itself. I don't want and don't need password authentication at all. At the same time, I don't want to disable password authentication altogether. So the best I thought was to prioritize in the /etc/pam.d/system-auth file, so it will ask for SecurID authentication first and, if it succeeds, won't ask for a password. Maybe it's asking to change the password because the password age limit has been reached, even though it continues authenticating using RSA SecurID. So once I change password aging to never, it won't expire the password and won't prompt for it. Sorry if I wasn't clear on what I was looking for.
I missed it earlier, but linosaurusroot is correct.
RSA is not 2-factor by itself. 2-factor auth is 2 parts:
1. Something you know (i.e. password or PIN)
2. Something you don't (i.e. RSA token/Gemalto/Yubico/etc.)
The absence of either part of the above 2 factors makes your "2 factor" auth invalid.
Have you looked into whether one of these solutions would allow you to abandon a 2-factor model for RSA-only?
For RSA, you append the PIN onto the OTP, thus 2FA. Others, like google auth pam, do not allow it so you must use a password.
In general, I recommend you use pam-radius instead of proprietary plug-ins. Why? Suppose you want to add two-factor authentication to your VPN: OpenVPN can use RADIUS too. Same with Apache, and every business-class VPN. Same for every 2FA provider. So, if you want to switch from the expensive RSA tokens, you can without changing your PAM config.