SecureID RSA Authentication on Linux

How to Install SecureID RSA authentication.

What is RSA?


SecureID RSA Authentication is an essential access control in any IT deployment these days: RSA adds an additional layer of protection to your server infrastructure through multi-factor authentication. This guide focuses on RSA SSO (Single-Sign-On). For a successful installation you require 2 RSA appliances, preferably virtualized for added durability. Each of your servers will need the RSA Agent installed and configured to interact with your appliance.

With a strong RSA authentication appliance, users can control their own access management using a mobile device or a downloaded RSA desktop application.

The RSA Secure ID access Agent is available for the following operating systems. Please note that Windows is supported, but I will be focusing on Linux only in this guide:

  • Red Hat Enterprise Linux (RHEL) 6.8 – 6.10 (32-bit and 64-bit)
  • RHEL 7.1 – 7.5 (64-bit)
  • CentOS 7.5 (64-bit)
  • Oracle Linux 6.8 – 6.10 (64-bit)
  • Oracle Linux 7.3 – 7.5 (64-bit)
  • SUSE Linux Enterprise Server 11 SP3 – SP4 (32-bit and 64-bit)
  • SUSE Linux Enterprise Server 12 – 12 SP3 (64-bit)
  • SUSE Linux Enterprise Server 15 (64-bit)
  • Solaris SPARC 10 (32-bit and 64-bit); RSA recommends Update 8 or later
  • Solaris SPARC 10.5 (32-bit and 64-bit) with Zones
  • Solaris SPARC 11.2 (32-bit and 64-bit)
  • Solaris x86 10.5 Update 11 (32-bit)
  • Solaris x86 11.2 (32-bit)
  • AIX 7.1 TL3 (SP5) Power 6 (32-bit and 64-bit)
  • AIX 7.2 TL1 (SP2) Power 8 (32-bit and 64-bit)

How to install RSA SSO Agent on Linux Distributions

Please note: this process has been installed and tested on Red Hat 6.9 (Santiago), Red Hat 7.3 (Maipo) and CentOS 7.4.
This service allows two-factor authentication using an RSA passcode and the user's password.

Step 1 – Installation Prerequisites:

Please take some time to read and understand the prerequisites of the RSA agent installation:

  • The user must have an account on the Linux server
  • After installation, changes must be made to the following files (outlined later); this requires root or a sudo-privileged user:
Bash
/etc/ssh/sshd_config
/etc/pam.d/sshd
/etc/sd_pam.conf

Step 2 – Configure the RSA SecureID Authentication Server

Log onto your RSA Appliance server and complete the following tasks:

  • The LINUX server IP address MUST be manually added to the RSA Authentication server.
    (In the security console, click Access > Authentication Agents > Add New)

  • A copy of the RSA Authentication Manager certificate is required.
    (In the security console, click Access > Authentication Agents > Download Server Certificate File)

  • Generated Configuration File (AM_Config.zip) from the RSA Security Console.
    (In the security console, click Access > Authentication Agents > Generate Configuration File)

Please note: to speed up the process I recommend unzipping the AM_Config.zip downloaded in the tasks above before you transfer it to the server.

Step 3 – Transfer the Installation files and config to the Linux Server

Transfer your files to the Linux server. You may wish to do this using SCP or some form of FTP client, such as FileZilla or WinSCP. If you are using macOS, I recommend The Unarchiver.

RSA PAM package (PAM-Agent_v8.0.0.195.11_23_17_04_55_23.tar)
(https://community.rsa.com/community/products/securid/authentication-agent-pam)

Step 4 – Prepare the Linux Server

Log onto the Linux server using SSH, preferably with a sudo (root-privileged) account.

Create /var/ace directory on the server host

Bash
sudo mkdir /var/ace

Create the Authentication Manager configuration file, sdopts.rec

Bash
sudo touch /var/ace/sdopts.rec

Add the server host IP address to sdopts.rec

Bash
sudo vim /var/ace/sdopts.rec

The sdopts.rec file only needs one line:

CLIENT_IP=x.x.x.x

where x.x.x.x is the IP address of the host machine.

Copy the server.cer file (the certificate downloaded in Step 2) and the sdconf.rec file (from the unzipped AM_Config.zip) to the /var/ace folder

Bash
sudo cp server.cer sdconf.rec /var/ace

Install two packages on the server to ensure the RSA PAM package will work.

Bash
sudo yum install selinux-policy-devel
Bash
sudo yum install policycoreutils-python

Please note: the second package (policycoreutils-python) should be pulled in as a dependency when the first is installed. You can verify this in the install output of the selinux-policy-devel package.

Step 5 – Install the PAM Authentication Agent

To install the PAM RSA Agent v8.0 or greater, browse to the path you downloaded the files to in Step 3 (for example, /tmp/)

Extract the PAM Agent tar file

Bash
tar xvf PAM-Agent_v8.0.0.195.11_23_17_04_55_23.tar

Navigate to the newly created folder and install the agent

For Example:

Bash
cd PAM-Agent_v8.0.0.195.11_23_17_04_55_23
sudo sh ./install_pam.sh

You will now be asked to accept a license agreement.  Scroll to the end of the agreement (space bar).  Type A to accept. Press RETURN.  During the installation, you will be asked a series of questions regarding the install path, authentication mode and

  1. Select which operation mode you would like to configure for authentication [0/1/2] :
    Choose option 0 (RSA Authentication Manager with the UDP Protocol)
  2. Enter Directory where sdconf.rec is located [/var/ace] :
    <RETURN> (the sdconf.rec file should be located in the /var/ace folder from previous step)
  3. Please enter the root path for the RSA Authentication Agent for PAM directory [/opt] :
    <RETURN>

Once successful, the install will output the following:

The RSA Authentication Agent for PAM 8.0.0 [195] will be installed in the /opt directory.

Bash
 pam/
 pam/conf/
 pam/conf/mfa_api_template.properties
 pam/conf/log.properties
 pam/lib/
 pam/lib/32bit/
 pam/lib/32bit/libpamrest32.so
 pam/lib/32bit/liblog4cxx.so.10.0.0
 pam/lib/32bit/pam_securid.so
 pam/lib/64bit/
 pam/lib/64bit/liblog4cxx.so.10.0.0
 pam/lib/64bit/libpamrest.so
 pam/lib/64bit/pam_securid.so
 pam/bin/
 pam/bin/32bit/
 pam/bin/32bit/acetest
 pam/bin/32bit/ns_conv_util
 pam/bin/32bit/acestatus
 pam/bin/64bit/
 pam/bin/64bit/acetest
 pam/bin/64bit/ns_conv_util
 pam/bin/64bit/acestatus

Checking /etc/sd_pam.conf:
VAR_ACE does not exist - entry will be appended
OPERATION_MODE does not exist - entry will be appended
RSATRACELEVEL does not exist - entry will be appended
RSATRACEDEST does not exist - entry will be appended
ENABLE_USERS_SUPPORT does not exist - entry will be appended
INCL_EXCL_USERS does not exist - entry will be appended
LIST_OF_USERS does not exist - entry will be appended
PAM_IGNORE_SUPPORT_FOR_USERS does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS does not exist - entry will be appended
Checking /var/ace/conf/mfa_api.properties:
REST_URL does not exist - entry will be appended
CLIENT_KEY does not exist - entry will be appended
CA_CERT_FILE_PATH does not exist - entry will be appended
CLIENT_ID does not exist - entry will be appended
CONNECT_TIMEOUT does not exist - entry will be appended
READ_TIMEOUT does not exist - entry will be appended
MAX_RETRIES does not exist - entry will be appended

*****************************************************************************
* You have successfully installed RSA Authentication Agent 8.0.0 [195] for PAM
*****************************************************************************

Please note:  If SELinux is enabled, the output may include SELinux-related information.


Step 6 – Configure PAM

Change /etc/pam.d/sshd

Bash
vi /etc/pam.d/sshd

Add the following lines to the sshd PAM file:

Bash
auth      required              pam_securid.so
auth      required              pam_unix.so

Comment out the other auth required lines with #, for example:

Bash
auth                  required              pam_sepermit.so

Change the sshd_config file

Bash
vi /etc/ssh/sshd_config

Set the following parameters and save the changes:

Bash
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
UsePrivilegeSeparation no

Please note: this file may look different with each version of Linux and also depending on whether SELinux is enabled.

Change the /etc/sd_pam.conf file

Bash
vi /etc/sd_pam.conf

Set the following values:

Bash
ENABLE_USERS_SUPPORT=1
LIST_OF_USERS=root
PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1

Once you have modified the above files, restart the SSHD service.

IMPORTANT NOTICE:

DO NOT close the terminal / SSH window! If there is a misconfiguration you could potentially lock yourself out of the system altogether.

To restart the service in Red Hat 6

Bash
sudo service sshd restart

To restart the service in Red Hat 7

Bash
sudo systemctl restart sshd.service
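Before restarting sshd, it is worth checking that the three files hold exactly the values this step sets. The script below is an added example, not part of this article or of the RSA agent; the helper names (sshd_opt, kv_opt, pam_line, check_config) are hypothetical, and it runs here against constructed sample files rather than the live /etc paths.

```shell
#!/bin/sh
# Pre-flight check for the values this guide sets in sshd_config, /etc/sd_pam.conf
# and /etc/pam.d/sshd. Hypothetical helper, not part of the RSA agent: run it in
# your still-open session before restarting sshd so a typo cannot lock you out.

# First active (uncommented) value of KEY in an sshd_config-style file.
# sshd honours the first occurrence, so a duplicate further down is ignored.
sshd_opt() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Value of KEY in a KEY=VALUE file such as /etc/sd_pam.conf.
kv_opt() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1
}

# Line number of the first active 'auth required MODULE' entry in a PAM file.
pam_line() {
    grep -n "^[[:space:]]*auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*$2" "$1" | head -n 1 | cut -d: -f1
}

# check_config SSHD_CONFIG SD_PAM_CONF PAMD_SSHD
# Prints every mismatch; returns 0 only when all three files match the guide.
check_config() {
    rc=0
    for pair in "PasswordAuthentication no" "ChallengeResponseAuthentication yes" \
                "UsePAM yes" "UsePrivilegeSeparation no"; do
        key=${pair% *}; want=${pair#* }; got=$(sshd_opt "$1" "$key")
        [ "$got" = "$want" ] || { echo "$1: $key is '${got:-unset}', want $want"; rc=1; }
    done
    for pair in ENABLE_USERS_SUPPORT=1 PAM_IGNORE_SUPPORT_FOR_USERS=1 PAM_IGNORE_SUPPORT=1; do
        key=${pair%=*}; want=${pair#*=}; got=$(kv_opt "$2" "$key")
        [ "$got" = "$want" ] || { echo "$2: $key is '${got:-unset}', want $want"; rc=1; }
    done
    # pam_securid.so must be an active 'auth required' line and sit before pam_unix.so
    securid=$(pam_line "$3" pam_securid.so); unix=$(pam_line "$3" pam_unix.so)
    if [ -z "$securid" ] || [ -z "$unix" ] || [ "$securid" -gt "$unix" ]; then
        echo "$3: need 'auth required pam_securid.so' before 'auth required pam_unix.so'"; rc=1
    fi
    return $rc
}

# Constructed sample files standing in for the live ones.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\nUsePrivilegeSeparation no\n' > "$tmp/sshd_config"
printf 'ENABLE_USERS_SUPPORT=1\nLIST_OF_USERS=root\nPAM_IGNORE_SUPPORT_FOR_USERS=1\nPAM_IGNORE_SUPPORT=1\n' > "$tmp/sd_pam.conf"
printf 'auth      required              pam_securid.so\nauth      required              pam_unix.so\n#auth     required              pam_sepermit.so\n' > "$tmp/pam_sshd"
check_config "$tmp/sshd_config" "$tmp/sd_pam.conf" "$tmp/pam_sshd" && echo "config OK"
```

Point check_config at /etc/ssh/sshd_config, /etc/sd_pam.conf and /etc/pam.d/sshd on the host to run it for real. On OpenSSH 7.5 and later sshd reports UsePrivilegeSeparation as a deprecated option and ignores it, so on newer distributions that key can be dropped from the list.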

Step 8 – Testing

During the installation, the PAM installer will add the following tools to /opt/pam/bin/64bit:

Bash
./acestatus
./acetest
./ns_conv_util

To test the RSA Authentication module, type:

Bash
./acetest

You should be presented with:

Enter USERNAME:
(e.g. Joe.Bloggs)

Enter PASSCODE:
(using your RSA soft token, enter your PIN and the generated code)

If all of the details are entered correctly, you should receive the following message:

Authentication Successful.

Step 9 – Live Tests

Once you have achieved a successful test, open up a new SSH session to test the two-factor authentication. During this phase, you should be asked to enter your:

USERNAME: PASSCODE : PASSWORD

You should now have gained access to the required server.

Troubleshooting:

If your testing was unsuccessful, please check the following logs.

Cat or tail /var/log/secure to view the RSA log entries:

Bash
sudo tail -f /var/log/secure

Review the entries within the log to ensure the details you enter are correct.

If your “live” login fails, the logs within the RSA Security Console can be reviewed using the Authentication Monitor.

Adding Exceptions:

There are many circumstances where you will need to give a user account an exception: the root account, a backup service or any other system service that needs sudo root access.

Note the entry within the /etc/sd_pam.conf file:

Bash
vim /etc/sd_pam.conf

Look for the line:

LIST_OF_USERS=root

This section allows you to enter system users that shouldn't require two-factor authentication. The above example shows the root user. This list can contain as many users as necessary.

Important: users must be separated by a colon (:)

For Example:

LIST_OF_USERS=root:nagios:contabuser

Certain system functions may require access to the root user (rsync, for example), so it would be beneficial to exclude this user.
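Editing the colon-separated list by hand is easy to get wrong (a missing colon, a duplicated name, or matching nagios when you meant nagiosadmin). The script below is an added example, not part of this article or of the RSA agent; the function names are hypothetical and it works on a constructed copy of /etc/sd_pam.conf rather than the live file.

```shell
#!/bin/sh
# Helper for the LIST_OF_USERS exception list in /etc/sd_pam.conf. Hypothetical
# script, not an RSA tool; it takes the file path as an argument so you can try
# it on a copy before touching the live file.

# Print the colon-separated LIST_OF_USERS as one name per line.
excluded_users() {
    sed -n 's/^LIST_OF_USERS=//p' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Exact-match test (-x -F): "nagios" must not be satisfied by "nagiosadmin".
is_excluded() {
    excluded_users "$1" | grep -qxF -- "$2"
}

# Append USER to LIST_OF_USERS with a colon separator. Creates the line if the
# file has none, leaves every other line untouched, never duplicates a name.
add_excluded_user() {
    if is_excluded "$1" "$2"; then return 0; fi
    tmp="$1.tmp.$$"
    awk -v u="$2" '
        /^LIST_OF_USERS=/ { found = 1; sep = ($0 == "LIST_OF_USERS=") ? "" : ":"; print $0 sep u; next }
        { print }
        END { if (!found) print "LIST_OF_USERS=" u }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample file standing in for /etc/sd_pam.conf.
conf=$(mktemp)
printf 'ENABLE_USERS_SUPPORT=1\nLIST_OF_USERS=root\nPAM_IGNORE_SUPPORT=1\n' > "$conf"
add_excluded_user "$conf" nagios
add_excluded_user "$conf" contabuser
add_excluded_user "$conf" nagios     # already present: no change
grep '^LIST_OF_USERS=' "$conf"       # LIST_OF_USERS=root:nagios:contabuser
```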

That’s it, thanks for taking the time to read this article. If you have any questions or feedback, please write in the comment section below.

Richard.Bailey

Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.


7 Responses

  1. Michael says:

    Wanting to know if this will work with git? We have a GitLab server and a user wanting to use RSA Secure ID with it.

    • No, RSA doesn't work very well with CI/CD servers. You can implement MFA for your users to access the GitLab server, but it wouldn't be advisable to implement RSA on the server itself, simply because you will break all your pipelines. Instead, consider implementing something like OIDC, which uses keys and passwords directly with your provider's IAM configuration. It's the most secure way to achieve a secure GitLab server.

  2. Josh says:

    Hey, can you implement RSA on a RHEL 8 system utilising LDAP? Meaning instead of just local users being challenged for MFA, users connected through Active Directory are also challenged with SecureID.

