Sunday, September 11, 2011

How to configure RSA 2FA Authentication for AIX

This guide records how I installed RSA's PAM Agent v7.0.0.484.10_12_10_05_06_01 on AIX 6.1 and AIX 7.1.

Prepare the System

The RSA PAM Agent requires the following:
  • at least AIX 6.1 TL5 (SP2)
  • RSA Authentication Manager v6.1.2, 7.1 SP2 or 7.1 SP3
  • the sdconf.rec file from the RSA Authentication Manager, stored at /var/ace on the server
The following tools are supported:
  • telnet
  • login
  • rlogin
  • su
  • ssh, sftp, scp
  • sudo (at least v1.7.3)
You may have a 64-bit OS, but only 32-bit PAM agent binaries are available, so only 32-bit tools are supported.

Configuration of Login Control

Enable PAM authentication in AIX by changing the authentication method to PAM in /etc/security/login.cfg:
usw:
        shells = ...  ...
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
        *auth_type = STD_AUTH
        auth_type = PAM_AUTH
In login.cfg, the symbol * comments out a whole line, as opposed to the usual # symbol.

Installation of PAM Agent

Go to the path where the PAM agent installer resides and run the installer:
# tar -xvf PAM-Agent_v7.0.0.484.10_12_10_05_06_01.tar
# cd PAM-Agent_v7.0.0.484.10_12_10_05_06_01
# ./install_pam.sh
Provide the correct path to sdconf.rec and press Enter. For subsequent installation prompts, press Enter to accept the default value, or enter the appropriate value. Check that the "VAR_ACE" variable in /etc/sd_pam.conf points to the correct location of sdconf.rec. sdconf.rec should have permission 600 and ownership root:root.

Configuration of PAM Control

Configure PAM so that sshd authenticates through BOTH the RSA SecurID module and the local AIX module:
bash-3.2# grep sshd /etc/pam.conf
sshd    auth      sufficient      pam_securid.so
sshd    auth      required        pam_aix
sshd    account   sufficient      pam_securid.so
sshd    account   required        pam_aix
sshd    password  sufficient      pam_securid.so
sshd    password  required        pam_aix
sshd    session   sufficient      pam_securid.so
sshd    session   required        pam_aix

Configuration of RSA PAM Agent

Configure the RSA PAM Agent to use group control and enable logging of authentication in /etc/sd_pam.conf:
Set "RSATRACELEVEL=1" to enable logging.
Set "RSATRACEDEST=/var/log/rsa_authlog" to choose the file to log to.
Set "ENABLE_GROUP_SUPPORT=1" to enable group support.
Set "PAM_IGNORE_SUPPORT_FOR_USERS=0" to authenticate by UNIX if a user is not SecurID authenticated due to user exclusion support.
Set "INCL_EXCL_GROUPS=1" to prompt for SecurID authentication for the listed groups.
Set "LIST_OF_GROUPS=other:wheel:staff" to define the list of groups.
Set "PAM_IGNORE_SUPPORT=1" to authenticate by UNIX if a user is not SecurID authenticated due to their group membership.
Set "AUTH_CHALLENGE_PASSWORD_STR=Enter your UNIX PASSWORD :" so the prompt for the account password is clearer.
Enable logging of all RSA logins via syslogd in /etc/syslog.conf:
# AUTHENTICATION LOG
auth.info               /var/log/authlog rotate files 12 time 30d compress
Refresh syslogd for the change to take effect:
# refresh -s syslogd

Configuration of SSHD

Edit the sshd configuration file at /etc/ssh/sshd_config.
Set "UsePAM yes" to use PAM authentication.
Set "PasswordAuthentication no" to disable sshd's own password authentication; authentication is handled by the stack configured in pam.conf.
Set "ChallengeResponseAuthentication yes".
Set "UsePrivilegeSeparation no".
Restart sshd for the changes to take effect:
# stopsrc -s sshd; startsrc -s sshd
# lssrc -s sshd
Please make sure you back up before changing any configuration files. You have been warned. If you mess up your AIX host, log in through the HMC and open a terminal console.
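To check that the files edited above actually carry the settings this guide describes, here is a small audit script. It is an added example, not the RSA agent's or the post's own tooling; every path is passed as an argument, and make_sample_tree writes constructed copies of the files (mirroring the snippets above) so it can be exercised without an AIX host.

```shell
#!/bin/sh
# Audit of the settings this guide edits. Added example, not part of the
# original post; every path is an argument so it runs on the host or a copy.
# kv FILE KEY: value of the last uncommented "KEY = VALUE" line (login.cfg, sd_pam.conf)
kv() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }
# sshd_kv FILE KEY: value of the last "Key value" line in sshd_config
sshd_kv() { awk -v k="$2" 'tolower($1)==tolower(k){v=$2} END{print v}' "$1"; }
ok()  { echo "ok   $1"; }
bad() { echo "FAIL $1"; fails=$((fails + 1)); }

# check_rsa_pam LOGIN_CFG SD_PAM_CONF PAM_CONF SSHD_CONFIG -> returns number of failed checks
check_rsa_pam() {
  fails=0
  # AIX only consults PAM when the usw: stanza says so (a "*" comments the old line out)
  [ "$(kv "$1" auth_type)" = PAM_AUTH ] && ok "login.cfg: auth_type = PAM_AUTH" \
    || bad "login.cfg: auth_type is not PAM_AUTH"
  # sdconf.rec must sit where VAR_ACE points, mode 600 (ownership is checked by hand)
  rec="$(kv "$2" VAR_ACE)/sdconf.rec"
  [ -f "$rec" ] && ok "sd_pam.conf: $rec present" || bad "sd_pam.conf: $rec missing"
  [ "$(ls -l "$rec" 2>/dev/null | cut -c1-10)" = "-rw-------" ] \
    && ok "$rec is mode 600" || bad "$rec is not mode 600"
  # group control: SecurID for LIST_OF_GROUPS members, UNIX password for everyone else
  for k in ENABLE_GROUP_SUPPORT INCL_EXCL_GROUPS PAM_IGNORE_SUPPORT; do
    [ "$(kv "$2" $k)" = 1 ] && ok "sd_pam.conf: $k=1" || bad "sd_pam.conf: $k is not 1"
  done
  [ -n "$(kv "$2" LIST_OF_GROUPS)" ] && ok "sd_pam.conf: LIST_OF_GROUPS set" \
    || bad "sd_pam.conf: LIST_OF_GROUPS is empty"
  # sshd auth stack: pam_securid.so (sufficient) must come before pam_aix (required)
  case "$(awk '$1=="sshd" && $2=="auth" {s=s $3 ":" $4 " "} END{print s}' "$3")" in
    "sufficient:pam_securid.so required:pam_aix "*) ok "pam.conf: sshd auth stack order" ;;
    *) bad "pam.conf: sshd auth stack is not securid (sufficient) then pam_aix (required)" ;;
  esac
  # sshd must hand authentication to PAM instead of checking passwords itself
  for pair in UsePAM:yes PasswordAuthentication:no ChallengeResponseAuthentication:yes; do
    k=${pair%%:*}; want=${pair#*:}
    [ "$(sshd_kv "$4" "$k")" = "$want" ] && ok "sshd_config: $k $want" \
      || bad "sshd_config: $k is not $want"
  done
  return "$fails"
}

# make_sample_tree DIR: constructed copies of the files, mirroring the snippets in this guide
make_sample_tree() {
  mkdir -p "$1/ace" && : > "$1/ace/sdconf.rec" && chmod 600 "$1/ace/sdconf.rec"
  printf 'usw:\n\t*auth_type = STD_AUTH\n\tauth_type = PAM_AUTH\n' > "$1/login.cfg"
  printf 'VAR_ACE=%s/ace\nENABLE_GROUP_SUPPORT=1\nINCL_EXCL_GROUPS=1\n' "$1" > "$1/sd_pam.conf"
  printf 'LIST_OF_GROUPS=other:wheel:staff\nPAM_IGNORE_SUPPORT_FOR_USERS=0\nPAM_IGNORE_SUPPORT=1\n' >> "$1/sd_pam.conf"
  printf 'sshd\tauth\tsufficient\tpam_securid.so\nsshd\tauth\trequired\tpam_aix\n' > "$1/pam.conf"
  printf 'UsePAM yes\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n' > "$1/sshd_config"
}
```

On the live host run it as check_rsa_pam /etc/security/login.cfg /etc/sd_pam.conf /etc/pam.conf /etc/ssh/sshd_config; a non-zero exit means at least one of the settings above is missing.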

Test

Test communication with the RSA server:
bash-3.2# /opt/pam/bin/32bit/acestatus

RSA ACE/Server Limits
---------------------
        Configuration Version : 14      Client Retries : 5
        Client Timeout : 5              DES Enabled : Yes

RSA ACE/Static Information
--------------------------
        Service : securid       Protocol : udp  Port Number : 5500

RSA ACE/Dynamic Information
---------------------------
        Server Release : 7.1.2.0        Communication : 5

RSA ACE/Server List
-------------------
        Server Name :           sec-server.com
        Server Address :        10.10.10.22
        Server Active Address : 10.10.10.22
        Master : Yes    Slave : No      Primary : Yes
        Usage : Available for Authentications
------------------------------------------------------------------------------
        Server Name :           sec-server2.com
        Server Address :        10.10.10.23
        Server Active Address : 10.10.10.23
        Master : No     Slave : No      Primary : No
        Usage : Available for Authentications
Basic RSA test using the foo account:
bash-3.2# /opt/pam/bin/32bit/acetest
Enter USERNAME: foo
Enter PASSCODE:
Authentication successful.
RSA test over ssh for an account that is a member of group "wheel" or "staff":
~$ ssh foo@myserver
Enter PASSCODE:
Last unsuccessful login: Tue May 10 14:09:32 SGT 2011 on ssh from 10.10.10.2
Last login: Tue May 10 14:17:54 SGT 2011 on /dev/pts/1 from 10.10.10.2
...
...
$ ^D
Connection to myserver closed.
Accounts that are not members of group "wheel" or "staff" are authenticated "normally":
~$ ssh appacct@myserver
Enter your UNIX PASSWORD:
Last unsuccessful login: Wed May 25 10:42:05 SGT 2011 on ssh from 10.10.10.2
Last login: Wed May 25 10:44:03 SGT 2011 on /dev/pts/2 from 10.10.10.2
…
…
When your PIN expires, the RSA server will prompt you to change it:
bash-3.2# ssh foo@myserver
Enter PASSCODE:
To continue you must enter a new PIN.
Are you ready to enter a new PIN? (y/n) [n]: y
Enter a new PIN of 8 alphanumeric characters:
Re-enter new PIN to confirm:
New PIN accepted, press enter to continue.
Enter PASSCODE:
Enter PASSCODE:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Wed May 25 10:09:17 SGT 2011 on ssh
Last login: Wed May 25 10:07:58 SGT 2011 on /dev/pts/1 from 10.10.10.2
...
...
