This guide records how I installed the RSA PAM Agent v7.0.0.484.10_12_10_05_06_01 on AIX 6.1 and AIX 7.1.
Prepare the System
The RSA PAM Agent requires the following:
- at least AIX 6.1 TL5 (SP2)
- RSA Authentication Manager v6.1.2, 7.1 SP2 or 7.1 SP3
- the sdconf.rec file from the RSA Authentication Manager, stored in /var/ace on the server
The agent can be configured for the following services:
- telnet
- login
- rlogin
- su
- ssh, sftp, scp
- sudo (at least v1.7.3)
Switch AIX to PAM authentication by setting auth_type = PAM_AUTH in the usw stanza of /etc/security/login.cfg. In this file the symbol * comments out the whole line, as opposed to the usual # symbol, so the original STD_AUTH line is kept as a comment for reference:

usw:
        shells = ...
        maxlogins = 32767
        logintimeout = 60
        maxroles = 8
*auth_type = STD_AUTH
        auth_type = PAM_AUTH
Installation of PAM Agent
Go to the path where the PAM agent installer resides, unpack it and run the installer:

# tar -xvf PAM-Agent_v7.0.0.484.10_12_10_05_06_01.tar
# cd PAM-Agent_v7.0.0.484.10_12_10_05_06_01
# ./install_pam.sh

Provide the correct path to sdconf.rec and press
Configuration of PAM Control
Configure PAM so that sshd tries RSA SecurID first and falls back to the local AIX authentication (pam_aix) when the SecurID module does not return success:

bash-3.2# grep sshd /etc/pam.conf
sshd auth sufficient pam_securid.so
sshd auth required pam_aix
sshd account sufficient pam_securid.so
sshd account required pam_aix
sshd password sufficient pam_securid.so
sshd password required pam_aix
sshd session sufficient pam_securid.so
sshd session required pam_aix

Note what "sufficient" means here: a successful passcode ends the auth stack immediately, but a failed (or ignored) pam_securid.so result is not an error by itself, and the stack continues to the required pam_aix, which then accepts the UNIX password on its own. That is exactly what makes the group-based fallback described below work, but it also means that a user who is supposed to use a token can still log in with only the UNIX password if the SecurID check fails. Use "required" (or "requisite") for pam_securid.so instead if the token must be mandatory for everyone.
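To see the difference between "sufficient" and "required" in practice, here is an added example that is not part of the original post or of the RSA agent: a small POSIX shell simulator of the PAM auth-stack control flags, run against the sshd lines from the post and a stricter variant. The stack files, the "strict" variant and the per-module results are constructed for the example; the control-flag semantics are the standard PAM ones.

```shell
#!/bin/sh
# Added example (not from the original post or RSA's agent): simulate the
# "auth" stack of one PAM service for given per-module results, to check what
# the sshd stack does when pam_securid.so fails. Semantics implemented:
#   required   - failure is recorded, the stack continues
#   requisite  - failure ends the stack at once
#   sufficient - success ends the stack at once unless a required module has
#                already failed; failure is ignored
#   optional   - result ignored
# A module result of "ignore" stands for PAM_IGNORE (what the agent returns
# for users outside the listed groups); every control flag just continues.

# pam_auth_outcome CONF SERVICE MODULE=ok|fail|ignore ...  ->  prints ok|fail
pam_auth_outcome() {
    conf=$1; svc=$2; shift 2
    results=$*
    final=""    # "" = undecided so far, "fail" = a required module failed
    seen=0
    while read -r s type ctl mod rest; do
        case $s in ''|'#'*) continue ;; esac
        [ "$s" = "$svc" ] && [ "$type" = auth ] || continue
        seen=1
        r=fail      # a module with no supplied result is treated as failing
        for kv in $results; do
            if [ "${kv%%=*}" = "$mod" ]; then r=${kv#*=}; fi
        done
        if [ "$r" = ignore ]; then continue; fi
        case "$ctl:$r" in
            required:fail)  final=fail ;;
            requisite:fail) echo fail; return 0 ;;
            sufficient:ok)  [ "$final" = fail ] || { echo ok; return 0; } ;;
            *) ;;   # required:ok, requisite:ok, sufficient:fail, optional:*
        esac
    done < "$conf"
    # an empty stack is a failure, as in a real PAM library
    if [ "$seen" = 0 ] || [ "$final" = fail ]; then echo fail; else echo ok; fi
}

# Constructed sample stacks: the sshd lines from the post and a strict variant.
PAM_FALLBACK=$(mktemp)
PAM_STRICT=$(mktemp)
trap 'rm -f "$PAM_FALLBACK" "$PAM_STRICT"' EXIT
cat > "$PAM_FALLBACK" <<'EOF'
# sshd: SecurID first, UNIX password as fallback (as in the post)
sshd auth sufficient pam_securid.so
sshd auth required pam_aix
sshd account sufficient pam_securid.so
sshd account required pam_aix
EOF
cat > "$PAM_STRICT" <<'EOF'
# sshd: token mandatory, UNIX password checked in addition
sshd auth required pam_securid.so
sshd auth required pam_aix
EOF

# Walk through the cases that matter for the fallback design.
for case_ in "pam_securid.so=ok pam_aix=fail" \
             "pam_securid.so=fail pam_aix=ok" \
             "pam_securid.so=ignore pam_aix=ok" \
             "pam_securid.so=ignore pam_aix=fail"; do
    printf '%-36s fallback=%-4s strict=%s\n' "$case_" \
        "$(pam_auth_outcome "$PAM_FALLBACK" sshd $case_)" \
        "$(pam_auth_outcome "$PAM_STRICT" sshd $case_)"
done
```

The second case is the one to look at: with the post's stack, a wrong passcode followed by a correct UNIX password still yields "ok", whereas the strict stack fails. The "ignore" cases show that the group fallback behaves the same either way.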
Configuration of RSA PAM Agent
Configure the RSA PAM Agent in /etc/sd_pam.conf to use group control and to log the authentications:
- Set "RSATRACELEVEL=1" to enable logging.
- Set "RSATRACEDEST=/var/log/rsa_authlog" to name the file to log to.
- Set "ENABLE_GROUP_SUPPORT=1" to enable group support.
- Set "PAM_IGNORE_SUPPORT_FOR_USERS=0" to authenticate by UNIX if a user is not SecurID-authenticated due to user exclusion support.
- Set "INCL_EXCL_GROUPS=1" to prompt for SecurID authentication for the listed groups.
- Set "LIST_OF_GROUPS=other:wheel:staff" to list those groups (colon-separated).
- Set "PAM_IGNORE_SUPPORT=1" to authenticate by UNIX if a user is not SecurID-authenticated due to their group membership.
- Set "AUTH_CHALLENGE_PASSWORD_STR=Enter your UNIX PASSWORD :" so that the prompt clearly asks for the account password.

Enable logging of all RSA logins via syslogd in /etc/syslog.conf:

# AUTHENTICATION LOG
auth.info /var/log/authlog rotate files 12 time 30d compress

Refresh syslogd for the change to take effect:

# refresh -s syslogd
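Because LIST_OF_GROUPS decides who gets a token prompt and who is let in with a UNIX password only, it is worth checking the effect for every account before going live. The following is an added example, not part of the original post or of the RSA agent: a POSIX shell script that reads the group settings from an sd_pam.conf-style file plus group and passwd files and reports which method each user would get. The conf excerpt, group file and passwd file are constructed for the example. It assumes INCL_EXCL_GROUPS=1 means the listed groups are the ones prompted for SecurID (as described above) and 0 means the listed groups are the ones excluded; the exact semantics of the agent's own settings should be checked against its documentation.

```shell
#!/bin/sh
# Added example (not from the original post or RSA's agent): decide, from the
# group settings of an sd_pam.conf-style file, whether a user would be sent to
# SecurID or left to the UNIX password. Membership counts both the primary
# group in passwd and the member list in the group file.
# ASSUMPTION: INCL_EXCL_GROUPS=1 -> listed groups are prompted for SecurID,
#             INCL_EXCL_GROUPS=0 -> listed groups are excluded from SecurID,
#             ENABLE_GROUP_SUPPORT=0 -> everyone is prompted.

# conf_get FILE KEY -> value of the last "KEY=value" line
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# user_in_group USER GROUP GROUPFILE PASSWDFILE -> exit 0 if member
user_in_group() {
    u=$1; g=$2; gf=$3; pf=$4
    gid=""
    while IFS=: read -r gname _pw ggid members; do
        if [ "$gname" != "$g" ]; then continue; fi
        gid=$ggid
        case ",$members," in *",$u,"*) return 0 ;; esac    # supplementary member
    done < "$gf"
    if [ -z "$gid" ]; then return 1; fi                     # no such group
    while IFS=: read -r pname _pw _uid pgid _rest; do       # primary group?
        if [ "$pname" = "$u" ] && [ "$pgid" = "$gid" ]; then return 0; fi
    done < "$pf"
    return 1
}

# auth_method USER CONF GROUPFILE PASSWDFILE -> prints securid|unix
auth_method() {
    u=$1; conf=$2; gf=$3; pf=$4
    if [ "$(conf_get "$conf" ENABLE_GROUP_SUPPORT)" != 1 ]; then
        echo securid; return 0
    fi
    groups=$(conf_get "$conf" LIST_OF_GROUPS)
    old_ifs=$IFS; IFS=:; set -- $groups; IFS=$old_ifs      # split on ':'
    listed=0
    for g in "$@"; do
        if user_in_group "$u" "$g" "$gf" "$pf"; then listed=1; fi
    done
    if [ "$(conf_get "$conf" INCL_EXCL_GROUPS)" = 1 ]; then
        if [ "$listed" = 1 ]; then echo securid; else echo unix; fi
    else
        if [ "$listed" = 1 ]; then echo unix; else echo securid; fi
    fi
}

# Constructed sample files: the settings from the post plus a few accounts.
SD_PAM_CONF=$(mktemp); GROUP_FILE=$(mktemp); PASSWD_FILE=$(mktemp)
trap 'rm -f "$SD_PAM_CONF" "$GROUP_FILE" "$PASSWD_FILE"' EXIT
cat > "$SD_PAM_CONF" <<'EOF'
# constructed sd_pam.conf excerpt
ENABLE_GROUP_SUPPORT=1
INCL_EXCL_GROUPS=1
LIST_OF_GROUPS=other:wheel:staff
PAM_IGNORE_SUPPORT=1
EOF
cat > "$GROUP_FILE" <<'EOF'
system:!:0:root
staff:!:1:foo
wheel:!:2:foo,alice
other:!:3:
apps:!:200:appacct
EOF
cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
foo:!:201:1::/home/foo:/usr/bin/ksh
alice:!:202:200::/home/alice:/usr/bin/ksh
bob:!:203:3::/home/bob:/usr/bin/ksh
appacct:!:204:200::/home/appacct:/usr/bin/ksh
EOF

for name in foo alice bob appacct; do
    printf '%-8s -> %s\n' "$name" \
        "$(auth_method "$name" "$SD_PAM_CONF" "$GROUP_FILE" "$PASSWD_FILE")"
done
```

Running it against the real /etc/sd_pam.conf, /etc/group and /etc/passwd (as the last three arguments) over the output of `cut -d: -f1 /etc/passwd` gives a quick list of every account that would bypass the token; "bob" above is the case people tend to miss, a member of a listed group only through the primary GID in passwd.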
Configuration of SSHD
Edit the sshd configuration file at /etc/ssh/sshd_config:
- Set "UsePAM yes" to use PAM authentication.
- Set "PasswordAuthentication no" to disable sshd's own password authentication; the password prompts are handled by the PAM stack set up in pam.conf instead.
- Set "ChallengeResponseAuthentication yes" so that the PAM prompts (passcode, PIN change, UNIX password) are sent to the client via keyboard-interactive authentication.
- Set "UsePrivilegeSeparation no". Be aware that this turns off a hardening feature of sshd (the unprivileged child that handles the network side), so leave it disabled only if the agent does not work with it enabled.

Restart sshd for the change to take effect:

# stopsrc -s sshd; startsrc -s sshd
# lssrc -s sshd

Please make sure you back up before changing any configuration files. You have been warned. If you mess up your AIX host, log in through the HMC and open a terminal console.
Test
Communication with the RSA server test:

bash-3.2# /opt/pam/bin/32bit/acestatus
RSA ACE/Server Limits
---------------------
Configuration Version : 14
Client Retries : 5
Client Timeout : 5
DES Enabled : Yes

RSA ACE/Static Information
--------------------------
Service : securid
Protocol : udp
Port Number : 5500

RSA ACE/Dynamic Information
---------------------------
Server Release : 7.1.2.0
Communication : 5

RSA ACE/Server List
-------------------
Server Name : sec-server.com
Server Address : 10.10.10.22
Server Active Address : 10.10.10.22
Master : Yes
Slave : No
Primary : Yes
Usage : Available for Authentications
------------------------------------------------------------------------------
Server Name : sec-server2.com
Server Address : 10.10.10.23
Server Active Address : 10.10.10.23
Master : No
Slave : No
Primary : No
Usage : Available for Authentications

Basic RSA test using the foo account:

bash-3.2# /opt/pam/bin/32bit/acetest
Enter USERNAME: foo
Enter PASSCODE:
Authentication successful.

RSA test over ssh for an account that is a member of group "wheel" or "staff":

~$ ssh foo@myserver
Enter PASSCODE:
Last unsuccessful login: Tue May 10 14:09:32 SGT 2011 on ssh from 10.10.10.2
Last login: Tue May 10 14:17:54 SGT 2011 on /dev/pts/1 from 10.10.10.2
...
...
$ ^D
Connection to myserver closed.

Accounts that are not members of group "wheel" or "staff" are authenticated "normally", with the UNIX password only:

~$ ssh appacct@myserver
Enter your UNIX PASSWORD:
Last unsuccessful login: Wed May 25 10:42:05 SGT 2011 on ssh from 10.10.10.2
Last login: Wed May 25 10:44:03 SGT 2011 on /dev/pts/2 from 10.10.10.2
...
...

When your PIN expires, the RSA server prompts you to change it:

bash-3.2# ssh foo@myserver
Enter PASSCODE:
To continue you must enter a new PIN.
Are you ready to enter a new PIN? (y/n) [n]: y
Enter a new PIN of 8 alphanumeric characters:
Re-enter new PIN to confirm:
New PIN accepted, press enter to continue.
Enter PASSCODE:
Enter PASSCODE:
1 unsuccessful login attempt since last login.
Last unsuccessful login: Wed May 25 10:09:17 SGT 2011 on ssh
Last login: Wed May 25 10:07:58 SGT 2011 on /dev/pts/1 from 10.10.10.2
...
...