The Pre-Requisites:
- OS CentOS 5
- RSA Authentication Agent for PAM 6.0
- RSA Agent Host record configured
First, we make the VAR_ACE directory:
Centos # mkdir /var/ace
Centos # chown root:root /var/ace
Centos # chmod 700 /var/ace
Next we create the install directory under /opt (optional):
Centos # mkdir /opt/ace
Centos # chown root:root /opt/ace
Now we install the Authentication Agent:
Centos # VAR_ACE=/var/ace; export VAR_ACE
Centos # tar xf AuthenticationAgent_60_PAM_95_060308.tar
Centos # ./install.sh
Follow the prompts, answering as necessary. At this point you should run a quick test to ensure SecurID is installed and working:
Centos # /opt/ace/pam/bin/acetest
Enter USERNAME:
Enter PASSCODE:
Authentication successful.
Centos #
Now we need to configure sshd to use SecurID:
Centos # vi /etc/pam.d/ssh
We comment out the first line:
#auth include system-auth
And add the following line:
auth required pam_securid.so
At this point, if you attempt to ssh in to the system you will NOT be able to. Looking at the logs you should see something like:
Oct 8 12:36:28 centos sshd[26923]: PAM [error: /lib/security/pam_securid.so: cannot restore segment prot after reloc: Permission denied]
Oct 8 12:36:28 centos sshd[26923]: PAM adding faulty module: /lib/security/pam_securid.so
A quick Google search will show you that this is due to SELinux running in enforcing mode. Now there are two options:
1) Turn off SELinux enforcement (switch to permissive mode): /usr/sbin/setenforce 0
2) Properly configure enforcement profile for the PAM module
Centos # ls --scontext /lib/security/pam_securid.so
system_u:object_r:lib_t /lib/security/pam_securid.so
To work properly, the pam_securid module needs permission to perform text relocation. To allow this, we relabel it with the SELinux type that permits text relocation:
Centos # chcon -t textrel_shlib_t /lib/security/pam_securid.so
Centos # ls --scontext /lib/security/pam_securid.so
system_u:object_r:textrel_shlib_t /lib/security/pam_securid.so
Once that is done, you should be up and running with SecurID for SSH access.
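To confirm the fix took effect without locking yourself out, the checks described above can be scripted. This is an added example, not part of the original write-up or of RSA's agent; the function names and the sample file names are assumptions, and the sample inputs are embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): checks for the SELinux/PAM failure above.

# Module paths sshd marked as faulty in a syslog file ($1).
faulty_pam_modules() {
    sed -n 's/.*sshd\[[0-9]*]: PAM adding faulty module: \(.*\)$/\1/p' "$1" | sort -u
}

# Module paths whose load was refused with the text-relocation denial.
textrel_denied_modules() {
    sed -n 's/.*PAM \[error: \(.*\): cannot restore segment prot after reloc: Permission denied]$/\1/p' "$1" | sort -u
}

# SELinux type (third colon-separated field) from one line of `ls --scontext` output.
context_type() {
    printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'
}

# Succeeds only if the PAM service file ($1) has an active pam_securid auth line
# and no active "auth include system-auth" line.
securid_auth_configured() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securid\.so' "$1" &&
        ! grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$1"
}

# Sample inputs: the two PAM error lines and the two auth lines are the ones shown
# on this page; the third log line and the "account" line are constructed.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/secure" <<'EOF'
Oct 8 12:36:28 centos sshd[26923]: PAM [error: /lib/security/pam_securid.so: cannot restore segment prot after reloc: Permission denied]
Oct 8 12:36:28 centos sshd[26923]: PAM adding faulty module: /lib/security/pam_securid.so
Oct 8 12:41:07 centos sshd[27001]: Connection closed by 192.0.2.10
EOF
cat > "$SAMPLE_DIR/pam_ssh" <<'EOF'
#auth include system-auth
auth required pam_securid.so
account include system-auth
EOF

echo "faulty modules:  $(faulty_pam_modules "$SAMPLE_DIR/secure")"
echo "textrel denials: $(textrel_denied_modules "$SAMPLE_DIR/secure")"
echo "context type:    $(context_type 'system_u:object_r:textrel_shlib_t /lib/security/pam_securid.so')"
securid_auth_configured "$SAMPLE_DIR/pam_ssh" && echo "PAM auth stack:  pam_securid active"
```

On a real host, point the first two functions at the system's auth log and pass the output of `ls --scontext /lib/security/pam_securid.so` to `context_type`; keep an existing root session open while testing SSH logins.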