As of PAM Agent version 8.1.2, installing the RSA SecurID authentication agent on Ubuntu 18.04 and 20.04 is supported. The installation is similar to that on SUSE Linux. We recently had a requirement to add multifactor authentication to all of our servers, so I installed this on all of them. It works very well so far.
Prepare to Install
I’m only going to install the agent on a single server at a time, as our environment isn’t that big. You can do a bulk install if you want, but I won’t cover that here. We’ll also be using the UDP protocol for authentication, not the REST protocol.
There are some requirements we need to get in order before we begin the install process.
Required files:
- sdconf.rec - This file specifies how the agent communicates with the primary and replica appliance instances by IP address.
  In the console go to Access -> Authentication Agents -> Generate Configuration File
- server.cer - This is the certificate from the Authentication Manager server that allows agent auto-registration.
  In the console go to Access -> Authentication Agents -> Download Server Certificate File
- Add a new Authentication Agent to the RSA Security Console.
  In the console go to Access -> Authentication Agents -> Add New
  Add the IP address or DNS name of the server here.
Installation and Configuration
Now that we have all of the files we need to continue, let’s get to installing.
The first thing we need to do is transfer the files to the server you’re working on. Use whatever file transfer process you like; personally I’ve been using WinSCP. Pick your poison.
- We’ll need to make the directory where the configuration files we downloaded earlier will live. We’ll be using the default locations for this guide. The directory name is /var/ace
  mkdir /var/ace
- Move sdconf.rec and server.cer to this folder.
  mv sdconf.rec server.cer /var/ace
- Create a file named sdopts.rec
  vi /var/ace/sdopts.rec
  Add the line CLIENT_IP=x.x.x.x, replacing x.x.x.x with the IP of the server you’re installing on. In our case, CLIENT_IP=10.15.10.150
  Save the file.
- Now let’s edit the sshd_config file. Below are the parameters we need to change:
  vi /etc/ssh/sshd_config
  UsePAM yes
  PasswordAuthentication no
  ChallengeResponseAuthentication yes
  systemctl restart sshd.service
- Now we actually get to install the agent!
  tar -xvf PAM-Agent_v8.1.3.139.04_19_21_01_39_13.tar
  cd PAM-Agent_v8.1.3.139.04_19_21_01_39_13
  sudo ./install_pam.sh
  I use all of the defaults going forward.
  - Accept the EULA.
  - Enter 0 to choose the UDP protocol.
  - Hit Enter to use /var/ace as the default directory.
  - Hit Enter to use /opt as the PAM agent install directory.
- Once the agent is installed, we need to add an option in the /etc/pam.d directory. We use MFA on SSH, so we’ll be configuring the sshd file in the pam.d directory.
  We want to add the line at the end of the sshd file! I had to do a bunch of trial and error on this one.
  cd /etc/pam.d
  sudo vi sshd
  Add line:
  auth required pam_securid.so
With all that configuration done, you should be good to go. The good news is that we’ve only configured MFA for SSH, so if you lock yourself out you can always access the server via the console and troubleshoot. If you do lock yourself out, just remove the “auth required pam_securid.so” line you added in step 6.
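As an added example (not part of the original post, and not RSA's installer), the following POSIX shell helpers apply the sshd_config, sdopts.rec and pam.d edits from the steps above idempotently and then verify the three sshd settings before you restart sshd. All paths are parameters so the helpers can be tried against a scratch directory first; the demo at the bottom uses constructed sample files and the post's 10.15.10.150 address. It assumes the whitespace-separated "Keyword value" form of sshd_config directives and does not handle Match blocks or Include drop-ins.

```shell
#!/bin/sh
# Added example: idempotent helpers for the sshd_config, sdopts.rec and
# /etc/pam.d/sshd edits described above, plus a verification check.
# Not part of the original post or the RSA installer. Paths are parameters so
# the helpers can be tried against a scratch directory first.
set -eu

# Step 3: write sdopts.rec with the agent's own address.
write_sdopts() {
    # $1 = path to sdopts.rec, $2 = this server's IP
    printf 'CLIENT_IP=%s\n' "$2" > "$1"
}

# Step 4: set one sshd_config keyword to a value. The first line for that
# keyword (active or commented out) is replaced, later duplicates are dropped,
# and the directive is appended if it was not there. Assumes the
# "Keyword value" form, not "Keyword=value", and no Match blocks.
set_sshd_option() {
    # $1 = sshd_config path, $2 = keyword, $3 = value
    cfg=$1; key=$2; val=$3
    awk -v k="$key" -v v="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indentation and a leading #
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the first active value for a keyword, lowercased (sshd uses the first
# occurrence). Stops at a Match block, since anything after it is conditional.
sshd_option_value() {
    # $1 = sshd_config path, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }
    ' "$1"
}

# Verify the three settings the agent needs before restarting sshd.
check_sshd_config() {
    # $1 = sshd_config path; returns 0 only if all three values are right
    [ "$(sshd_option_value "$1" UsePAM)" = "yes" ] &&
    [ "$(sshd_option_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_option_value "$1" ChallengeResponseAuthentication)" = "yes" ]
}

# Step 6: append the pam_securid line at the end of the PAM service file,
# once. Adds a newline first if the file does not end with one.
ensure_pam_line() {
    # $1 = PAM service file, e.g. /etc/pam.d/sshd
    if ! grep -Eq '^[ \t]*auth[ \t]+required[ \t]+pam_securid\.so' "$1"; then
        if [ -s "$1" ] && [ "$(( $(tail -c 1 "$1" | wc -l) ))" -eq 0 ]; then
            printf '\n' >> "$1"
        fi
        printf 'auth required pam_securid.so\n' >> "$1"
    fi
}

# Lockout recovery from the console: take the line out again.
remove_pam_line() {
    # $1 = PAM service file
    grep -Ev '^[ \t]*auth[ \t]+required[ \t]+pam_securid\.so' "$1" > "$1.tmp" || true
    mv "$1.tmp" "$1"
}

# Demonstration against a scratch directory with constructed sample files
# (an Ubuntu-style sshd_config with commented defaults and a minimal pam.d/sshd).
demo=$(mktemp -d)
printf '#PasswordAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n' \
    > "$demo/sshd_config"
printf '@include common-auth\n' > "$demo/sshd"
set_sshd_option "$demo/sshd_config" UsePAM yes
set_sshd_option "$demo/sshd_config" PasswordAuthentication no
set_sshd_option "$demo/sshd_config" ChallengeResponseAuthentication yes
write_sdopts "$demo/sdopts.rec" 10.15.10.150   # the sample address used in the post
ensure_pam_line "$demo/sshd"
if check_sshd_config "$demo/sshd_config"; then
    echo "sshd_config is ready for pam_securid:"
    cat "$demo/sshd_config" "$demo/sdopts.rec" "$demo/sshd"
fi
rm -rf "$demo"
```

Run it as-is to see the helpers work on the scratch copy; for a real host, point them at /etc/ssh/sshd_config and /etc/pam.d/sshd with sudo, then restart sshd. Because the helpers only read the one file, confirm the effective values with `sshd -T | grep -Ei 'usepam|passwordauthentication|challengeresponseauthentication'`, which resolves Include drop-ins and Match blocks the script ignores. Keep a console session or a second SSH session open until a fresh login with the token succeeds, so that `remove_pam_line` can be run if it does not.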