RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication.
The prerequisite for enabling SecurID support in SSH Tectia Server is that RSA Authentication Agent software (previously RSA ACE/Agent) is installed on the server host. When RSA SecurID is used, SSH Tectia Server queries the user for the token's numerical code and passes the code to RSA Authentication Agent for verification. RSA Authentication Agent then returns the success or failure of the authentication to SSH Tectia Server.
RSA SecurID authentication provides two different authentication agents/:
- RSA Authentication Agent for PAM (versions 5.3.4 and 6.0.0)
- RSA Authentication Agent for UNIX (version 5.2 )
The SSH Tectia Server configuration needs different settings depending on which RSA Authentication Agent is used. For configuration examples, see Configuring RSA Authentication Agent for Unix and Configuring RSA Authentication Agent for PAM.
To use SecurID authentication, you should be familiar with the operation of RSA Authentication Manager (previously RSA ACE/Server).
For the SecurID authentication to work with SSH Tectia Server on Unix, the RSA Authentication Agent
libaceclnt.so library has to be available in the
/usr/lib directory (alternatively
The following example shows the settings required in the
ssh-server-config.xml file for keyboard-interactive authentication using the SecurID submethod:
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive max-tries="3" failure-delay="2"> <submethod-securid /> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
dll-path attribute is not required. SSH Tectia Server locates the libraries automatically.
When you want to use keyboard-interactive authentication using the RSA Authentication Agent for PAM, make the following settings in the
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive> <submethod-pam /> </auth-keyboard-interactive> ... </authentication> </authentication-methods>
In addition, create a symlink for
libpam as follows:
ln -s /lib/libpam.so.0 /lib/libpam.so
/etc/pam.d/ssh-server-g3 file containing:
auth required /lib/security/pam_securid.so acccount required /lib/security/pam_pwdb.so session required /lib/security/pam_pwdb.so
For more information, see the separate RSA SecurID Ready Implementation Guide for SSH Tectia, available from the RSA web site (http://www.rsasecured.com/).
SSH Communications Security does not provide technical support on how to configure RSA Authentication Manager (RSA ACE/Server). Our support only covers SSH Tectia applications.