RSA SecurID Submethod
RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of Keyboard-Interactive authentication.
Please familiarize yourself with the RSA ACE/Server (RSA Authentication Manager) documentation before reading further.
The prerequisite for enabling SecurID support in SSH Tectia Server is that RSA ACE/Agent (RSA Authentication Agent) software (installed also with ACE/Server installation) is installed on the host and that the SecurID user is able to authenticate using the RSA-provided sdshell program on this particular agent host. Note that on RSA ACE/Agent 5.x installations, the RSA-provided ACE/Agent library file is required. The operating-system-specific file can be found on the RSA ACE/Agent Authentication API 5.0.x CD-ROM provided with the RSA ACE/Server 5.0 and 5.1 distributions.
In the instructions below, the /top directory refers to the RSA ACE/Agent installation directory.
RSA SecurID Plugins
The SecurID plugins are automatically installed with the SSH Tectia Server (M) package. No separate installation is necessary.
In order to use the v5 SecurID plugin, the RSA-provided ACE/Agent library file has to be in the library path when the plugin is executed by SSH Tectia Server. A good way to make sure the v5 plugin finds the library is to create a symlink pointing to the library (assuming the library is in /ACEpath/lib/sol/libaceclnt.so):
$ ln -s /ACEpath/lib/sol/libaceclnt.so /usr/lib
The location of the library depends on the platform. Refer to your RSA ACE documentation.
Configuring SSH Tectia Server for SecurID Support
The server will allow all users to login using SecurID, when the keyboard-interactive authentication method and its submethod plugin are listed among the authentication methods and the AuthKbdInt.Plugin points to the appropriate plugin executable in the main server configuration file sshd2_config.
To enable RSA SecurID support on the server side, include the following lines in the /etc/ssh2/sshd2_config file:
AllowedAuthentications keyboard-interactive
...
AuthKbdInt.Optional plugin
AuthKbdInt.Plugin ssh-securidv5-plugin
|
The lines are valid for RSA ACE/Agent 5. For RSA ACE/Agent 4, the last line should be:
AuthKbdInt.Plugin ssh-securidv4-plugin
|
On the client side, include the following line in the /etc/ssh2/ssh2_config file:
AllowedAuthentications keyboard-interactive
|
In SSH Tectia Client, keyboard-interactive is allowed by default. Note that the Secure Shell client controls the order in which the authentication methods are attempted. The least interactive method should usually be listed first.
However, SSH Tectia Server controls the order of keyboard-interactive submethods. If several AuthKbdInt.Optional or AuthKbdInt.Required methods are listed in the sshd2_config file, they should be specified in the order you wish the client to attempt them.
Using SSH Tectia Server with the SecurID Plugin
Do the following:
- Check that the user's shell is not
/<top>/ace/prog/sdshell before you run the sshd2 daemon. This will prevent the user from authenticating twice with SecurID, first when logging in with Secure Shell and a second time when the user is allocated a shell. - Check that the
VAR_ACE environment variable is set and points to the directory that contains the sdconf.rec file). The variable has to be set before starting sshd2, and its value is typically /<top>/ace/data.
# export VAR_ACE=/<top>/ace/data
- In case RSA ACE/Agent 5.x is used, ensure that the shared library file
libaceclnt is found in the library path (for example, /usr/lib. Alternatively, you could add the directory to your /etc/ld.so.conf on platforms that use it). - Restart the server as instructed in Section Starting the Server.
Note: SSH Communications Security does not provide technical support on how to configure RSA ACE/Server. Our support only covers SSH Tectia applications.
