RSA SecurID Submethod
RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In SSH Tectia, support for RSA SecurID is enabled as a submethod of Keyboard-Interactive authentication.
Please familiarize yourself with the RSA ACE/Server (RSA Authentication Manager) documentation before reading further.
The prerequisite for enabling SecurID support in SSH Tectia Server is that the RSA ACE/Agent (RSA Authentication Agent) software (also installed as part of an ACE/Server installation) is installed on the host, and that the SecurID user is able to authenticate using the RSA-provided sdshell program on this particular agent host. Note that on RSA ACE/Agent 5.x installations, the RSA-provided ACE/Agent library file is required. The operating-system-specific file can be found on the RSA ACE/Agent Authentication API 5.0.x CD-ROM provided with the RSA ACE/Server 5.0 and 5.1 distributions.
In the instructions below, the /<top> directory refers to the RSA ACE/Agent installation directory.
RSA SecurID Plugins
The SecurID plugins are automatically installed with the SSH Tectia Server (M) package. No separate installation is necessary.
In order to use the v5 SecurID plugin, the RSA-provided ACE/Agent library file has to be in the library path when the plugin is executed by SSH Tectia Server. A good way to make sure the v5 plugin finds the library is to create a symlink pointing to the library (assuming the library is in /ACEpath/lib/sol/libaceclnt.so):
$ ln -s /ACEpath/lib/sol/libaceclnt.so /usr/lib
The location of the library depends on the platform. Refer to your RSA ACE documentation.
Configuring SSH Tectia Server for SecurID Support
The server allows all users to log in using SecurID when the keyboard-interactive authentication method and its submethod plugin are listed among the authentication methods, and AuthKbdInt.Plugin points to the appropriate plugin executable in the main server configuration file sshd2_config.
To enable RSA SecurID support on the server side, include the following lines in the /etc/ssh2/sshd2_config file:
AllowedAuthentications keyboard-interactive
...
AuthKbdInt.Optional plugin
AuthKbdInt.Plugin ssh-securidv5-plugin
The lines are valid for RSA ACE/Agent 5. For RSA ACE/Agent 4, the last line should be:
AuthKbdInt.Plugin ssh-securidv4-plugin
On the client side, include the following line in the /etc/ssh2/ssh2_config file:
AllowedAuthentications keyboard-interactive
In SSH Tectia Client, keyboard-interactive is allowed by default. Note that the Secure Shell client controls the order in which the authentication methods are attempted. The least interactive method should usually be listed first.
However, SSH Tectia Server controls the order of keyboard-interactive submethods. If several AuthKbdInt.Optional or AuthKbdInt.Required methods are listed in the sshd2_config file, they should be specified in the order you wish the client to attempt them.
Using SSH Tectia Server with the SecurID Plugin
Do the following:
- Check that the user's shell is not /<top>/ace/prog/sdshell before you run the sshd2 daemon. This prevents the user from having to authenticate twice with SecurID: first when logging in with Secure Shell, and a second time when the user is allocated a shell.
- Check that the VAR_ACE environment variable is set and points to the directory that contains the sdconf.rec file. The variable has to be set before starting sshd2, and its value is typically /<top>/ace/data:
  # export VAR_ACE=/<top>/ace/data
- If RSA ACE/Agent 5.x is used, ensure that the shared library file libaceclnt is found in the library path (for example, /usr/lib). Alternatively, you could add the directory to your /etc/ld.so.conf on platforms that use it.
- Restart the server as instructed in Section Starting the Server.
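Added example (not part of the SSH Tectia documentation): a POSIX sh script that performs the checks above before sshd2 is started. It assumes the /<top> directory is passed as TOP, that the login shell is read from a passwd-format file (path given as an optional argument, defaulting to /etc/passwd), and that VAR_ACE is set in the environment where the script runs.

```shell
# Pre-flight checks for the SecurID submethod, to run before starting sshd2.
# TOP is the RSA ACE/Agent installation directory (/<top> in the manual).

# shell_not_sdshell USER TOP [PASSWD_FILE]
# Returns 0 if USER exists and the login shell is not TOP/ace/prog/sdshell.
shell_not_sdshell() {
    user="$1"; top="$2"; passwd="${3:-/etc/passwd}"
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    [ -n "$shell" ] && [ "$shell" != "$top/ace/prog/sdshell" ]
}

# var_ace_ok DIR
# Returns 0 if DIR (the intended VAR_ACE value) exists and holds sdconf.rec.
var_ace_ok() {
    [ -n "$1" ] && [ -d "$1" ] && [ -f "$1/sdconf.rec" ]
}

# libaceclnt_found [DIR...]
# Returns 0 if libaceclnt.so is in one of DIR..., or, with no arguments,
# in /usr/lib or any LD_LIBRARY_PATH entry (needed by the v5 plugin).
libaceclnt_found() {
    dirs="$*"
    [ -n "$dirs" ] || dirs="/usr/lib $(printf '%s' "$LD_LIBRARY_PATH" | tr ':' ' ')"
    for d in $dirs; do
        [ -e "$d/libaceclnt.so" ] && return 0
    done
    return 1
}

# securid_preflight USER TOP [PASSWD_FILE]
# Runs all checks using the current VAR_ACE; prints one line per check and
# returns non-zero if any check fails, so it can gate the sshd2 start.
securid_preflight() {
    rc=0
    if shell_not_sdshell "$1" "$2" "$3"; then echo "ok: shell of $1 is not sdshell"
    else echo "FAIL: $1 would be prompted for SecurID twice (shell is sdshell)"; rc=1; fi
    if var_ace_ok "$VAR_ACE"; then echo "ok: VAR_ACE=$VAR_ACE contains sdconf.rec"
    else echo "FAIL: VAR_ACE is unset or has no sdconf.rec: '$VAR_ACE'"; rc=1; fi
    if libaceclnt_found; then echo "ok: libaceclnt.so is in the library path"
    else echo "FAIL: libaceclnt.so not found in /usr/lib or LD_LIBRARY_PATH"; rc=1; fi
    return $rc
}
# Typical use: securid_preflight alice /<top> && start sshd2 as in Section Starting the Server.
```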
Note: SSH Communications Security does not provide technical support on how to configure RSA ACE/Server. Our support only covers SSH Tectia applications.