RSA SecurID Submethod

RSA SecurID is a widely-used two-factor authentication method based on the use of SecurID Authenticator tokens. In Tectia, support for RSA SecurID is enabled as a submethod of keyboard-interactive authentication.

The prerequisite for enabling SecurID support in Tectia Server is that RSA Authentication Agent software (previously RSA ACE/Agent) is installed on the server host.

Note

To enable SecurID support in Tectia Server on a 64-bit Windows server host, do the following:

Install the 32-bit RSA Authentication Agent on a 32-bit Windows system.
Copy the aceclnt.dll and sdmsg.dll files from the C:\Program Files\Common Files\RSA Shared\Auth Data directory and place the files on the 64-bit Windows server host in the C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server directory with the sdconf.rec file from the RSA Authentication Manager.
Add C:\Program Files (x86)\SSH Communications Security\SSH Tectia\SSH Tectia Server in the System Path of the Windows Environment Variables.

When RSA SecurID is used, Tectia Server queries the user for the token's numerical code and passes the code to RSA Authentication Agent for verification. RSA Authentication Agent then returns the success or failure of the authentication to Tectia Server.

RSA SecurID authentication provides two different authentication agents/:

RSA Authentication Agent for PAM (versions 5.3.4 and 6.0.0)
RSA Authentication Agent for UNIX (version 5.2 )

The Tectia Server configuration needs different settings depending on which RSA Authentication Agent is used. For configuration examples, see Configuring RSA Authentication Agent for Unix and Configuring RSA Authentication Agent for PAM.

To use SecurID authentication, you should be familiar with the operation of RSA Authentication Manager (previously RSA ACE/Server).

Configuring RSA Authentication Agent for Unix

For the SecurID authentication to work with Tectia Server on Unix, the RSA Authentication Agent libaceclnt.so library has to be available in the /usr/lib directory (alternatively /user/ace/lib or /opt/ace/lib).

The following example shows the settings required in the ssh-server-config.xml file for keyboard-interactive authentication using the SecurID submethod:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-securid />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

Giving the dll-path attribute is not required. Tectia Server locates the libraries automatically.

Configuring RSA Authentication Agent for PAM

When you want to use keyboard-interactive authentication using the RSA Authentication Agent for PAM, make the following settings in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive>
      <submethod-pam />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

In addition, create a symlink for libpam as follows:

ln -s /lib/libpam.so.0 /lib/libpam.so

Create the /etc/pam.d/ssh-server-g3 file containing:

auth     required  /lib/security/pam_securid.so
acccount required  /lib/security/pam_pwdb.so
session  required  /lib/security/pam_pwdb.so

For more information, see the separate RSA SecurID Ready Implementation Guide for Tectia, available from the RSA web site (http://www.rsasecured.com/).

	Note
	SSH Communications Security does not provide technical support on how to configure RSA Authentication Manager (RSA ACE/Server). Our support only covers Tectia applications.