In recent months, a few customers have asked our Professional Services to help integrate RSA SecurID tokens with their implementation of Centrify Server Suite. I'm not here to argue the merits of MFA, in particular RSA SecurID, but if you want to read up on regulatory trends, Corey Williams's blog on "...PCI Multi-Factor Authentication is Now Required for Everyone..." gives you the highlights.
The focus of this quick tech blog is to give you the general steps necessary to install and configure DirectControl and RSA SecurID to enable two-factor authentication (2FA) for a Linux environment.
First, follow the installation steps to install both Centrify DirectControl and the SecurID agent. You must join your Linux host to Active Directory and register your Linux host with the SecurID management server. Make sure your Linux host is part of a Centrify Zone. At this point, you should verify that a zone-enabled user can log in to the Linux host using their AD credentials.
Next, you must edit the /etc/pam.d/system-auth file:
# lines inserted by Centrify Direct Control
auth required pam_securid.so #
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
account sufficient pam_centrifydc.so
account requisite pam_centrifydc.so deny
session required pam_centrifydc.so homedir
password sufficient pam_centrifydc.so try_first_pass
password requisite pam_centrifydc.so deny
When the DirectControl agent is enabled, the pam_centrifydc.so lines are added to system-auth. In order to trigger SecurID to request a token, you must add the pam_securid.so line shown above, ahead of the sufficient pam_centrifydc.so entry.
If needed, restart any authentication process that reads the PAM stack, including sshd. Most of the time, a process restart is not necessary.
Test the new configuration by using an ssh client to access the Linux host. After entering the name of an AD user that has been zone-enabled, you should be prompted first for the SecurID token and then for the AD password.
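Before testing with a live login, it helps to confirm that the edited stack will actually enforce the token. The following script is an added example and not part of the original post or of Centrify's or RSA's tooling; it reads a system-auth style file and reports whether pam_securid.so is present, whether it sits before the first "auth sufficient pam_centrifydc.so" line (a sufficient module that succeeds ends auth evaluation, so a token line placed after it is never reached), and whether its control flag is required or requisite (with optional, a rejected token would not fail the login). The three sample stacks are constructed inline; run it against /etc/pam.d/system-auth on a real host.

```shell
#!/bin/sh
# Added pre-flight check (not from the original post): is pam_securid.so
# enforced in a PAM auth stack?
#  1. it must appear BEFORE "auth sufficient pam_centrifydc.so", because a
#     sufficient module that succeeds stops auth evaluation;
#  2. its control flag must be required or requisite, otherwise a rejected
#     token does not fail the login.

# check_pam_order FILE
# Prints one word: ok | missing | unreachable | weak-control
check_pam_order() {
    file=$1
    # First auth line loading pam_securid.so: "<line-number> <control>"
    securid=$(awk '$1=="auth" && $3 ~ /pam_securid\.so/ {print NR, $2; exit}' "$file")
    # First auth line where pam_centrifydc.so is sufficient (the short-circuit)
    shortcut=$(awk '$1=="auth" && $2=="sufficient" && $3 ~ /pam_centrifydc\.so/ {print NR; exit}' "$file")

    if [ -z "$securid" ]; then
        echo missing
        return 0
    fi
    securid_nr=${securid% *}
    securid_ctl=${securid#* }
    if [ -n "$shortcut" ] && [ "$shortcut" -lt "$securid_nr" ]; then
        echo unreachable
        return 0
    fi
    case $securid_ctl in
        required|requisite) echo ok ;;
        *) echo weak-control ;;
    esac
}

# Constructed sample stacks, reduced to their auth lines.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth required pam_securid.so
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
EOF

# Token line placed after the sufficient line: never evaluated for AD users.
SWAPPED=$(mktemp)
cat >"$SWAPPED" <<'EOF'
auth sufficient pam_centrifydc.so
auth required pam_securid.so
auth requisite pam_centrifydc.so deny
EOF

# Token line present and first, but optional: a bad token does not deny.
OPTIONAL=$(mktemp)
cat >"$OPTIONAL" <<'EOF'
auth optional pam_securid.so
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
EOF
trap 'rm -f "$GOOD" "$SWAPPED" "$OPTIONAL"' EXIT

for f in "$GOOD" "$SWAPPED" "$OPTIONAL"; do
    echo "$f: $(check_pam_order "$f")"
done
```

On a host, `check_pam_order /etc/pam.d/system-auth` should print `ok`; anything else means the ssh test will either not prompt for a token or will accept a login without a valid one.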
Pretty easy to integrate Centrify DirectControl with RSA SecurID.
But that's not all.....
A lot of times, SecurID tokens are required only by certain user groups who are responsible for day-to-day privileged administration of the environment. For example, obtaining root-level access on a Linux box would require 2FA, while a user switching to a service account by way of 'dzdo su - serviceaccount' might not require 2FA.
RSA supports the ability to require token authentication for users that are part of a certain UNIX group. Since Centrify can easily integrate AD groups at the Linux OS level, let us run through the steps to configure this.
If you are planning to use an AD group, this AD group must be zone-enabled through Centrify. Alternatively, you can choose to use a local UNIX group, but you must make sure you populate the zone-enabled AD users into that local UNIX group.
Locate and edit the following lines in the sd_pam.conf file provided by the SecurID agent installation:
#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
#INCL_EXCL_GROUPS     :: 1 to always prompt the listed groups for securid
#                        authentication (include)
#                     :: 0 to never prompt the listed groups for securid
#                        authentication (exclude)
#LIST_OF_GROUPS       :: a list of groups to include or exclude...Example
Again, if needed, restart any authentication process that reads the PAM stack, including sshd. Most of the time, a process restart is not necessary. You can easily test this setup by logging in to the Linux host with AD users that are part of the UNIX group that is required to use 2FA as well as AD users that are not part of that group. The latter should not be prompted for a SecurID token.
The above setup addresses Linux hosts only. If you are interested in configuring Solaris or AIX for SecurID integration in conjunction with Centrify DirectControl, or if you want to integrate SecurID with Centrify OpenSSH, follow the link to the Centrify white paper "DirectControl and RSA SecurID".
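The three settings above decide who gets the token prompt, and the interaction between them is easy to get backwards: in include mode (INCL_EXCL_GROUPS=1) a typo in LIST_OF_GROUPS means nobody is prompted, while in exclude mode (0) the same typo means everybody is. The script below is an added example, not part of the original post or of the RSA agent; it reads the three settings from an sd_pam.conf and predicts whether a user with a given set of UNIX groups would be prompted, which is a quick way to verify the policy before trying logins. It assumes the settings are written as KEY=value lines and that LIST_OF_GROUPS is separated by ':', ',' or whitespace (check the example in your own sd_pam.conf for the agent's separator). The configuration excerpts and the two users' group lists are constructed; on a host you would pass `$(id -Gn "$user")` as the group list.

```shell
#!/bin/sh
# Added helper (not from the original post): given an sd_pam.conf and a
# user's UNIX group list, say whether the SecurID token prompt applies.
# Assumption: settings are KEY=value lines; LIST_OF_GROUPS items are
# separated by ':' ',' or whitespace.

# conf_value FILE KEY -> value of the last uncommented "KEY=value" line
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# in_list NEEDLE LIST -> exit 0 if NEEDLE is one of the separated items
in_list() {
    needle=$1
    list=$(printf '%s' "$2" | tr ':,' '  ')
    for item in $list; do
        if [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# token_required CONF "group1 group2 ..." -> prints yes | no
token_required() {
    conf=$1
    user_groups=$2
    enabled=$(conf_value "$conf" ENABLE_GROUP_SUPPORT)
    mode=$(conf_value "$conf" INCL_EXCL_GROUPS)
    listed=$(conf_value "$conf" LIST_OF_GROUPS)

    # Group support off: every user is prompted, as in the first half of the post.
    if [ "$enabled" != 1 ]; then
        echo yes
        return 0
    fi
    member=no
    for g in $user_groups; do
        if in_list "$g" "$listed"; then
            member=yes
            break
        fi
    done
    if [ "$mode" = 1 ]; then
        echo "$member"            # include mode: only listed groups are prompted
    elif [ "$member" = yes ]; then
        echo no                   # exclude mode: listed groups skip the token
    else
        echo yes
    fi
}

# Constructed sd_pam.conf excerpts (only the three relevant keys).
INCLUDE_CONF=$(mktemp); EXCLUDE_CONF=$(mktemp); OFF_CONF=$(mktemp)
trap 'rm -f "$INCLUDE_CONF" "$EXCLUDE_CONF" "$OFF_CONF"' EXIT
printf 'ENABLE_GROUP_SUPPORT=1\nINCL_EXCL_GROUPS=1\nLIST_OF_GROUPS=unix_admins:dba_oncall\n' >"$INCLUDE_CONF"
printf 'ENABLE_GROUP_SUPPORT=1\nINCL_EXCL_GROUPS=0\nLIST_OF_GROUPS=unix_admins:dba_oncall\n' >"$EXCLUDE_CONF"
printf 'ENABLE_GROUP_SUPPORT=0\nINCL_EXCL_GROUPS=1\nLIST_OF_GROUPS=unix_admins:dba_oncall\n' >"$OFF_CONF"

# Constructed group memberships for two zone-enabled AD users.
ADMIN_GROUPS="domain_users unix_admins"
DEV_GROUPS="domain_users developers"

for conf in "$INCLUDE_CONF" "$EXCLUDE_CONF" "$OFF_CONF"; do
    echo "$(conf_value "$conf" ENABLE_GROUP_SUPPORT)/$(conf_value "$conf" INCL_EXCL_GROUPS):" \
         "admin=$(token_required "$conf" "$ADMIN_GROUPS")" \
         "dev=$(token_required "$conf" "$DEV_GROUPS")"
done
```

Running it prints `admin=yes dev=no` for the include configuration, the reverse for the exclude configuration, and `yes` for both users when group support is disabled. Comparing that table with the logins you expect to be prompted catches a wrong INCL_EXCL_GROUPS value or a misspelled group name before anyone is surprised at the ssh prompt.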