[unisog] RSA SecurID with ESX

Jenkins, Matthew mjenkins7 at fairmontstate.edu
Thu Apr 13 12:48:49 GMT 2006


PAM looks to be configured correctly.  After observing the RSA logs, I
noticed when I attempt authentication at the VMWare web console that I
have one passcode accepted, and then an access denied, passcode
incorrect.  It looks like vmware-authd may be calling the SecurID module
twice.  I only have it in for auth.  I am using the pam_unix_acct for
account.

Matt

Matthew Jenkins
Network/Server Administrator
Fairmont State University
304.367.4955
AOL: MLJenkinsCom  Yahoo: mljenkins  ICQ: 8116624  MSN
Visit us online at www.fairmontstate.edu

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of David Bronder
Sent: Wednesday, April 12, 2006 7:48 PM
To: unisog at lists.sans.org
Subject: Re: [unisog] RSA SecurID with ESX

Jenkins, Matthew wrote:
> 
> Has anyone successfully gotten the SecurID Unix agent working with the
> ESX web login (vmware-authd)?  It seems to work fine with sshd; however,
> I can't seem to get it working with the ESX web console.  I also wasn't
> successful getting it working with local login.  It authenticates the
> user, however, the session immediately logs out after I attempt to login
> to the local console.  Thanks,

I'm not a SecurID user, but did you verify that your PAM configuration
is correct?

We use pam_krb5 on our ESX servers.  We updated /etc/pam.d/system-auth
to call pam_krb5.so in the appropriate places, then updated the PAM
config for sshd, vmware-authd, sudo, etc. to call pam_stack.so with
service=system-auth so we can keep our specific pam_krb5 settings in
one place.

The default /etc/pam.d/vmware-authd config lists the PAM modules to use
explicitly.  Make sure the SecurID PAM module is listed there for both
auth and account, or make sure it's in the system-auth config and
change vmware-authd to this:

  #%PAM-1.0
  auth       required     /lib/security/pam_stack.so service=system-auth
  account    required     /lib/security/pam_stack.so service=system-auth


[ Another response mentioned issues with PAM, threading, and RHEL4.
  For reference, VMware ESX 2.x is based on RedHat 7.2.  ESX 3.0 is
  going to be based on RHEL3. ]

-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu
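
Added example, not part of either message: a Python check for the advice above that follows pam_stack.so service= references and counts how often a module runs for auth and account in a given service. The config text is constructed and pam_securid.so is an assumed name for the SecurID module; the check reads configuration only and cannot show whether vmware-authd itself invokes the stack twice.

```python
import posixpath

# Constructed sample configs (not copied from the thread).
# Assumption: the SecurID agent's PAM module is named pam_securid.so.
SAMPLE = {
    "vmware-authd": """#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
""",
    "system-auth": """#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_securid.so
account    required     /lib/security/pam_unix_acct.so
""",
}

def resolve(service, mgmt_type, configs, _seen=()):
    """List module basenames run for one service and type (auth, account, ...),
    in order, expanding pam_stack.so service=NAME entries.
    Handles simple control keywords only (required, sufficient, ...)."""
    if service in _seen:
        raise ValueError("pam_stack loop through " + service)
    modules = []
    for raw in configs[service].splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 3 or fields[0] != mgmt_type:
            continue
        module, args = posixpath.basename(fields[2]), fields[3:]
        if module == "pam_stack.so":
            target = next((a.split("=", 1)[1] for a in args
                           if a.startswith("service=")), None)
            if target is None:
                raise ValueError("pam_stack.so without service= in " + service)
            modules += resolve(target, mgmt_type, configs, _seen + (service,))
        else:
            modules.append(module)
    return modules

def count_module(service, module, configs):
    """How many times `module` appears in the resolved auth and account stacks.
    0 means it is missing for that type; more than 1 in auth means a one-time
    passcode would be checked more than once in a single login."""
    return {t: resolve(service, t, configs).count(module)
            for t in ("auth", "account")}

if __name__ == "__main__":
    print(count_module("vmware-authd", "pam_securid.so", SAMPLE))
```

On a real host, fill the dictionary from the files under /etc/pam.d, keyed by file name.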