
Installation of SecurID Client on Suse


For Suse 10 SP1 64-bit you need version 6 of the RSA PAM agent.  Please note that, as usual, the RSA Installation guide is junk and you need to guess a lot of things to understand the technology.  Thank God the installation script is just a Bourne shell script, and reading it can clarify a lot of things.

Here are the steps:

Get the latest version of the ACE agent from the RSA site

As of Jan 2010 the latest version is still AuthenticationAgent_60_PAM_95_060308.tar

Untar files in a newly created directory

Untar the SecurID client into an installation directory created, for example, under your home directory:

mkdir aceclient && cd aceclient

tar xvf ../AuthenticationAgent_60_PAM_95_060308.tar

Copy sdconf.rec

1. Copy the file sdconf.rec from its usual location on the ACE/Server (/ACE/data) to the SecurID client configuration directory (for example /var/ace).  You can also copy it from any working client (usually at /var/ace).

# mkdir /var/ace
# cp ../sdconf.rec /var/ace
# ll /var/ace
total 4
-rw-r--r-- 1 root root 1024 Jan 25 11:10 sdconf.rec

2. Important: verify that the checksum matches the checksum on a server that works (this helps to detect accidental errors such as transferring the file in text mode, getting the wrong file, etc.):

# cksum sdconf.rec
2006481408 1024 sdconf.rec

Note: The installation script assumes a default location for sdconf.rec, recorded in the variable VAR_ACE. You can also change the default value in the installation script to, say, /etc/ace, which would probably be more logical, or /opt/ace. The relevant fragment of the script (the assignment inside the if is reconstructed from the default the script later offers, /var/ace):

if [ ! -n "$VAR_ACE" ]; then
    VAR_ACE=/var/ace   # default location of sdconf.rec; change to /etc/ace or /opt/ace if preferred
fi
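A small shell helper, added here as an example and not part of the RSA installer or of the original page, that stages sdconf.rec into the configuration directory only after its cksum matches the value read on the ACE/Server, so the "text mode transfer" and "wrong file" mistakes mentioned above are caught before the agent ever reads the record. The /var/ace default and the cksum format follow the steps above; make_sample_sdconf writes a constructed stand-in (not a valid record) so the script can be exercised offline.

```sh
#!/bin/sh
# Added example: verify-then-install for sdconf.rec. Not the RSA installer's code.
# Assumptions: cksum(1) prints "crc size name" as shown on the page, and the
# expected value is copied by hand from the ACE/Server or a working client.

# Default configuration directory, same convention as the installer's VAR_ACE.
: "${VAR_ACE:=/var/ace}"

# file_cksum FILE: print "crc size" of FILE (the first two fields of cksum).
file_cksum() {
    cksum "$1" | awk '{ print $1, $2 }'
}

# install_sdconf SRC DEST_DIR EXPECTED
# Copy SRC to DEST_DIR/sdconf.rec only if file_cksum SRC equals EXPECTED
# ("crc size", e.g. "2006481408 1024" from the listing above). Exit status:
#   0 installed, 1 checksum mismatch (nothing copied), 2 SRC unreadable / copy failed.
install_sdconf() {
    src=$1; dest_dir=${2:-$VAR_ACE}; expected=$3
    [ -r "$src" ] || { echo "install_sdconf: cannot read $src" >&2; return 2; }
    actual=$(file_cksum "$src")
    if [ "$actual" != "$expected" ]; then
        echo "install_sdconf: checksum mismatch for $src: got '$actual', expected '$expected'" >&2
        echo "install_sdconf: was the file transferred in text mode, or is it the wrong record?" >&2
        return 1
    fi
    # Only create the directory once the record has been verified.
    mkdir -p "$dest_dir" || return 2
    cp "$src" "$dest_dir/sdconf.rec" || return 2
    chmod 0644 "$dest_dir/sdconf.rec"   # same mode as the listing above
    return 0
}

# make_sample_sdconf PATH: write a constructed 1024-byte stand-in (not a real
# sdconf.rec) so the functions above can be tried without an ACE/Server.
make_sample_sdconf() {
    dd if=/dev/zero bs=1024 count=1 2>/dev/null | tr '\000' 'A' > "$1"
}

# Typical use on a real host, with the expected value read with cksum on the server:
#   install_sdconf ../sdconf.rec /var/ace "2006481408 1024"
```

Because the directory is created only after the comparison succeeds, a failed transfer leaves no half-configured /var/ace behind for the installer to pick up.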

Run script

1. Create target directory, for example /opt/ace.

mkdir /opt/ace

2. Run the script and answer the questions. Be careful when specifying the target directory (no editing is available; you need to cancel the script if you made a typo).


... ... ... 

Do you accept the License Terms and Conditions stated above? (Accept/Decline) [D]A

Enter Directory where sdconf.rec is located [/var/ace]

Please enter the root path for the RSA Authentication Agent for PAM directory [/opt]

Note: The script will also copy the PAM module to /lib64/security or /lib/security, depending on whether you are using 64-bit or 32-bit Linux.

The RSA Authentication Agent for PAM will be installed in the /opt/ace directory.
Checking /etc/sd_pam.conf:

VAR_ACE does not exist - entry will be appended
ENABLE_GROUP_SUPPORT does not exist - entry will be appended
INCL_EXCL_GROUPS does not exist - entry will be appended
LIST_OF_GROUPS does not exist - entry will be appended
PAM_IGNORE_SUPPORT does not exist - entry will be appended
AUTH_CHALLENGE_USERNAME_STR does not exist - entry will be appended
AUTH_CHALLENGE_RESERVE_REQUEST_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSCODE_STR does not exist - entry will be appended
AUTH_CHALLENGE_PASSWORD_STR does not exist - entry will be appended

* You have successfully installed RSA Authentication Agent 6.0 for PAM
Note: the last step is the creation of the /etc/sd_pam.conf file:
#VAR_ACE ::  the location where the sdconf.rec, sdstatus.12 and securid files will go

#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support

#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
#                 :: 0 to never prompt the listed groups for securid authentication (exclude)

#LIST_OF_GROUPS :: a list of groups to include or exclude...Example

#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership

#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id

#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :

#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode

#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
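To make the group settings concrete, here is an added shell example (not the agent's code and not from the original page) that reads the four group-related keys from an sd_pam.conf and reports, for one user's group list, whether pam_securid would prompt for a passcode, fall back to UNIX authentication, or return PAM_IGNORE. The decision follows the comments above; the LIST_OF_GROUPS separator (comma or colon accepted here) and the sample values written by write_sample_conf are assumptions.

```sh
#!/bin/sh
# Added example: interpret the group settings of /etc/sd_pam.conf for one user.
# Not the RSA agent's code; key semantics follow the comments in the file.

# conf_get KEY FILE: value of the first "KEY=value" line in FILE, empty if absent.
conf_get() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# securid_policy GROUPS CONF
# GROUPS is a space-separated list of the user's groups. Prints one word:
#   securid -> pam_securid prompts for a passcode
#   unix    -> user is not SecurID-authenticated; UNIX authentication applies (PAM_IGNORE_SUPPORT=0)
#   ignore  -> user is not SecurID-authenticated; module returns PAM_IGNORE (PAM_IGNORE_SUPPORT=1)
securid_policy() {
    groups=$1; conf=$2
    enable=$(conf_get ENABLE_GROUP_SUPPORT "$conf")
    mode=$(conf_get INCL_EXCL_GROUPS "$conf")
    list=$(conf_get LIST_OF_GROUPS "$conf" | tr ',:' '  ')   # separator assumed
    ignore=$(conf_get PAM_IGNORE_SUPPORT "$conf")

    # Group support disabled (or key missing): everybody is SecurID-authenticated.
    [ "${enable:-0}" = "1" ] || { echo securid; return 0; }

    listed=0
    for g in $groups; do
        for l in $list; do
            [ "$g" = "$l" ] && listed=1
        done
    done

    # INCL_EXCL_GROUPS=1: listed groups are prompted, all others are not (include).
    # INCL_EXCL_GROUPS=0: listed groups are never prompted, all others are (exclude).
    if [ "${mode:-1}" = "1" ]; then
        prompt=$listed
    else
        prompt=$((1 - listed))
    fi

    if [ "$prompt" = "1" ]; then
        echo securid
    elif [ "${ignore:-0}" = "1" ]; then
        echo ignore
    else
        echo unix
    fi
}

# write_sample_conf PATH [INCL_EXCL] [IGNORE]: constructed sd_pam.conf for the demo
# (values are assumptions, not the installer's defaults).
write_sample_conf() {
    cat > "$1" <<EOF
VAR_ACE=/var/ace
ENABLE_GROUP_SUPPORT=1
INCL_EXCL_GROUPS=${2:-0}
LIST_OF_GROUPS=wheel,ops
PAM_IGNORE_SUPPORT=${3:-0}
EOF
}

# Example: securid_policy "wheel users" /etc/sd_pam.conf
```

Running it with the exclude setting (INCL_EXCL_GROUPS=0) shows the practical consequence of PAM_IGNORE_SUPPORT: with 0 an exempt group such as wheel is handed to whatever UNIX authentication follows in the stack, with 1 the module steps aside entirely, so the rest of the auth stack decides whether that user gets in at all.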

Test connectivity to the server

  1. cd to /opt/ace/pam/bin
  2. Detect the target ACE server by running the command ./acestatus, for example
    # ./acestatus
    RSA ACE/Server Limits
    Configuration Version : 14 Client Retries : 5
    Client Timeout : 5 DES Enabled : Yes
    RSA ACE/Static Information
    Service : securid Protocol : udp Port Number : 5500
    RSA ACE/Dynamic Information
    Server Release : N/A Communication : 5
    RSA ACE/Server List
    Server Name : AUTHMGR
    Server Address :
    Server Active Address :
    Master : Yes Slave : No Primary : Yes
    Usage : Default Server during initial requests
  3. Ping the target ACE server. If it is behind a firewall, or your server has a firewall enabled, make sure that the port is open.
  4. Important: Ask your ACE server administrator to add the server to the list of clients (this requires access to the ACE server console).
  5. Try ./acetest. If the ACE server admin did his job, you should be able to connect.
  6. If the test fails with the message

    # ./acetest
    Cannot communicate with the ACE/Server.

    then the server specified in your sdconf.rec file is probably incorrect or down.

    If you get the prompt Enter USERNAME: then the server has been found successfully.

    Enter PASSCODE:
    Unexpected error from ACE/Agent API.


Configure PAM

Suse has a convoluted PAM setup, with the perversion, typical for Suse and other Linux distributions, of using too many files and too many includes.  So modifying it for SecurID is far from being a straightforward exercise.

In a typical installation you usually want to use SecurID for all daemons except SSH (where certificates provide the same level of security without paying an exorbitant amount of money to RSA ;-)

There are many ways to achieve that. The one that we recommend is to modify login by commenting out the three lines shown commented out below and adding the line auth required at the top:

auth required
#auth required
#auth include common-auth
#auth required

account include common-account 
# this is just account required
password include common-password
session include common-session
session required nowtmp
session required
session optional standard

If, in addition, you comment out common-password or make it "requisite" instead of "required", you will lose the ability to use regular passwords, which is useful for a selected group of users (usually the wheel group).

Note 1: the commented out "include common-auth" contains just two lines:

auth required
auth required

Note 2: "include common-password" also contains two lines (plus one commented out line):

password required  nullok
password required    nullok use_authtok
#password required     /var/yp

Preserving it allows the use of regular passwords for selected users or groups (the wheel group) by adding the pam_require module.  See Wheel Group for details.

You also need to modify pure-ftp.pam, as it does not use login. Add "auth required" at the top and comment out "include common-auth":

auth required
auth required item=user sense=deny file=/etc/ftpusers onerr=succeed
#auth include common-auth
auth required
account include common-account
password include common-password
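After editing login and pure-ftp.pam by hand it is easy to leave an "include common-auth" active or to put the SecurID module in the wrong place, and PAM will not complain. The following shell check, added here as an example (it is not from the original page or from RSA), reads one /etc/pam.d file, ignores comments, and fails unless the first active auth entry is the SecurID module (pam_securid, the module name used in the posts quoted further down) and no active "auth include common-auth" remains. The sample files written by write_sample_login are constructed; the module names pam_securetty and pam_nologin stand in for the names the listing above lost.

```sh
#!/bin/sh
# Added example: audit the auth stack of one PAM service file after the edit
# described above. Not RSA's code. Assumes the SecurID module is pam_securid.so.

# check_securid_auth_stack FILE
# Exit 0 when the active (uncommented) "auth" lines in FILE start with the
# SecurID module and "auth include common-auth" is no longer active;
# exit 1 otherwise, with the offending lines reported on stderr.
check_securid_auth_stack() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
        $1 == "auth" {
            n++
            if (n == 1 && $0 !~ /pam_securid/) {
                print "first active auth entry is not pam_securid: " $0 > "/dev/stderr"; bad = 1
            }
            if ($2 == "include" && $3 == "common-auth") {
                print "common-auth is still included: " $0 > "/dev/stderr"; bad = 1
            }
        }
        END {
            if (n == 0) { print "no active auth entries" > "/dev/stderr"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# write_sample_login DIR: constructed stand-ins for /etc/pam.d/login before and
# after the edit (module names assumed).
write_sample_login() {
    cat > "$1/login.before" <<'EOF'
auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
EOF
    cat > "$1/login.after" <<'EOF'
auth     required       pam_securid.so
#auth    required       pam_securetty.so
#auth    include        common-auth
#auth    required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
EOF
}

# Typical use: for f in login pure-ftp; do check_securid_auth_stack /etc/pam.d/$f || echo "$f needs attention"; done
```

The same function works for pure-ftp.pam or any other service file, so it can be run over every file in /etc/pam.d that is supposed to require a token, leaving only the SSH stack (kept on keys, as discussed above) to be reviewed by eye.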

Note: here are the RSA recommendations from the installation manual (which is very weak).

SUSE Linux Enterprise Server 9 (SP3) and 10 (64 bit):

1. Change to /etc/pam.d/ and open the login file.

auth required
auth include common-auth
auth required
account include common-account
password include common-password
session include common-session
session required nowtmp
session required
session optional standard
session required # added by orarun
2. Comment out the following 3 lines:
auth required
auth include common-auth
auth required
3. Replace them with the following lines:
auth required
auth required


Old News ;-)

Re pam_nologin as account module

On Sun, Jan 20, 2002 at 04:37:19PM -0500, Sam Hartman wrote:

> I've gotten several Debian bug reports that pam_nologin should be an
> account module so it works better with ssh.  The problem is that if
> you have RSA auth or Kerberos auth with ssh, the pam_authenticate call
> is skipped, so if pam_nologin is in the auth stack, then it will be
> ignored.

> Clearly making pam_nologin be an account module is wrong because doing
> so would cause it to wait until after the password is entered for
> login applications.  What about allowing pam_nologin to be both an
> account and auth module?  Would this be acceptable?

I've commented before that many of the modules that ship as auth-only
would also be very useful as account modules; I never heard any
objections to that idea, it just seemed to be a question of writing the

Steve Langasek
postmodern programmer

question on authentication - null passwds

Hello all,

  I am currently using pam_securid to authenticate users using RSA's securid
keychain fobs. I have a problem: If a user has anything in their password
field in /etc/shadow, the authentication fails. I would like to have
password fields in /etc/shadow with legitimate passwords otherwise I get
unwanted side-effects like users being able to 'su' to any other user with
no password.

Currently, this is my /etc/pam.d/sshd file (ssh is the only way to login to
this machine)

auth       required     /lib/security/
auth       required     /lib/security/
auth       sufficient   /lib/security/ likeauth nullok
auth       required     /lib/security/
auth       required     /lib/security/
account    required     /lib/security/
password   required     /lib/security/ service=system-auth
session    required     /lib/security/ service=system-auth
session    required     /lib/security/
session    optional     /lib/security/

I would like to know what to take out of /etc/pam.d/sshd, system-auth or su
in order for me to authenticate with pam_securid (the only method I want
users to authenticate with), yet still have passwords
in the /etc/shadow file to prevent users from su-ing, etc.

Thanks for your help

Re PAM SecurID

Roger E McClurg wrote:
I'm using the RSA PAM SecurID module (5.0). It authenticates users just fine, but when a token gets into new pin mode or next token mode the user does not get the prompts just a NAK. Does anyone have any experience with this?

My configuration:
radius auth required /usr/lib/security/$ISA/ debug
radius account required /usr/lib/security/$ISA/ debug
radius password required /usr/lib/security/$ISA/

I've never used pam_securid, but should this not point to pam_securid too? The "new pin" or "next token" modes sound like they would map onto pam_chauthtok, which is what this is.

radius session required /usr/lib/security/$ISA/
Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

pam configuration for securID - SUSE Forums

auth required
#auth required # set_secrpc
auth required
auth required
account required
account required
password required
password required use_first_pass use_authtok
session required none # trace or debug
session required
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README.SuSE)
#session optional fake_ttyname

Recommended Links



Wiki MySecurID-page

RSA Secured Partner Solutions for RSA SecurID

Configuring SecurID Authentication


Installation and Configuration Guide

RSA Authentication Agents for UNIX-Linux - RSA, The Security Division of EMC

The RSA Authentication Agent for UNIX/Linux consists of two solutions:

Authentication Agent 6.0 for PAM

Supported Platforms Platform set I:

Platform set II: Platform set III:

(Other platforms will be released later)

RSA strongly recommends using OpenSSH.
PAM Agent for platform set I was qualified with OpenSSH 4.3p2.
PAM Agents for platform sets II and III were qualified with OpenSSH 4.5p1.

Other Requirements 7 MB free disk space
RSA ACE/Server 5.2, RSA Authentication Manager 6.0, or RSA Authentication Manager 6.1 or later

Pricing and Availability Download this agent for free

RSA Authentication Agent 6.0 for PAM

RSA Authentication Agent 5.3.4 for PAM

Supported Platforms RSA Authentication Agent 5.3.4 for PAM supports only the 32-bit version of the following operating systems:

The PAM Agent supports OpenSSH 4.1p1 for all platforms and OpenSSH 4.3p1 on Red Hat Enterprise Linux AS/ES 4.0. RSA strongly recommends using OpenSSH.

Other Requirements 6 MB free disk space
RSA ACE/Server 5.1 or later, or RSA Authentication Manager 6.0 or later

Pricing and Availability Download this agent for free
RSA Authentication Agent 5.3.4 for PAM



Copyright © 1996-2018 by Dr. Nikolai Bezroukov. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019