2FA using RSA SecurID tokens

Hello,

We would like to set up OOD to use 2FA with our RSA SecurID tokens, and we wanted to know what the best approach would be to accomplish this?

Thanks,

Matt

Really it comes down to how are you going to configure Apache httpd to do this.

I found these docs which I did not really comprehend, but at a glance there’s some sort of RSA agent running on the same machine that apache can talk to?

https://community.rsa.com/community/products/securid/authentication-agent-web-apache
https://community.rsa.com/docs/DOC-85067

Maybe someone else in the community has done this, I'm not sure. You may also want to reach out to RSA and ask them how to integrate RSA SecurID with an Apache httpd web server.

@msgambati-INL what is the initial authentication mechanism being used by your OnDemand instance? I’m assuming that you want 2FA after an initial password based auth?

Hi guys,

Sorry for letting this ticket sit around for so long. We finally had time to get this implemented and the solution was what Jeff offered, plus we implemented RSA for PAM:
https://community.rsa.com/community/products/securid/authentication-agent-pam

Thanks,

Matt

Did you get PAM to work out of the box with Open OnDemand? We had to install the mod_authnz_pam package on CentOS 7.7.

Then, we had to configure httpd24 for this (from our Ansible playbooks):

    - name: configure load apache pam module
      copy:
        content: |
          LoadModule authnz_pam_module modules/mod_authnz_pam.so
        dest: /opt/rh/httpd24/root/etc/httpd/conf.modules.d/55-authnz_pam.conf
      notify:
        - restart httpd

    - name: link in apache pam module
      file:
        dest: /opt/rh/httpd24/root/usr/lib64/httpd/modules/mod_authnz_pam.so
        src: /usr/lib64/httpd/modules/mod_authnz_pam.so
        state: link

After which we could configure ood_portal.yml:

    auth:
      - 'AuthType Basic'
      - 'AuthName "Enter chariteuser_c or mdcuser_m and your usual password to login."'
      - 'AuthBasicProvider PAM'
      - 'AuthPAMService httpd'
      - 'Require valid-user'
      - 'RequestHeader unset Authorization'

I hope this is (complete and) of help to anyone.

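A small post-deployment check for the setup above, added here as an example and not code from the thread or from the Open OnDemand project. It assumes the httpd24 SCL paths shown in the playbook, and takes an optional root prefix as its first argument so it can be run against a constructed directory tree instead of the live host:

```shell
#!/bin/sh
# Added post-deployment check, not from the thread or the Open OnDemand project.
# Assumes the httpd24 SCL paths used above; "$1" is an optional root prefix
# (a constructed directory tree when testing, empty on a real host).

check_pam_auth_setup() {
  root="${1:-}"
  httpd_root="$root/opt/rh/httpd24/root"
  modconf="$httpd_root/etc/httpd/conf.modules.d/55-authnz_pam.conf"
  module="$httpd_root/usr/lib64/httpd/modules/mod_authnz_pam.so"
  pamsvc="$root/etc/pam.d/httpd"
  status=0

  # 1. Without the LoadModule line, 'AuthBasicProvider PAM' fails at startup.
  if ! grep -q '^LoadModule authnz_pam_module' "$modconf" 2>/dev/null; then
    echo "missing LoadModule directive in $modconf"; status=1
  fi
  # 2. The symlink must resolve; a dangling link looks fine to 'ls' but not to httpd.
  if [ ! -e "$module" ]; then
    echo "module missing or dangling symlink: $module"; status=1
  fi
  # 3. 'AuthPAMService httpd' needs /etc/pam.d/httpd; otherwise PAM uses the
  #    'other' service, which on most distributions denies everything.
  if [ ! -f "$pamsvc" ]; then
    echo "PAM service file missing: $pamsvc"; status=1
  fi
  return "$status"
}

# Checks the rendered auth directives (path to the httpd conf as "$1").
# 'RequestHeader unset Authorization' matters: OnDemand proxies to per-user
# backends, and without it the Basic credentials would be forwarded to them.
check_auth_directives() {
  conf="$1"
  for d in 'AuthType Basic' 'AuthBasicProvider PAM' 'AuthPAMService' \
           'Require valid-user' 'RequestHeader unset Authorization'; do
    grep -q "$d" "$conf" || { echo "auth config missing: $d"; return 1; }
  done
  return 0
}
```

Run it with no argument on the OnDemand host after the playbook and `apachectl configtest` have completed; a non-zero exit names the missing piece.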

Hi Manuel (@holtgrewe),

We do not use PAM for our authentication, we use LDAP. This is great information for those who happen to use PAM though. I appreciate the information.

Thanks,

Matt