AIX Multi-Factor Authentication via RSA SecurID
Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) is a method of access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism. MFA requires two or more authentication factors to make it more difficult for an unauthorized person to access a target system.
There are three categories of authentication factors:
- Something you know, e.g., a password or PIN
- Something you have, e.g., an ID badge, a hardware token, or a cryptographic key
- Something you are, e.g., a fingerprint or other biometric data
Single-factor authentication (SFA) uses only one category. The most common SFA method is a username and password combination, although biometric authentication is becoming more common. MFA requires users to provide factors from more than one category: authentication that requires two passwords is not MFA, while authentication that requires a PIN and a fingerprint is.
As cyber-security threats grow, more computer security standards, such as PCI DSS 3.2 (Payment Card Industry Data Security Standard version 3.2), include MFA among their hardening requirements. We anticipate that more AIX environments will be required to use MFA for authentication.
RSA SecurID (token-based MFA solution)
RSA SecurID provides two-factor authentication for local logins, remote connections, terminal services, and similar access paths. The following diagram illustrates the SecurID architecture, which consists of an Authentication Manager server, an Authentication Agent running on the system the user is trying to access, and hardware or software tokens that generate the tokencodes.
RSA PAM Agent (Authentication Agent) for AIX
This section describes the workflow of the RSA PAM agent for AIX:
1. A user attempts to access an AIX machine protected by RSA SecurID, either locally or remotely:
   1.1. If accessed locally, local logon tools such as login are supported.
   1.2. If accessed remotely, remote logon tools such as rlogin, telnet, ssh, and ftp are supported.
2. Through the PAM configuration files, the RSA PAM agent intercepts the logon request:
   2.1. If the user requesting access is not to be challenged by RSA SecurID, the RSA PAM module allows the request to proceed.
   2.2. If the user requesting access is to be challenged by RSA SecurID, the agent continues the authentication process.
3. The agent prompts the user for the user name.
4. The agent prompts for the factors required to complete the authentication (for SecurID, the user's PIN and the current tokencode, entered together as the passcode).
5. The agent sends the user name and factors to the RSA Authentication Manager over a secure channel:
   5.1. If the Authentication Manager approves the request, the agent grants the user access.
   5.2. If the Authentication Manager does not approve the request, the agent denies access and takes the appropriate action.
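As an added example (my own shell script, not code from this page, from IBM or from RSA), the following audits the three AIX files behind step 2 of the workflow: /etc/pam.conf, /etc/security/login.cfg and the agent's sd_pam.conf. It assumes the AIX pam.conf line format (service, module type, control flag, module path), assumes the RSA module is installed as /usr/lib/security/pam_securid.so, and assumes that the sd_pam.conf keys ENABLE_USERS_SUPPORT, INCL_EXCL_USERS, LIST_OF_USERS and PAM_IGNORE_SUPPORT have the meanings given in its comments; verify all of these against the RSA agent documentation for your release. The three input files are constructed samples, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from this page, IBM or RSA): a read-only audit of the three
# AIX files that decide whether a login is challenged by the RSA PAM agent.
# Assumed, and to be verified against the RSA agent docs for your release:
#   - AIX /etc/pam.conf line format:  service  type  control  module [options]
#   - the RSA module is installed as /usr/lib/security/pam_securid.so
#   - sd_pam.conf keys ENABLE_USERS_SUPPORT, INCL_EXCL_USERS, LIST_OF_USERS and
#     PAM_IGNORE_SUPPORT have the meaning given in the comments below

# Control flag on the pam_securid "auth" line for service $2 in pam.conf $1
# (required, requisite, sufficient or optional); prints nothing if absent.
rsa_control_flag() {
    awk -v svc="$2" '$1 == svc && $2 == "auth" && $4 ~ /pam_securid/ { print $3; exit }' "$1"
}

# Number of "auth" modules other than pam_securid stacked for service $2.
other_auth_modules() {
    awk -v svc="$2" '$1 == svc && $2 == "auth" && $4 !~ /pam_securid/ { n++ } END { print n + 0 }' "$1"
}

# 1 if login.cfg $1 has auth_type = PAM_AUTH in the usw stanza, else 0. Without
# it AIX uses its native authentication and never consults pam.conf.
pam_enabled() {
    awk '/^[^ \t#].*:[ \t]*$/ { stanza = $1; sub(/:.*/, "", stanza) }
         stanza == "usw" && $1 == "auth_type" && $3 == "PAM_AUTH" { found = 1 }
         END { print found + 0 }' "$1"
}

# Value of key $2 in sd_pam.conf $1; the last uncommented assignment wins.
sd_setting() {
    awk -F= -v key="$2" '$0 !~ /^[ \t]*#/ && $1 == key { val = $2 } END { print val }' "$1"
}

# Steps 2.1/2.2 of the workflow for user $2, from the user rules in sd_pam.conf
# $1 (group rules are not modelled): prints "challenged" or "not-challenged".
user_challenged() {
    listed=0
    for u in $(sd_setting "$1" LIST_OF_USERS | tr ':,' '  '); do
        [ "$u" = "$2" ] && listed=1
    done
    if [ "$(sd_setting "$1" ENABLE_USERS_SUPPORT)" != 1 ]; then
        echo challenged                                   # no per-user rules at all
    elif [ "$(sd_setting "$1" INCL_EXCL_USERS)" = 1 ]; then
        [ $listed = 1 ] && echo challenged || echo not-challenged   # include list
    else
        [ $listed = 1 ] && echo not-challenged || echo challenged   # exclude list
    fi
}

# Verdict for one PAM service. Args: pam.conf, login.cfg, sd_pam.conf, service.
# Prints one OK/FAIL line and returns 0 only for OK.
audit_service() {
    if [ "$(pam_enabled "$2")" != 1 ]; then
        echo "FAIL: usw auth_type is not PAM_AUTH, so pam.conf is never consulted"; return 1
    fi
    flag=$(rsa_control_flag "$1" "$4")
    if [ -z "$flag" ]; then
        echo "FAIL: no pam_securid auth line for $4"; return 1
    fi
    case "$flag" in
        required|requisite) ;;
        *) echo "FAIL: $4 stacks pam_securid as '$flag' (must be required or requisite)"; return 1 ;;
    esac
    # With PAM_IGNORE_SUPPORT=0 the module returns PAM_SUCCESS for users it does not
    # challenge, so some other auth module must still verify a password for them.
    if [ "$(sd_setting "$3" PAM_IGNORE_SUPPORT)" != 1 ] && [ "$(other_auth_modules "$1" "$4")" -eq 0 ]; then
        echo "FAIL: $4 has no auth module besides pam_securid (unchallenged users would log in without a password)"; return 1
    fi
    echo "OK: $4 requires a SecurID passcode"
}

# Constructed sample files (not copied from a real system) so the audit runs offline.
make_samples() {
    d=${TMPDIR:-/tmp}/rsa_audit.$$; mkdir -p "$d"
    cat > "$d/pam.conf" <<'EOF'
login  auth  required    /usr/lib/security/pam_securid.so
login  auth  required    /usr/lib/security/pam_aix
sshd   auth  sufficient  /usr/lib/security/pam_securid.so
sshd   auth  required    /usr/lib/security/pam_aix
ftp    auth  required    /usr/lib/security/pam_securid.so
EOF
    cat > "$d/login.cfg" <<'EOF'
usw:
        auth_type = PAM_AUTH
EOF
    cat > "$d/sd_pam.conf" <<'EOF'
# INCL_EXCL_USERS=1: LIST_OF_USERS is an include list
ENABLE_USERS_SUPPORT=1
INCL_EXCL_USERS=1
LIST_OF_USERS=root:oracle
PAM_IGNORE_SUPPORT=0
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then          # sh audit.sh --demo
    d=$(make_samples)
    for svc in login sshd ftp telnet; do audit_service "$d/pam.conf" "$d/login.cfg" "$d/sd_pam.conf" "$svc" || true; done
    echo "root: $(user_challenged "$d/sd_pam.conf" root), guest: $(user_challenged "$d/sd_pam.conf" guest)"
    rm -r "$d"
fi
```

Two checks matter most in practice. First, pam_securid should be stacked as required or requisite: if it is sufficient and it answers PAM_SUCCESS for a user it does not challenge, the stack can succeed before any password is checked (the sshd line in the sample). Second, when PAM_IGNORE_SUPPORT is 0 the module reports success for unchallenged users, so another auth module (pam_aix in the sample) must stay in the stack to verify their password; the ftp line in the sample shows the gap. Run `sh audit.sh --demo` to see both failures, the missing-line case for telnet, and the include-list decision for root versus guest.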
RSA PAM Agent Certifications for AIX and VIOS
IBM is a certified RSA Ready Technology Partner, which means that, for the AIX versions and Power hardware listed in the certifications, IBM has verified that AIX and VIOS work with the RSA PAM Agent when set up according to RSA's instructions. Customers can view the published certification documents from RSA:
https://community.rsa.com/docs/DOC-24996 (for AIX 6.1, 7.1, and 7.2 on Power7 and Power8)
https://community.rsa.com/docs/DOC-58816 (for Virtual I/O Server on Power7 and Power8)
As stated in the certification, the following AIX clients have been verified:
- login (console)
How to get RSA PAM Agent for AIX?
For more information on obtaining and setting up the RSA Authentication Agent 7.1 for PAM, see the documentation provided by RSA:
- RSA Authentication Agent for PAM with AIX:
- RSA Authentication Agent for PAM Community:
- All RSA products and support can be obtained through the RSA website: