This is how you can perform authentication against RSA SecurID from a PHP application. RSA does not provide a module or agent that talks to PHP directly, so we use the PAM PECL extension to call into the RSA PAM agent. This tutorial assumes you already have a working RSA Authentication Manager installation with SecurID tokens assigned, and a running Apache/PHP install.
Step 1:
Install the PAM PECL extension. You can find it at http://pecl.php.net/package/PAM
Follow the instructions to install and enable this extension. Building it requires the PHP and PAM development headers if you are using the vendor-supplied build of PHP. On RHEL 6, for instance, the php-devel package lives in the "RHEL Server Optional" channel, which must be assigned to the system before it can be installed. If you built PHP yourself, the headers are already present and the php-devel step is not necessary.
yum install php-devel
yum install pam-devel
Extract the archive, change into the extracted directory, then build and install the extension:
phpize
./configure
make
make install
Edit your /etc/php.ini configuration file to include:
[PHP]
extension=pam.so
Step 2:
Install the Linux RSA PAM authentication agent following the instructions included with the agent. Download it from here: http://www.rsa.com/node.aspx?id=2844
Step 3:
Make sure to run the acetest utility provided with the RSA PAM authentication agent. On 64-bit Red Hat it typically lives in /opt/pam/bin/64bit/acetest. This serves two purposes: it creates the files in /var/ace whose permissions we need to change in the next step, and it verifies that the host is communicating with and properly authenticating against the RSA Authentication Manager server. If acetest cannot authenticate, make sure the host has been registered as an authentication agent in RSA Authentication Manager and can reach it over the network; there is no point continuing to the PHP side until acetest succeeds.
Step 4:
Change the permissions on the files in /var/ace:
Change the group of sdstatus.1 and securid to the group the web server runs as (for example, apache):
cd /var/ace
chgrp apache sdstatus.1
chgrp apache securid
chmod 664 sdstatus.1
chmod 440 securid
This is required so that the PHP process (running as the web server user) can read the securid file and update sdstatus.1; the default permissions only allow root to do this. Do not go further than this: securid holds the agent's node secret, so it must stay unreadable by other users on the host (mode 440 with the web server group, never 644). If PHP runs under a different user than Apache (for example a php-fpm pool), use that user's group instead of apache.
Step 5:
Create a PAM service configuration file. The PAM extension uses the service name "php" unless a different pam.servicename is specified in php.ini, so the file must be named to match.
As an example, on RHEL 6, you could create this as /etc/pam.d/php with the following entries:
auth required pam_securid.so debug
account required pam_permit.so
Note: debug is optional; it gives you potentially useful logging (via syslog) while you are fine-tuning your authentication. Once you have a working configuration, remove it so passcode attempts are not logged more verbosely than necessary.
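Before wiring up a login page, it helps to confirm that steps 1 through 5 actually took effect for the user PHP runs as. The following preflight script is an added example, not part of the original tutorial or the RSA agent; it assumes PHP 7.1 or later, the PECL pam extension from step 1, the RHEL 6 default paths (/var/ace, /etc/pam.d) used above, and the pam.servicename ini setting that the extension exposes. Run it as the web server user, e.g. `sudo -u apache php rsa_preflight.php`, because the permission checks are only meaningful under that uid.

```php
<?php
// Added diagnostic (not from the original tutorial): verifies that the PAM
// extension, the PAM service file and the /var/ace permissions from steps
// 1-5 are in place for the user this script runs as. Paths are the RHEL 6
// defaults used in the tutorial; adjust them if your layout differs.

function rsa_preflight(string $aceDir = '/var/ace', string $pamDir = '/etc/pam.d'): array
{
    $problems = [];
    $who = function_exists('posix_geteuid') ? 'uid ' . posix_geteuid() : 'the current user';

    // Step 1: extension=pam.so must be loaded into this SAPI and expose pam_auth().
    if (!extension_loaded('pam') || !function_exists('pam_auth')) {
        $problems[] = 'PECL pam extension is not loaded (check extension=pam.so in php.ini)';
    }

    // Step 5: the service name defaults to "php" unless pam.servicename overrides it,
    // and a file of that name must exist under /etc/pam.d.
    $service = ini_get('pam.servicename') ?: 'php';
    if (!is_file("$pamDir/$service")) {
        $problems[] = "PAM service file $pamDir/$service does not exist";
    }

    // Steps 3 and 4: acetest must have created the files, and the web server user
    // must be able to read the node secret and update the status file.
    $secret = "$aceDir/securid";
    $status = "$aceDir/sdstatus.1";
    if (!file_exists($secret) || !file_exists($status)) {
        $problems[] = "$secret and/or $status missing; run acetest (step 3) first";
    } else {
        if (!is_readable($secret)) {
            $problems[] = "$secret is not readable by $who (chgrp to the web server group, chmod 440)";
        } elseif (fileperms($secret) & 0007) {
            // Never world-accessible: this file is the agent's node secret.
            $problems[] = "$secret is world-accessible; expected mode 440";
        }
        if (!is_writable($status)) {
            $problems[] = "$status is not writable by $who (chgrp to the web server group, chmod 664)";
        }
    }

    return $problems;
}

$problems = rsa_preflight();
if ($problems) {
    foreach ($problems as $p) {
        fwrite(STDERR, "FAIL: $p\n");
    }
    exit(1);
}
echo "OK: pam extension loaded, PAM service file present, /var/ace permissions look right\n";
```

A clean run exits 0; any FAIL line points at the step to revisit. It deliberately does not attempt a real pam_auth() call, since that would consume a one-time tokencode; use the test page in step 6 for that.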
Step 6:
Create an rsa_auth.php test page to verify that your PHP/PAM/RSA configuration is working:
<html>
<head><title>RSA Test Page!</title></head>
<body>
<?php
$message = "";
$err = "";
if (isset($_POST['username']) && isset($_POST['passcode'])) {
    // Fourth argument false: run only the "auth" stack of /etc/pam.d/php and skip "account".
    // $err receives PAM's failure text when the call returns false.
    if (pam_auth($_POST['username'], $_POST['passcode'], $err, false) === true) {
        $message = "Authentication was successful";
    } else {
        $message = "Authentication failed - $err";
    }
}
?>
<!-- Escape the message before output: $err comes from PAM, not the browser, but treat it as untrusted anyway -->
<font color="red"><?php echo htmlspecialchars($message); ?></font><br>
<!-- action="" posts back to this URL; echoing $_SERVER['PHP_SELF'] unescaped is a well-known XSS vector -->
<form method="POST" action="">
username: <input type="text" name="username" /><br>
passcode: <input type="password" name="passcode" />
<input type="submit" />
</form>
</body>
</html>
Step 7:
Restart Apache and try it out!
The page above is only a test harness. Before using this in a real application, add proper input validation and output escaping, return a generic failure message to the browser rather than PAM's error text, and protect the form against cross-site request forgery, so that the login page itself does not become the weakest part of your two-factor setup.
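As a worked illustration of what that hardening looks like, here is a hardened variant of the test page. It is an added example, not code from the original tutorial or from RSA; it assumes PHP 7.1 or later (random_bytes, scalar type hints), the pam_auth() function from the PECL extension in step 1, and the /etc/pam.d/php service from step 5. The two regular expressions are assumptions about your naming and PIN policy and should be adjusted to match them.

```php
<?php
// Added example (not from the original tutorial): rsa_login.php, a hardened
// version of the step 6 test page. Assumes the PECL pam extension provides
// pam_auth() and that /etc/pam.d/php exists as configured in step 5.
session_start();

// Allowlists for the two form fields; tighten to your environment.
// PASSCODE = PIN + tokencode; use \d if your PINs are numeric only.
const USERNAME_RE = '/\A[A-Za-z0-9._-]{1,64}\z/';
const PASSCODE_RE = '/\A[A-Za-z0-9]{4,32}\z/';

// Validate submitted credentials before they reach PAM.
// Returns [username, passcode] or null when either field is malformed.
function validate_login(array $post): ?array
{
    $user = $post['username'] ?? null;
    $pass = $post['passcode'] ?? null;
    if (!is_string($user) || !is_string($pass)) {
        return null; // arrays or missing fields are rejected outright
    }
    if (!preg_match(USERNAME_RE, $user) || !preg_match(PASSCODE_RE, $pass)) {
        return null;
    }
    return [$user, $pass];
}

// Per-session CSRF token so a third-party page cannot submit a passcode on the user's behalf.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $creds = validate_login($_POST);
    if (!hash_equals(csrf_token(), (string) ($_POST['csrf'] ?? ''))) {
        $message = 'Invalid request.';
    } elseif ($creds === null) {
        // Same generic message as a bad passcode: do not reveal which check failed.
        $message = 'Authentication failed.';
    } else {
        [$user, $pass] = $creds;
        $err = '';
        // checkacctmgmt=true also runs the "account" stack (pam_permit.so in step 5).
        if (pam_auth($user, $pass, $err, true) === true) {
            session_regenerate_id(true);       // new session id after the privilege change
            $_SESSION['user'] = $user;
            $message = 'Authentication succeeded.';
        } else {
            // PAM's own error text goes to the server log, never to the browser.
            error_log("RSA auth failed for '$user': $err");
            $message = 'Authentication failed.';
        }
    }
}
?>
<html>
<head><title>RSA Login</title></head>
<body>
<p style="color:red"><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></p>
<form method="POST" action="">
  <input type="hidden" name="csrf" value="<?php echo htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8'); ?>">
  username: <input type="text" name="username" maxlength="64" autocomplete="username"><br>
  passcode: <input type="password" name="passcode" maxlength="32" autocomplete="one-time-code">
  <input type="submit" value="Log in">
</form>
</body>
</html>
```

The design choices worth keeping even if you restructure the page: the allowlist regexes reject anything that is not plausibly a SecurID username or passcode before PAM sees it; the user-facing error is identical for malformed input and a rejected passcode so the page does not leak which users exist; PAM's diagnostic text is logged server-side only; and the session id is regenerated on success so a session fixated before login does not survive it. Serve the page over HTTPS only, and consider throttling repeated failures per source address so a remote attacker cannot burn through passcode guesses faster than the RSA lockout policy intends.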