How to enable RSA SecurID authentication with TigerVNC


senm...@gmail.com

Sep 2, 2015, 4:37:46 PM
to TigerVNC User Discussion/Support
Hi,

In our company we have a requirement that individual users must log in using the RSA SecurID authentication. We are trying to use TigerVNC and would like some help with respect to the authentication configuration.

Thanks
Sen

Peter Astrand

Sep 4, 2015, 6:58:52 AM
to senm...@gmail.com, TigerVNC User Discussion/Support
It all depends on the details... Which platform of server and client? Do
you want to login using only the SecurID OTP, or do you want to
require a normal password before or after the SecurID OTP?

(Our ThinLinc product, which uses TigerVNC, works with RSA SecurID, see
https://www.cendio.com/resources/docs/tag/otp_authentication.html)


Br,
---
Peter Astrand ThinLinc Chief Developer
Cendio AB https://cendio.com
Teknikringen 8 https://twitter.com/ThinLinc
583 30 Linkoping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://google.com/+CendioThinLinc

Sen

Sep 4, 2015, 9:09:29 AM
to TigerVNC User Discussion/Support
Thanks for the response. VNC Server will be running on RHEL and clients will be running on Windows 7. Our individual IDs have been already configured by our InfoSec team to use RSA login. All we are trying to do is eliminate the VNC authentication and use the OS authentication instead. Also we were looking for a workaround/solution within TigerVNC itself not adding any third party product. Please let me know.

Pierre Ossman

Sep 4, 2015, 9:15:07 AM
to senm...@gmail.com, TigerVNC User Discussion/Support
Probably not. TigerVNC supports PAM authentication, but only using a
single username/password pair. It will not work if you need multiple
prompts, e.g. first a password and then the SecurID OTP.

If it is just a single prompt then enable "Plain" authentication in
TigerVNC. It's enabled by default on the client, but the server
generally needs these arguments:

-SecurityTypes=TLSPlain -PlainUsers=* -PAMService=login

"login" should be the PAM service you have configured for this purpose.


If you need multiple prompts then I'm afraid you need something else
handling the authentication. Like our ThinLinc that Peter mentioned, or
some other tunneling (e.g. SSH).

Rgds
--
Pierre Ossman Software Development
583 30 Linköping https://facebook.com/ThinLinc
Phone: +46-13-214600 https://plus.google.com/+CendioThinLinc

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

senm...@gmail.com

Sep 9, 2015, 11:28:56 AM
to TigerVNC User Discussion/Support, senm...@gmail.com
On Friday, September 4, 2015 at 8:15:07 AM UTC-5, Pierre Ossman wrote:
> On Wed, 2 Sep 2015 13:37:46 -0700 (PDT)
>
Thanks much. We only need SecurID authentication, we will try your suggestion. Thanks again for your help.

senm...@gmail.com

Sep 9, 2015, 2:45:34 PM
to TigerVNC User Discussion/Support, senm...@gmail.com
We did try the suggestion and got the following error

"Fatal server error:
(EE) Unrecognized option: -PAMService"

The version we are using is "Xvnc TigerVNC 1.1.0", perhaps PAMService is a new feature in a later release?

Please let us know. Thanks again for your help.

Pierre Ossman

Sep 10, 2015, 3:14:12 AM
to senm...@gmail.com, TigerVNC User Discussion/Support
On Wed, 9 Sep 2015 11:45:34 -0700 (PDT)
senm...@gmail.com wrote:

>
> We did try the suggestion and got the following error
>
> "Fatal server error:
> (EE) Unrecognized option: -PAMService"
>
> The version we are using is "Xvnc TigerVNC 1.1.0", perhaps PAMService
> is a new feature in a later release?
>
> Please let us know. Thanks again for your help.
>

Ah, right. The parameter was called "pam_service" in those older
versions.

senm...@gmail.com

Sep 10, 2015, 10:07:55 AM
to TigerVNC User Discussion/Support, senm...@gmail.com
On Thursday, September 10, 2015 at 2:14:12 AM UTC-5, Pierre Ossman wrote:
> On Wed, 9 Sep 2015 11:45:34 -0700 (PDT)
>
> >
Thanks again Pierre for your suggestion. Same error message, in fact I searched through all the parameter names and nothing has PAM keyword in it.

Unrecognized option: -pam_service
(EE) Unrecognized option: -pam_service

Pierre Ossman

Sep 11, 2015, 9:58:41 AM
to senm...@gmail.com, TigerVNC User Discussion/Support
On Thu, 10 Sep 2015 07:07:55 -0700 (PDT)
senm...@gmail.com wrote:

>
> Thanks again Pierre for your suggestion. Same error message, in fact
> I searched through all the parameter names and nothing has PAM
> keyword in it.
>

Strange. It was one of the new features in 1.1.0. It may be that your
particular build was built without PAM support.

In that case you'll have to use something newer. Try the latest release
from our web page.

senm...@gmail.com

Sep 14, 2015, 3:41:32 PM
to TigerVNC User Discussion/Support, senm...@gmail.com
On Friday, September 11, 2015 at 8:58:41 AM UTC-5, Pierre Ossman wrote:
> On Thu, 10 Sep 2015 07:07:55 -0700 (PDT)
>
> >
Thanks much, it works with the latest version 1.5.

senm...@gmail.com

Sep 17, 2015, 2:31:03 PM
to TigerVNC User Discussion/Support, senm...@gmail.com
Even though we were able to start the server using the pam service (sshd in our case with securid enabled), the client connections are failing with invalid username/password.

Thu Sep 17 13:27:26 2015
Connections: accepted: 170.137.77.107::63915
SConnection: Client needs protocol version 3.8
SConnection: Client requests security type VeNCrypt(19)
SVeNCrypt: Client requests security type TLSPlain (259)

Thu Sep 17 13:28:09 2015
SConnection: AuthFailureException: invalid password or username
Connections: closed: 170.137.77.107::63915 (invalid password or username)
EncodeManager: Framebuffer updates: 0
EncodeManager: Total: 0 rects, 0 pixels
EncodeManager: 0 B (1:-nan ratio)

Any suggestions for troubleshooting this issue further? Appreciate your help.

Pierre Ossman

Sep 18, 2015, 3:29:47 AM
to senm...@gmail.com, TigerVNC User Discussion/Support
On Thu, 17 Sep 2015 11:31:03 -0700 (PDT)
senm...@gmail.com wrote:

>
> Even though we were able to start the server using the pam service
> (sshd in our case with securid enabled), the client connections are
> failing with invalid username/password.
>
> Any suggestions for troubleshooting this issue further? Appreciate
> your help.
>

I'm afraid there's no more logging to enable in Xvnc. What do the
system logs say? How is PAM configured for Xvnc?

Rgds
--
Pierre Ossman Software Development
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/+CendioThinLinc
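
Added example (not part of the thread and not TigerVNC code): a Python triage of Xvnc logs in the format posted above, pairing each accepted connection with its close reason and counting credential failures per source host. The sample log is constructed with documentation-range addresses, and security-type lines are assumed to belong to the most recently accepted connection, since Xvnc does not tag them with a peer.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the Xvnc log quoted in the thread;
# 192.0.2.x / 198.51.100.x are documentation addresses, not real clients.
SAMPLE_LOG = """\
Thu Sep 17 13:27:26 2015
Connections: accepted: 192.0.2.10::63915
SConnection: Client requests security type VeNCrypt(19)
SVeNCrypt: Client requests security type TLSPlain (259)
Thu Sep 17 13:28:09 2015
SConnection: AuthFailureException: invalid password or username
Connections: closed: 192.0.2.10::63915 (invalid password or username)
Thu Sep 17 13:30:02 2015
Connections: accepted: 198.51.100.7::50122
Thu Sep 17 13:31:00 2015
Connections: closed: 198.51.100.7::50122 (Clean disconnection)
"""

STAMP = "%a %b %d %H:%M:%S %Y"
EVENT = re.compile(r"Connections:\s+(accepted|closed):\s+(\S+)::(\d+)(?:\s+\((.*)\))?")
SECTYPE = re.compile(r"Client requests security type\s+(\w+)")

def parse_sessions(text):
    """Pair each 'accepted' line with its 'closed' line, keyed by host::port."""
    now, pending, done, last = None, {}, [], None
    for line in map(str.strip, text.splitlines()):
        if (m := EVENT.search(line)):
            kind, host, port, reason = m.groups()
            if kind == "accepted":
                last = pending[(host, port)] = {"host": host, "opened": now, "sectype": None}
            elif (host, port) in pending:
                s = pending.pop((host, port))
                took = (now - s["opened"]).total_seconds() if s["opened"] else None
                done.append({**s, "reason": reason, "seconds": took})
        elif (m := SECTYPE.search(line)) and last:
            last["sectype"] = m.group(1)  # last request wins: TLSPlain over VeNCrypt
        elif line:
            try:
                now = datetime.strptime(line, STAMP)  # Xvnc stamps a block of lines
            except ValueError:
                pass  # some other log line, e.g. the AuthFailureException message
    return done

def auth_failures_by_host(sessions):
    """Count sessions closed for bad credentials, per source host."""
    bad = "invalid password or username"
    return Counter(s["host"] for s in sessions if bad in (s["reason"] or ""))
```

The Xvnc log only records that the credentials were rejected; which PAM module rejected them is in the system's own authentication log, which is what the last reply asks for.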