Getting RSA Authentication Manager 6.1 working on Debian/Ubuntu

Author: Jon Bright, jon@siliconcircus.com

Authentication Manager only supports SuSe 9.2 and Red Hat Enterprise/Advanced Server (as far as Linux goes).  
Both of these are now well out-of-date and no longer supported.  I wanted to get a 2-user trial pack up and running
for development of a PHP-based web app which will use SecurID tokens.  The best way to talk to Authentication
Manager with PHP seems to be via the RADIUS server, so I installed that too.

Only etch has the versions of the C/C++ libraries that Auth Manager needs, so inside some more up-to-date Debian/Ubuntu 
distro, we'll install an etch chroot for RSA Authentication Manager.

The guide assumes you have all of the CDs for a 2 user trial pack as well as at least one unexpired token together with
its seed.  Your friendly RSA representative will normally send you this stuff free of charge if you ask.

1. apt-get install fakeroot cdebootstrap
2. su - someuser
3. fakeroot cdebootstrap etch etch_bootstrap
4. Return to being root
5. chroot /home/someuser/etch_bootstrap
6. apt-get install rpm.  If it's a 64-bit box, also apt-get install ia32-libs
7. Add the following to /etc/services:
----------------------
# Local services
securid 5500/udp
securidprop_00 5505/tcp
securidprop_01 5506/tcp
securidprop_02 5507/tcp
securidprop_03 5508/tcp
securidprop_04 5509/tcp
securidprop_05 5510/tcp
securidprop_06 5511/tcp
securidprop_07 5512/tcp
securidprop_08 5513/tcp
securidprop_09 5514/tcp
securidprop_10 5515/tcp
sdlog 5520/tcp
sdserv 5530/tcp
sdreport 5540/tcp
sdadmind 5550/tcp
sdlockmgr 5560/tcp
sdcommd 5570/tcp
sdoad 5580/tcp
----------------------
8. Ensure that /etc/hosts (inside the chroot!) has a valid entry for the box
9. Copy the files from the aceserv/linux folder on the "RSA Authentication Manager 6.1" CD to somewhere in the chroot
10. Copy the License files (license.rec, sdti.cer, server.cer, server.key) to the root directory of the RSA installation stuff (same directory as copyright.txt, version.txt)
11. Edit 'sdsetup'.  Around line 258, change thus:
-------------
                              '9.2' ) VALID_OS=TRUE;;
                              * ) LINUX_VERS=`cat /etc/debian_version | awk -F / '{print $1}'`
                                  case "$LINUX_VERS" in
                                    'lenny' ) VALID_OS=TRUE;;
                                    'etch'  ) VALID_OS=TRUE;;
                                    '4.0'  ) VALID_OS=TRUE;;
                                  esac;;
-------------

Around line 311, same thing again.
Around line 342, replace
                UNCOMPRESS_EXEC="/usr/bin/uncompress"
with:
-------------
               if [ -x "/bin/uncompress" ]; then
                   UNCOMPRESS_EXEC="/bin/uncompress"
               else
                    UNCOMPRESS_EXEC="/usr/bin/uncompress"
                fi
-------------
12. Run 'sdsetup -primary'.  I answered the questions as follows:
	- No, I'm not in North/South America or China
	- Yes, I am in Europe
	- Yes, I find the license is possibly orgasmic
	- Which Administrator? -> root
	- Yes, really root
	- Installation directory /usr/local/RSAAuthMgr
	- Yes, really
13. cd /usr/local/RSAAuthMgr/ace
14. prog/sdconnect start
15. prog/aceserver start
16. Copy the file from the "SecurID Seeds" CD to /home/someuser/etch_bootstrap/tmp
17. prog/sdadmin
18. 'T', 'I' (for Token, Import)
19. Enter /tmp/tokenfile.xml as the file (in my case /tmp/F109931_94_TOKEN.XML).  "Token Import Completed" should be shown.  Press Enter.
20. 'U', 'E' (for User, Edit).  
	- <tab> to get to the [ ] next to "Default login"
	- <space> to set an X there
	- <tab>, 'root'
	- <tab> until you get to the 'X' next to Last Name
	- <space> to remove that X
	- <tab> until you get to OK
	- <space>
	- The Edit User "Window" should appear with details of root.
21. Tab through to "Assign Token", <space>, enter the Serial Number from the back of the token, <tab> until you get to OK, <space>
22. Back in the Edit User window, <tab> until you get to OK, <space>
23. Back in Select User, <tab> until Cancel, <space>
24. 'F', 'X' (for File, Exit)
25. Copy the licence files to some Windows machine.  You can skip from here to step 35 if you don't want the windows-based admin thing.
26. Copy /home/someuser/etch_bootstrap/usr/local/RSAAuthMgr/ace/sdconf.rec to the same file on the Windows machine as the licence files.
27. Put the "RSA Authentication Manager 6.1" CD in the Windows machine, go to folder aceserv\windows
28. Run setup.exe.  I answered the questions as follows:
	- English (if you're using English Windows, you may not get this question)
	- Europe
	- Licence super
	- Standard install dir
	- Remote Administration Client
	- Directory with licence files and sdconf.rec
	- ...wait...
	- Don't touch SERVICES or System time
29. Start/Program Files/RSA Security/RSA Authentication Manager Remote Mode
30. For me, it found Server Name automatically (I think this comes from sdconf.rec)
31. Login: root, PASSCODE: the 6-digit number from the token
32. "You must select a new PIN.." -> enter 'n' in the text field -> click OK
33. Enter a PIN, click OK.  Enter the PIN again, OK.  Wait for the next number from the token, enter it, click OK.
34. Login: root, PASSCODE: the PIN you just entered, then the 6-digit number from the token.
35. Back to the server.  Stop here if you don't want the RADIUS server.  Copy the RADIUS/linux folder from the "RSA RADIUS Server 6.1" CD (which also has "Quick-Admin") to somewhere in the chroot
36. Edit install_rsa.sh.  Change line 410 to:
	rpm --nodeps -i --prefix $install_prefix_dir $package_file
(otherwise rpm will complain that it's missing all sorts of glibc libs and so on, which are in fact there, but aren't in the RPM DB)
37. The behaviour of chmod changed since the <censored> thing was released.  So:
	- mv /bin/chmod /bin/real_chmod
	- cat >/bin/chmod <<EOF
#!/bin/bash
if [ \$1 == "-w" ]; then
    /bin/real_chmod -- "\$@"
else
    /bin/real_chmod "\$@"
fi
EOF
	- sh /bin/chmod 755 /bin/chmod
	- Now it has its expected chmod-Behaviour (which doesn't warn about its non-portable "chmod -w" call)
38. Red Hat has a chkconfig tool to manage init.d.  Debian doesn't.  So (remembering this is only the chroot we're screwing with):
	- cat >/sbin/chkconfig <<EOF
#!/bin/bash
if [ "\$1" == "--add" ]; then
    cp \$2 /etc/init.d
else
    echo "Wuh?: \$@"
fi
EOF
	- chmod 755 /sbin/chkconfig

39. ./install_rsa.sh.  I answered as follows:
	- /usr/local/RSARADIUS
	- Standard, 1813
	- PRIMARY
	- No to "migration"
	- Entered a secret.  This will be used for communication between this, the main RADIUS server and the backup RADIUS servers.
40. Optional, change chmod back:
	- mv /bin/chmod /bin/rsa_sucks_chmod
	- mv /bin/real_chmod /bin/chmod
41. /etc/init.d/sbrd start
42. Back to Windows, in the Admin-Thing, RADIUS -> Manage RADIUS Server
43. Select RADIUS Clients, click Add
44. Name, WHATEVER, Description www-Server, IP <IP, where the RADIUS connections will come from>, Shared secret -> some secret (different to before, will be used for comms between the www server and the RADIUS server), Make/model Standard radius
45. For the PHP side of things, the PHP Radius class at http://developer.sysco.ch/php/ seems to work fine for plain authentication.  For users whose tokens are in new-PIN mode, it doesn't yet work (I'll be looking at this and contributing back to the original author, so this may well have changed by the time you read this).