Unix/Linux PAM Adaptive Two Factor Authentication

Overview

Spriv is the only company to successfully build Unix/Linux PAM Adaptive Two Factor Authentication. Spriv’s Pluggable Authentication Modules (PAM) allows automated Continuous Two Factor Authentication in Linux and without requesting repeated user interaction with his mobile phone.

The two min video below, demonstrate the user’s experience while authenticating via Spriv’s two factor authentication to SSH, SU, SUDO, SU. As you can see, A Linux protected by Spriv’s PAM requires only one interaction with the mobile phone, while the following transactions are authenticated automatically in the background via strong and fast Two Factor Authentication and without user’s interaction.

PAM Adaptive Two Factor Authentication Install:

1. 1. Sign up for a company account by going to Getting Started.
   2. Please confirm that the user that you will be using for logon to the SSH server is created in Spriv’s end user list and that the user is successfully paired with a mobile phone. For more details see:
      • Add a user
      • Pair a user
   3. Request “Linux Adaptive PAM/SSH zip” file via Spriv’s Contact us page.
   4. Copy the file to your Linux server. If using Putty you can use the following command:

      C:\Users\david>pscp.exe Spriv-PAM-master.zip
      davidpino@192.169.137.155:/home/davidpino/Spriv-Pam-master.zip

   5. Unzip the build with the owner privilege (root or non root) user credential. DO NOT USE sudo!

      unzip Spriv-Pam-master.zip

   6. Add execute permission to build_system.sh and configure

      chmod +x build_system.sh

   7. Execute build_system.sh

      ./build_system.sh

   8. Execute configure

      ./configure

   9. Start compiling

      make

   10. Install

       sudo make install

   11. For your information: you can check the install log

       sudo cat config.log

   12. Edit pam.conf and add your company Key and secret. You can copy your Secret and Key from https://app.spriv.com by navigating to “Service Account”

       sudo vi /etc/spriv/pam.conf

   13. Edit sshd_config and make sure that your sshd_config is configured as the file below:

       sudo vi /etc/ssh/sshd_config
       		UsePAM yes
       		ChallengeResponseAuthentication yes
       		UseDNS no
       		PubkeyAuthentication yes
       		PasswordAuthentication no

   14. For Fedora23, CentOS7 and CentOS6 (Scroll down for Ubuntu15): Please edit sshd and make sure that your sshd file is configured as the file below

       sudo vi /etc/pam.d/sshd
       				auth    required     pam_sepermit.so
       				auth    substack     password-auth
       				auth    required     pam_env.so
       				auth    sufficient    pam_spriv.so
       				auth    required     pam_deny.so
       				auth    include        postlogin
       

       Ubuntu15:			
       sudo vi /etc/pam.d/sshd
       				#@include common-auth
       				auth  requisite pam_unix.so nullok_secure
       				auth  [success=1 default=ignore] /lib64/security/pam_spriv.so
       				auth  requisite pam_deny.so
       				auth  required pam_permit.so
       				auth  optional pam_cap.so
       

   15. Execute as root: setsebool -P authlogin_yubikey 1
   16. Important!!! In order to avoid a scenario where you lock yourself out, leave a session open and test access to the server from another session.
   17. Restart SSHD service:

Fedora23 + CentOS7:    sudo systemctl restart sshd.service
CentOS6:                          sudo service sshd restart
Ubuntu15:                       sudo service ssh restart 
		                           sudo service sshd restart