Unix/Linux PAM Adaptive Two Factor Authentication

Overview

Spriv is the only company to successfully build Unix/Linux PAM Adaptive Two Factor Authentication. Spriv's Pluggable Authentication Module (PAM) provides automated, continuous two factor authentication on Linux without requiring the user to repeatedly interact with their mobile phone.

The two-minute video below demonstrates the user's experience while authenticating via Spriv's two factor authentication to SSH, SU and SUDO. As you can see, a Linux host protected by Spriv's PAM requires only one interaction with the mobile phone; the following transactions are authenticated automatically in the background via strong and fast two factor authentication, without user interaction.

PAM Adaptive Two Factor Authentication Install:

    1. Sign up for a company account by going to Getting Started.
    2. Confirm that the user you will use to log on to the SSH server exists in Spriv's end user list and is successfully paired with a mobile phone. For more details see:
    3. Request “Linux Adaptive PAM/SSH zip” file via Spriv’s Contact us page.
    4. Copy the file to your Linux server. If using PuTTY you can use pscp, for example:
      C:\Users\david>pscp.exe Spriv-PAM-master.zip davidpino@192.169.137.155:/home/davidpino/Spriv-Pam-master.zip
    5. Unzip the build as the user who will own the files (root or non-root). DO NOT USE sudo here, or the extracted tree will be owned by root:
      unzip Spriv-Pam-master.zip
    6. Add execute permission to build_system.sh and configure
      chmod +x build_system.sh configure
    7. Execute build_system.sh
      ./build_system.sh
    8. Execute configure
      ./configure
    9. Start compiling
      make
    10. Install
      sudo make install
    11. For your information: if configure or make fails, the configure log records the checks that ran
      sudo cat config.log
    12. Edit pam.conf and add your company Key and Secret. You can copy your Key and Secret from https://app.spriv.com by navigating to "Service Account"
      sudo vi /etc/spriv/pam.conf
    13. Edit sshd_config and make sure that the following directives are set as shown (sshd uses the first occurrence of a directive it finds, so check that no earlier line sets a different value):
      sudo vi /etc/ssh/sshd_config
      		UsePAM yes
      		ChallengeResponseAuthentication yes
      		UseDNS no
      		PubkeyAuthentication yes
      		PasswordAuthentication no
      Note: ChallengeResponseAuthentication is what lets sshd hand the login to the PAM auth stack (on OpenSSH 8.7 and later the directive is named KbdInteractiveAuthentication; the old name is still accepted as an alias). Also note that with PubkeyAuthentication yes, a client presenting a valid authorized key completes authentication without running the PAM auth stack, so pam_spriv.so is not consulted for that login. If you want the second factor enforced on top of keys as well, OpenSSH's AuthenticationMethods directive (for example "AuthenticationMethods publickey,keyboard-interactive") makes both required; this is an OpenSSH option, not part of Spriv's instructions.
    14. For Fedora23, CentOS7 and CentOS6 (scroll down for Ubuntu15): edit the PAM service file for sshd and make sure its auth section matches the file below
      sudo vi /etc/pam.d/sshd
      				auth    required     pam_sepermit.so
      				auth    substack     password-auth
      				auth    required     pam_env.so
      				auth    sufficient    pam_spriv.so
      				auth    required     pam_deny.so
      				auth    include        postlogin
      
      Ubuntu15:			
      sudo vi /etc/pam.d/sshd
      				#@include common-auth
      				auth  requisite pam_unix.so nullok_secure
      				auth  [success=1 default=ignore] /lib64/security/pam_spriv.so
      				auth  requisite pam_deny.so
      				auth  required pam_permit.so
      				auth  optional pam_cap.so
      
    15. On SELinux-enforcing systems (Fedora23, CentOS7, CentOS6), execute as root so that PAM auth modules are allowed to make network connections: setsebool -P authlogin_yubikey 1
    16. Important!!! To avoid locking yourself out, keep your current SSH session open and test access to the server from a second, new session before closing it.
    17. Restart the SSH daemon:
      Fedora23 + CentOS7:    sudo systemctl restart sshd.service
      CentOS6:               sudo service sshd restart
      Ubuntu15:              sudo service ssh restart
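Before restarting sshd in step 17, it is worth checking that steps 13 and 14 actually landed as intended. The script below is an added example written for this page, not Spriv's code: it reads an sshd_config and a /etc/pam.d/sshd file (paths given as arguments, so it can be pointed at staged copies) and checks the directives from step 13, the ordering of pam_spriv.so relative to pam_deny.so from step 14, and whether public-key logins would skip the PAM stack. The only assumption is that the module line contains the name pam_spriv.so, as in the stacks above.

```shell
#!/bin/sh
# Added example (not Spriv's code): read-only pre-flight check of the
# sshd_config and PAM service file edited in steps 13 and 14.
# Usage: ./preflight.sh /etc/ssh/sshd_config /etc/pam.d/sshd

# check_sshd_config FILE: verify each step-13 directive. sshd honours the
# FIRST uncommented occurrence of a keyword, so that is what we compare.
check_sshd_config() {
    file="$1"
    rc=0
    for pair in "UsePAM yes" "ChallengeResponseAuthentication yes" \
                "UseDNS no" "PubkeyAuthentication yes" \
                "PasswordAuthentication no"; do
        key=${pair%% *}
        want=${pair#* }
        got=$(awk -v k="$key" 'tolower($1)==tolower(k){print tolower($2); exit}' "$file")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# check_pubkey_bypass FILE: warn if a valid authorized key alone would
# finish authentication without the PAM auth stack (and so without
# pam_spriv.so). Returns 1 when that bypass is possible.
check_pubkey_bypass() {
    file="$1"
    pub=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$file")
    if [ "$pub" = "no" ]; then
        return 0
    fi
    methods=$(awk 'tolower($1)=="authenticationmethods"{for(i=2;i<=NF;i++)print tolower($i); exit}' "$file")
    if [ -z "$methods" ]; then
        echo "warning: PubkeyAuthentication yes without AuthenticationMethods: a valid key logs in without pam_spriv.so" >&2
        return 1
    fi
    for alt in $methods; do   # each alternative must include the PAM path
        case "$alt" in
            *keyboard-interactive*) ;;
            *) echo "warning: AuthenticationMethods alternative '$alt' skips keyboard-interactive" >&2
               return 1 ;;
        esac
    done
    return 0
}

# check_pam_stack FILE: pam_spriv.so must be on an auth line and must come
# before pam_deny.so, otherwise every login is denied before Spriv runs.
check_pam_stack() {
    file="$1"
    spriv=$(awk '$1=="auth" && $0 ~ /pam_spriv\.so/ {print NR; exit}' "$file")
    deny=$(awk '$1=="auth" && $0 ~ /pam_deny\.so/ {print NR; exit}' "$file")
    if [ -z "$spriv" ]; then
        echo "pam.d/sshd: no auth line loads pam_spriv.so" >&2
        return 1
    fi
    if [ -n "$deny" ] && [ "$deny" -lt "$spriv" ]; then
        echo "pam.d/sshd: pam_deny.so (line $deny) precedes pam_spriv.so (line $spriv)" >&2
        return 1
    fi
    return 0
}

# preflight SSHD_CONFIG PAM_FILE: fail on the required checks, warn on the
# key-bypass check (the stacks on this page allow keys without a 2nd factor).
preflight() {
    rc=0
    check_sshd_config "$1" || rc=1
    check_pam_stack "$2" || rc=1
    check_pubkey_bypass "$1" || true
    return $rc
}

if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" && echo "pre-flight OK: safe to restart sshd (keep a session open)"
fi
```

Run it on the live files as root before step 17; a non-zero exit means fix the file first, and the bypass warning is informational unless you decided to enforce the second factor on key logins as well.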