Unix Pam Adaptive Two Factor Authentication


SSH Adaptive Two Factor Authentication is provided via Spriv-PAM-MASTER, a Pluggable Authentication Modules (PAM) module. PAM is a secure method for protecting Unix and Linux logins.

SSH Adaptive Two Factor Authentication Install:

    1. Sign up for a company account by going to Getting Started.
    2. Please confirm that the user you will use to log on to the SSH server exists in Spriv’s end-user list and is successfully paired with a mobile phone. For more details see:
    3. Request “Linux Adaptive PAM/SSH zip” file via Spriv’s Contact us page.
    4. Copy the file to your Linux server. If using PuTTY you can use the following command:
      C:\Users\david>pscp.exe Spriv-PAM-master.zip
    5. Unzip the build as the owning user (root or non-root) with that user's own credentials. DO NOT USE sudo!
      unzip Spriv-Pam-master.zip
    6. Add execute permission to build_system.sh and configure
      chmod +x build_system.sh configure
    7. Execute build_system.sh
      ./build_system.sh
    8. Execute configure
      ./configure
    9. Start compiling
      make
      sudo make install
    11. For your information: you can check the install log
      sudo cat config.log
    12. Edit pam.conf and add your company Key and Secret. You can copy your Secret and Key from https://app.spriv.com by navigating to “Service Account”
      sudo vi /etc/spriv/pam.conf
    13. Edit sshd_config and make sure it contains the settings below:
      sudo vi /etc/ssh/sshd_config
        UsePAM yes
        ChallengeResponseAuthentication yes
        UseDNS no
        PubkeyAuthentication yes
        PasswordAuthentication no
    14. For Fedora23, CentOS7 and CentOS6 (scroll down for Ubuntu15): edit the sshd PAM file and make sure it is configured as below
      sudo vi /etc/pam.d/sshd
        auth    required      pam_sepermit.so
        auth    substack      password-auth
        auth    required      pam_env.so
        auth    sufficient    pam_spriv.so
        auth    required      pam_deny.so
        auth    include       postlogin

      For Ubuntu15: edit the sshd PAM file and make sure it is configured as below
      sudo vi /etc/pam.d/sshd
        #@include common-auth
        auth  requisite pam_unix.so nullok_secure
        auth  [success=1 default=ignore] /lib64/security/pam_spriv.so
        auth  requisite pam_deny.so
        auth  required pam_permit.so
        auth  optional pam_cap.so
    15. Execute as root: setsebool -P authlogin_yubikey 1
    16. Important!!! To avoid locking yourself out, leave a session open and test access to the server from another session.
    17. Restart the SSHD service:
      Fedora23 + CentOS7:  sudo systemctl restart sshd.service
      CentOS6:             sudo service sshd restart
      Ubuntu15:            sudo service ssh restart
                           sudo service sshd restart
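Before restarting sshd in step 17, it is worth confirming that the edits from steps 13 and 14 actually took effect, since a wrong sshd_config or PAM stack is exactly how the lockout in step 16 happens. The script below is an added example and not part of Spriv's package; it takes the two file paths as arguments and checks them against the values listed in step 13 (sshd honours the first uncommented occurrence of a directive, so that is the one it reads).

```shell
#!/bin/sh
# Added example (not Spriv's code): verify the sshd_config directives from
# step 13 and the pam_spriv.so auth line from step 14 before restarting sshd.
# Usage: ./check_spriv_ssh.sh /etc/ssh/sshd_config /etc/pam.d/sshd

# Required directive=value pairs, exactly as listed in step 13.
REQUIRED_SSHD="UsePAM=yes
ChallengeResponseAuthentication=yes
UseDNS=no
PubkeyAuthentication=yes
PasswordAuthentication=no"

# Print the effective value of one directive. sshd keywords are
# case-insensitive and the first uncommented occurrence wins, so we
# compare lower-cased and stop at the first match.
sshd_effective() {
    # $1 = sshd_config path, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Report every missing or mismatched directive on stdout.
# Returns 0 only when all five directives carry the required value.
check_sshd_config() {
    cfg="$1"; rc=0
    for pair in $REQUIRED_SSHD; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_effective "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key is $have (want $want)"; rc=1
        fi
    done
    return $rc
}

# Succeed only if an uncommented "auth ... pam_spriv.so" line is present
# in the PAM stack file (commented-out lines do not count).
check_pam_stack() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_spriv\.so' "$1"
}

# When run with both paths, print OK only if every check passes.
if [ $# -eq 2 ]; then
    check_sshd_config "$1" && check_pam_stack "$2" && echo "OK: safe to restart sshd"
fi
```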

