Unix PAM Adaptive Two Factor Authentication

Overview

SSH Adaptive Two Factor Authentication is provided via Spriv-PAM-MASTER, a Pluggable Authentication Module (PAM). PAM is a secure method for protecting Unix and Linux logins.

SSH Adaptive Two Factor Authentication Install:

  1. Sign up for a company account by going to Getting Started.
  2. Confirm that the user you will use to log on to the SSH server exists in Spriv’s end user list and is successfully paired with a mobile phone. For more details see:
  3. Download the latest version of SPRIV-PAM-MASTER from GitHub.
  4. Copy the file to your Linux server. If using PuTTY, you can use the following command:
    C:\Users\david>pscp.exe Spriv-PAM-master.zip davidpino@192.169.137.155:/home/davidpino/Spriv-Pam-master.zip
  5. Unzip the build as the user who will own the files (root or non-root). DO NOT USE sudo!
    unzip Spriv-Pam-master.zip
  6. Add execute permission to build_system.sh and configure
    chmod +x build_system.sh
    chmod +x configure
  7. Execute build_system.sh
    ./build_system.sh
  8. Execute configure
    ./configure
  9. Start compiling
    make
  10. Install
    sudo make install
  11. For your information: you can check the install log
    sudo cat config.log
  12. Edit pam.conf and add your company Key and Secret. You can copy your Secret and Key from m.spriv.com by navigating to “Support” > “Codes”.
    sudo vi /etc/spriv/pam.conf
  13. Edit sshd_config and make sure that it is configured as shown below:
    sudo vi /etc/ssh/sshd_config
        UsePAM yes
        ChallengeResponseAuthentication yes
        UseDNS no
        PubkeyAuthentication yes
        PasswordAuthentication no
  14. For Fedora23, CentOS7 and CentOS6 (scroll down for Ubuntu15): edit the sshd PAM file and make sure that it is configured as shown below:
    sudo vi /etc/pam.d/sshd
        auth    required      pam_sepermit.so
        auth    substack      password-auth
        auth    required      pam_env.so
        auth    sufficient    pam_spriv.so
        auth    required      pam_deny.so
        auth    include       postlogin

    Ubuntu15:
    sudo vi /etc/pam.d/sshd
        #@include common-auth
        auth  requisite pam_unix.so nullok_secure
        auth  [success=1 default=ignore] /lib64/security/pam_spriv.so
        auth  requisite pam_deny.so
        auth  required pam_permit.so
        auth  optional pam_cap.so
  15. Restart SSHD service:
    Fedora23 + CentOS7:  sudo systemctl restart sshd.service
    CentOS6:             sudo service sshd restart
    Ubuntu15:            sudo service ssh restart
                         sudo service sshd restart
  16. Important!!! In order to avoid a scenario where you lock yourself out, leave a session open and test access to the server from another session.
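
Before the restart in step 15, the settings from steps 13 and 14 can be checked mechanically. The script below is an added example, not part of Spriv-PAM-master; the function names and the sample file are constructed for illustration. It accounts for sshd using the first occurrence of a keyword, so step-13 lines appended below an existing conflicting line do not take effect.

```sh
#!/bin/sh
# Added example: pre-restart check for steps 13-14 (not part of Spriv-PAM-master).

# Print the effective global value of one sshd_config keyword. sshd keeps the
# FIRST occurrence of a keyword, keywords are case-insensitive, "=" may separate
# keyword and value, and lines after the first Match line are conditional.
sshd_value() {  # usage: sshd_value <file> <keyword>
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ || NF == 0  { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# Compare the five directives from step 13; one line is printed per mismatch.
check_sshd() {  # usage: check_sshd <sshd_config>; returns 0 when all match
    rc=0
    for pair in usepam=yes challengeresponseauthentication=yes usedns=no \
                pubkeyauthentication=yes passwordauthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] ||
            { echo "sshd: $key is '${got:-unset}', guide expects '$want'"; rc=1; }
    done
    return "$rc"
}

# Succeed only when an active (uncommented) auth line loads pam_spriv.so.
check_pam() {  # usage: check_pam <pam.d/sshd file>
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_spriv\.so' "$1" ||
        { echo "pam: no active auth line for pam_spriv.so"; return 1; }
}

# Constructed sample: the step-13 lines were appended to a file that already
# had PasswordAuthentication yes near the top, so the earlier line wins.
demo_sample() {
    printf '%s\n' '# constructed sshd_config' 'PasswordAuthentication yes' \
        'UsePAM yes' 'ChallengeResponseAuthentication yes' 'UseDNS no' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no'
}

if [ $# -eq 2 ]; then   # e.g. sudo sh check.sh /etc/ssh/sshd_config /etc/pam.d/sshd
    check_sshd "$1" || true; check_pam "$2" || true
else                    # no arguments: run against the constructed sample
    tmp=$(mktemp); demo_sample > "$tmp"; check_sshd "$tmp" || true; rm -f "$tmp"
fi
```

The script checks only the directives listed in step 13. With PubkeyAuthentication yes and no AuthenticationMethods line, OpenSSH completes a public-key login without running the PAM auth stack, so note which login method the test session in step 16 actually used.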