SSH Adaptive Two Factor Authentication is provided via Spriv-PAM-MASTER, a Pluggable Authentication Modules (PAM) the PAM is a secure method for protecting Unix and Linux logins
SSH Adaptive Two Factor Authentication Install:
- Sign up for a company account by going to Getting Started.
- Please confirm that the user that you will be using for logon to the SSH server is created in Spriv’s end user list and that the user is successfully paired with a mobile phone. For more details see:
- Download the latest version of SPRIV-PAM-MASTER from github.
- Copy the file to your Linux server. If using Putty you can use the following command:
C:\Users\david>pscp.exe Spriv-PAM-master.zip email@example.com:/home/davidpino/Spriv-Pam-master.zip
- Unzip the build with the owner privilege (root or non root) user credential. DO NOT USE sudo!
- Add execute permission to build_system.sh and configure
chmod +x build_system.sh
- Execute build_system.sh
- Execute configure
- Start compiling
sudo make install
- For your information: you can check the install log
sudo cat config.log
- Edit pam.conf and add your company Key and secret. You can copy your Secret and Key from https://app.spriv.com by navigating to “Service Account”
sudo vi /etc/spriv/pam.conf
- Edit sshd_config and make sure that your sshd_config is configured as the file below:
sudo vi /etc/ssh/sshd_config UsePAM yes ChallengeResponseAuthentication yes UseDNS no PubkeyAuthentication yes PasswordAuthentication no
- For Fedora23, CentOS7 and CentOS6 (Scroll down for Ubuntu15): Please edit sshd and make sure that your sshd file is configured as the file below
sudo vi /etc/pam.d/sshd auth required pam_sepermit.so auth substack password-auth auth required pam_env.so auth sufficient pam_spriv.so auth required pam_deny.so auth include postlogin
Ubuntu15: sudo vi /etc/pam.d/sshd #@include common-auth auth requisite pam_unix.so nullok_secure auth [success=1 default=ignore] /lib64/security/pam_spriv.so auth requisite pam_deny.so auth required pam_permit.so auth optional pam_cap.so
- Execute as root: setsebool -P authlogin_yubikey 1
- Important!!! In order to avoid a scenario where you lock yourself out, leave a session open and test access to the server from another session.
- Restart SSHD service:
Fedora23 + CentOS7: sudo systemctl restart sshd.service CentOS6: sudo service sshd restart Ubuntu15: sudo service ssh restart sudo service sshd restart