---
title: Configuring ForceCommand
description: Configure the PingID SSH installation to enable it to work with ForceCommand.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_forcecommand
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_forcecommand.html
revdate: January 28, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  mapping-usernames-with-forcecommand: Mapping usernames with ForceCommand
  steps-2: Steps
  example: Example:
---

# Configuring ForceCommand

Configure the PingID SSH installation to enable it to work with ForceCommand.

## About this task

|   |                                                                                                                                                                           |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server. |

|   |                                                                                                                                                                                                                                                                                                                  |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | **Limitation of ForceCommand:** When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP). The above limitation does not apply when authenticating using a mobile device (push). |

This procedure assumes that PingID was installed with `--prefix=/usr`.

## Steps

1. Add the lines for the option you need at the end of the SSH configuration file (for example, `/etc/ssh/sshd_config`).

   * Enable single user

     ```
     # enable pingid for testuser
     Match User testuser
     ForceCommand /usr/sbin/pingid_fc
     ```

   * Disable single user

     ```
     # disable pingid for testuser (enabled for everyone else)
     # sshd never matches a pattern list made only of negated entries,
     # so the negation is paired with the * wildcard
     Match User *,!testuser
     ForceCommand /usr/sbin/pingid_fc
     ```

   * Enable group

     ```
     # enable pingid for all users in testgroup
     Match Group testgroup
     ForceCommand /usr/sbin/pingid_fc
     ```

   * Disable group

     ```
     # disable pingid for all users in testgroup (enabled for everyone else)
     # the * wildcard is needed because a negation-only list never matches
     Match User * Group *,!testgroup
     ForceCommand /usr/sbin/pingid_fc
     ```

   * Enable all users

     ```
     # enable pingid for all users
     ForceCommand /usr/sbin/pingid_fc
     ```

   |   |                                                                                                                                                                          |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | Disable `PermitTunnel` and `AllowTcpForwarding` in the `sshd_config` file because tunneling and port forwarding are performed before PingID authentication is triggered. |

2. Restart the sshd service:

   `sudo service sshd restart`
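
As an added example (not part of the Ping Identity documentation or product), the following shell function checks the effective sshd settings this procedure relies on: that `ForceCommand` resolves to `/usr/sbin/pingid_fc` and that `PermitTunnel` and `AllowTcpForwarding` are off. It reads `sshd -T` output; the function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ping Identity code. Audits the effective sshd settings
# the steps above rely on. Feed it the output of, for example:
#   sudo sshd -T -C user=testuser,host=localhost,addr=127.0.0.1
# sshd -T prints one lowercase "keyword value" pair per line.

PINGID_FC="/usr/sbin/pingid_fc"   # path used on this page (--prefix=/usr)

# audit_sshd_effective (hypothetical name): reads sshd -T output on stdin,
# prints one FAIL line per finding, returns 0 only when there are none.
# A keyword missing from the input is reported as a finding.
audit_sshd_effective() {
    awk -v fc="$PINGID_FC" '
        function report(k, want) {
            printf "FAIL %s=%s (want %s)\n", k, (val[k] == "" ? "unset" : val[k]), want
            bad++
        }
        # Store each keyword with the rest of its line as the value.
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
        END {
            # MFA is only enforced if the forced command is the PingID wrapper.
            if (val["forcecommand"] != fc) report("forcecommand", fc)
            # Tunnels and forwards are set up before the forced command runs.
            if (val["permittunnel"] != "no") report("permittunnel", "no")
            if (val["allowtcpforwarding"] != "no") report("allowtcpforwarding", "no")
            exit (bad > 0)
        }'
}

# Constructed samples of sshd -T output, trimmed to the relevant keywords.
SAMPLE_OK='forcecommand /usr/sbin/pingid_fc
permittunnel no
allowtcpforwarding no'
SAMPLE_BAD='forcecommand none
permittunnel no
allowtcpforwarding yes'

printf '%s\n' "$SAMPLE_BAD" | audit_sshd_effective || echo "findings listed above"
```

Run it once for a user inside the `Match` block and once for a user outside it, so the per-user result of `ForceCommand` is checked rather than only the global default.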

## Mapping usernames with ForceCommand

Mapping usernames enables PingID SSH for users with specific public keys.

### Steps

* Use the `command` option in the `~/.ssh/authorized_keys` file.

  #### Example:

  ```
  command="/usr/sbin/pingid_fc -u john" ssh-rsa AAA..../KO== john@luni.com
  command="/usr/sbin/pingid_fc -u david" ssh-rsa BAB...JIL== david@luni.com
  ```

  |   |                                                                        |
  | - | ---------------------------------------------------------------------- |
  |   | This procedure assumes that PingID was installed with `--prefix=/usr`. |
