---
title: Configuring PAM
description: Configure the PingID SSH installation to enable it to work with PAM.
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_pam
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_pam.html
revdate: September 2, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Configuring PAM

Configure the PingID SSH installation to enable it to work with PAM.

## About this task

There are two main steps you must carry out to configure PAM for PingID:

* Edit the SSH configuration file `sshd_config` to set it up to use PAM.

* Edit the PAM configuration file to instruct PAM to use the PingID PAM module.

Do not enable PAM for SSHD while ForceCommand is being used. This will confuse the SSHD service and may cause authentication issues in SSHD-based utilities (for example, ssh, scp, or sftp).

While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

## Steps

1. Open the SSHD configuration file `/etc/ssh/sshd_config` in a text editor (requires superuser permissions).

2. Locate the `AuthenticationMethods` line in the file. Add `keyboard-interactive` as a method (if it is not already there), as this is required by PingID. This should be in addition to any other methods you have there. For example, if you use key-based authentication for standard SSH authentication, the `AuthenticationMethods` line should look like this: `AuthenticationMethods publickey,keyboard-interactive`

3. Since each authentication method listed must also be enabled explicitly, make sure that the `sshd_config` file also contains the line `KbdInteractiveAuthentication yes`.

4. Set the following parameters in the `sshd_config` file:

   1. `UsePAM yes`

   2. `ChallengeResponseAuthentication yes`

   3. `PasswordAuthentication no`

5. Open the PAM configuration file in a text editor (requires superuser permissions). This should be the PAM configuration file for the service that you want to protect with PingID. If you are protecting the ssh service, on most Linux installations the relevant configuration file is `/etc/pam.d/sshd`.

   Your `/etc/pam.d` directory may contain specific configuration files that are included in the configuration file for ssh, for example, `system-auth`, `common-auth` and `password-auth`. If you include the PingID PAM module in a top-level configuration file, it will affect all the services that are referenced in that configuration file.

6. Since the PingID module is added to serve as a second authentication factor, the configuration changes described in this step can differ slightly, depending on the first authentication factor used.

   ### Choose from:

   * If the first authentication step consists of username/password:

     * Add `pam_pingid.so` after `pam_unix.so` in the configuration file.

     * Set the control options for `pam_pingid.so` to be the same as those currently set for `pam_unix.so`.

     * Change the control option for `pam_unix.so` to `requisite`, which means that the step must be successful for authentication to continue.

   * If the first authentication step is key-based authentication:

     * Add `pam_pingid.so` after `pam_unix.so` in the configuration file (if `pam_unix.so` appears there).

     * Set the control options for `pam_pingid.so` to be the same as those currently set for `pam_unix.so`.

     * Remove `pam_unix.so` from the file to prevent the username/password dialog from being displayed.

7. Restart the sshd service: `sudo service sshd restart`
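The following script is an added example, not part of the original page and not Ping Identity code. It audits an `sshd_config` and a PAM service file against the settings in the steps above, including the ForceCommand conflict. The function names (`sshd_value`, `check_sshd`, `check_pam`) are hypothetical, and the script assumes the settings live in the two files you pass it: it does not follow `Include` or `@include` lines, and it reads only the global part of `sshd_config`.

```shell
#!/bin/sh
# Added example (not Ping Identity code): audit the settings from the steps above.
# Limits: global sshd_config scope only (stops at the first Match block), and no
# following of Include / @include lines.

sshd_value() {  # $1 = sshd_config path, $2 = keyword; sshd uses the first value it reads
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

check_sshd() {  # $1 = sshd_config path; prints findings, returns 1 if any
    bad=0
    for pair in "UsePAM yes" "KbdInteractiveAuthentication yes" \
                "ChallengeResponseAuthentication yes" "PasswordAuthentication no"; do
        key=${pair% *}; want=${pair#* }; got=$(sshd_value "$1" "$key")
        [ "$got" = "$want" ] || { echo "FAIL $key: want $want, got ${got:-unset}"; bad=1; }
    done
    case ",$(sshd_value "$1" AuthenticationMethods | tr ' ' ',')" in
        *,keyboard-interactive*) ;;
        *) echo "FAIL AuthenticationMethods lacks keyboard-interactive"; bad=1 ;;
    esac
    # ForceCommand anywhere in the file (Match blocks included) is flagged.
    if grep -Eiq '^[[:space:]]*ForceCommand[[:space:]]' "$1"; then
        echo "FAIL ForceCommand is set; the page says not to combine it with PAM"; bad=1
    fi
    return $bad
}

check_pam() {  # $1 = PAM service file, $2 = first factor: password | key
    awk -v mode="$2" '
        $1 == "auth" && /pam_unix\.so/   { unix = NR; uctl = $2 }
        $1 == "auth" && /pam_pingid\.so/ { ping = NR }
        END {
            if (!ping) { print "FAIL pam_pingid.so missing from auth stack"; bad = 1 }
            if (mode == "password") {
                if (!unix || (ping && ping < unix)) { print "FAIL pam_pingid.so must follow pam_unix.so"; bad = 1 }
                if (unix && uctl != "requisite") { print "FAIL pam_unix.so is " uctl ", want requisite"; bad = 1 }
            } else if (unix) { print "FAIL pam_unix.so still present in key-based setup"; bad = 1 }
            exit bad
        }' "$1"
}

# Usage: sh pingid_audit.sh /etc/ssh/sshd_config /etc/pam.d/sshd [password|key]
if [ $# -ge 2 ]; then
    check_sshd "$1"; s=$?
    check_pam "$2" "${3:-password}"; p=$?
    [ "$s$p" = 00 ] && echo "OK: settings match the steps"
fi
```

Run it from the root session you kept open, and validate the file syntax with `sshd -t` before restarting the service.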
