PingID provides SSH authentication services to protect local and remote sign on to Linux and Unix systems, including configuration options for Pluggable Authentication Module (PAM) and ForceCommand.
- Secure Shell (SSH): SSH is an encrypted network protocol, which provides a remote or local secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.
- Pluggable authentication module (PAM): PAM is a mechanism to integrate low-level authentication schemes into a high-level API. Applications that rely on authentication can be developed independently of the underlying authentication scheme.
- ForceCommand: ForceCommand safely executes remote commands through SSH. ForceCommand can be associated with the SSH configuration of authorized keys.
- Limitation of ForceCommand: When PingID MFA is configured through ForceCommand, SSH commands that do not support interactive sessions, such as scp and sftp, do not allow authentication with a one-time passcode (OTP).
This limitation does not apply when:
- Authenticating using a mobile device (push).
- PingID MFA is configured through the PAM module.
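The following is an added example, not part of the PingID documentation: a small Python parser that lists which scopes of an sshd_config carry a ForceCommand, so you can see where the scp/sftp OTP limitation above applies. The wrapper path `/path/to/mfa-wrapper` and the function names are assumptions; `Include` files are not followed, and the code does not resolve which Match block a given connection hits.

```python
import re

# Constructed sample sshd_config; the wrapper path is a placeholder,
# not a path taken from PingID documentation.
SAMPLE_CONFIG = """\
Subsystem sftp internal-sftp
Match Group admins
    ForceCommand /path/to/mfa-wrapper
Match User backup
    ForceCommand internal-sftp
Match User ci
    forcecommand none
"""

# keyword, then whitespace or a single "=", then the arguments
_LINE = re.compile(r"^\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")


def forcecommand_scopes(config_text):
    """Map each scope ('global' or 'Match <criteria>') to its ForceCommand."""
    scopes, scope = {}, "global"
    for raw in config_text.splitlines():
        m = _LINE.match(raw)  # comment and blank lines do not match
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"')
        if key == "match":
            scope = f"Match {value}"
        elif key == "forcecommand" and scope not in scopes:
            # sshd uses the first value it obtains for a keyword.
            scopes[scope] = value
    return scopes


def otp_limited_scopes(config_text, wrapper_marker):
    """Scopes whose forced command contains wrapper_marker (hypothetical)."""
    # In these scopes scp and sftp cannot answer an OTP prompt; per the
    # limitation above they need push or the PAM integration instead.
    return sorted(
        scope for scope, cmd in forcecommand_scopes(config_text).items()
        if wrapper_marker in cmd
    )


if __name__ == "__main__":
    for scope in otp_limited_scopes(SAMPLE_CONFIG, "/path/to/mfa-wrapper"):
        print(f"{scope}: scp/sftp cannot answer an OTP prompt here")
```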
Adding multi-factor authentication (MFA) to a Unix or Linux system might result in locking you out of the system. To minimize this risk, back up your system before beginning an installation, and during an installation, keep a separate open session with root permissions.
Obtaining the PingID properties file for SSH
A PingID properties file is required during the installation of the PingID SSH agent.
Properties files may have full or restricted permissions. Full permissions should be used with care: they enable on-the-fly enrollment, device management, and authentication, which may not be desirable. For information on downloading the PingID properties file, see Managing the PingID properties file.