PingID Administration Guide

Configuring ForceCommand

Configure the PingID SSH installation to enable it to work with ForceCommand.

About this task

While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

Limitation of ForceCommand:

When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) cannot authenticate with a One Time Passcode (OTP).

The above limitation does not apply when authenticating using a mobile device (push).

This procedure assumes that PingID was installed with --prefix=/usr:

Steps

  1. Add the following lines at the end of the SSH configuration file (for example, /etc/ssh/sshd_config). Choose the variant that matches the scope you want to enforce:

    Enable single user:

    # enable pingid for testuser
    Match User testuser
    ForceCommand /usr/sbin/pingid_fc

    Disable single user:

    # disable pingid for testuser
    Match User !testuser
    ForceCommand /usr/sbin/pingid_fc

    Enable group:

    # enable pingid for all users in testgroup
    Match Group testgroup
    ForceCommand /usr/sbin/pingid_fc

    Disable group:

    # disable pingid for all users in testgroup
    Match User * Group !testgroup
    ForceCommand /usr/sbin/pingid_fc

    Enable all users:

    # enable pingid for all users
    ForceCommand /usr/sbin/pingid_fc

    Also set PermitTunnel and AllowTcpForwarding to no in the sshd_config file, because tunneling and port forwarding are set up before PingID authentication is triggered and would otherwise bypass it.

  2. Restart the sshd service:

    sudo service sshd restart
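    A practical check before restarting sshd is to confirm that every scope where pingid_fc is forced also has tunneling and TCP forwarding disabled, since sshd applies the first value it finds per keyword, Match blocks override the global section, and AllowTcpForwarding defaults to yes when it is not set anywhere. The following audit script is an added example and not part of PingID or its documentation; it assumes the --prefix=/usr path from this guide and the two constructed sshd_config samples embedded in it.

```python
"""Audit an sshd_config for PingID ForceCommand scoping and for the tunneling
directives this guide says to disable.

Added example, not PingID code. To check a live file:
    audit_sshd_config(open("/etc/ssh/sshd_config").read())
"""

PINGID_FC = "/usr/sbin/pingid_fc"  # path assumes --prefix=/usr, as in the guide

# OpenSSH defaults applied when a directive is absent from both the Match
# block and the global section.
DEFAULTS = {"permittunnel": "no", "allowtcpforwarding": "yes"}


def parse_sshd_config(text):
    """Split sshd_config into a global section and a list of Match blocks.

    Returns (global_opts, matches): global_opts is {keyword: value} and
    matches is a list of (criteria, {keyword: value}). Keywords are
    case-insensitive in sshd_config, so they are lower-cased. sshd uses the
    first value it sees for a keyword, which setdefault reproduces.
    """
    global_opts = {}
    matches = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            matches.append((value, current))
        else:
            current.setdefault(keyword, value)  # ForceCommand may contain spaces
    return global_opts, matches


def effective(keyword, block_opts, global_opts):
    """Value sshd would apply: Match block first, then global, then default."""
    return block_opts.get(keyword, global_opts.get(keyword, DEFAULTS[keyword])).lower()


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config follows the guide."""
    global_opts, matches = parse_sshd_config(text)
    scopes = [("global", global_opts)] + [("Match " + c, o) for c, o in matches]
    findings = []
    if not any(PINGID_FC in o.get("forcecommand", "") for _, o in scopes):
        findings.append("no ForceCommand pointing at %s found" % PINGID_FC)
    for name, opts in scopes:
        if PINGID_FC not in opts.get("forcecommand", ""):
            continue
        for directive in ("permittunnel", "allowtcpforwarding"):
            if effective(directive, opts, global_opts) != "no":
                findings.append("%s: %s is not 'no' where PingID is enforced"
                                % (name, directive))
    return findings


# Constructed sample: the guide's "Enable group" snippet with the tunneling
# directives left at their defaults (AllowTcpForwarding defaults to yes).
WEAK_CONFIG = """
Port 22
# enable pingid for all users in testgroup
Match Group testgroup
ForceCommand /usr/sbin/pingid_fc
"""

# Constructed sample: the same snippet with both directives disabled globally.
HARDENED_CONFIG = """
Port 22
PermitTunnel no
AllowTcpForwarding no
# enable pingid for all users in testgroup
Match Group testgroup
ForceCommand /usr/sbin/pingid_fc
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd_config(cfg) or ["ok"])
```

    The weak sample reports that AllowTcpForwarding is still effectively yes inside the Match block, which is exactly the case where a forwarded port would be set up before pingid_fc ever runs; the hardened sample produces no findings.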

Mapping usernames with ForceCommand

Mapping usernames enables PingID SSH for users with specific public keys, passing the PingID username to pingid_fc with the -u option.

Steps

  • Use the command option in the ~/.ssh/authorized_keys file.

    Example:

    command="/usr/sbin/pingid_fc -u john" ssh-rsa AAA..../KO== john@luni.com
    command="/usr/sbin/pingid_fc -u david" ssh-rsa BAB...JIL== david@luni.com

    This procedure assumes that PingID was installed with --prefix=/usr.
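    Because an authorized_keys line without a command= option bypasses this per-key mapping, it is worth listing which keys in a user's file are actually tied to a PingID username. The parser below is an added example, not PingID code; it handles the quoted options field (which may itself contain commas and spaces), assumes the --prefix=/usr path from this guide, and runs against a constructed sample whose key material is truncated and not real.

```python
"""Report which authorized_keys entries are mapped to a PingID username via
command="/usr/sbin/pingid_fc -u <user>" and which are not.

Added example, not PingID code. The embedded sample is constructed.
"""

import shlex

PINGID_FC = "/usr/sbin/pingid_fc"  # assumes --prefix=/usr, as in the guide
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_options_field(line):
    """Return (options_text, remainder): the options field ends at the first
    whitespace that is outside double quotes and not backslash-escaped."""
    quoted = escaped = False
    for i, ch in enumerate(line):
        if escaped:
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""


def split_options(options_text):
    """Split the comma-separated options, keeping quoted values intact."""
    out, buf, quoted, escaped = [], [], False, False
    for ch in options_text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    if buf:
        out.append("".join(buf))
    return out


def parse_line(line):
    """Return (options, keytype, key, comment), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = [], line          # options field is optional
    else:
        options_text, rest = split_options_field(line)
        options = split_options(options_text)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) > 2 else ""
    return options, parts[0], parts[1], comment


def pingid_user(options):
    """Username passed to pingid_fc -u, or None if the key has no such command."""
    for opt in options:
        if opt.startswith('command="') and opt.endswith('"'):
            argv = shlex.split(opt[len('command="'):-1])
            if argv and argv[0] == PINGID_FC and "-u" in argv:
                idx = argv.index("-u")
                if idx + 1 < len(argv):
                    return argv[idx + 1]
    return None


def audit_authorized_keys(text):
    """Map each key's comment (or key prefix) to its PingID username or None."""
    result = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        options, _keytype, key, comment = parsed
        result[comment or key[:16]] = pingid_user(options)
    return result


# Constructed sample; key blobs are truncated placeholders, not real keys.
SAMPLE = '''# constructed sample authorized_keys
command="/usr/sbin/pingid_fc -u john" ssh-rsa AAAAB3Nza...KO== john@luni.com
command="/usr/sbin/pingid_fc -u david",no-port-forwarding ssh-ed25519 AAAAC3Nza...JIL david@luni.com
ssh-ed25519 AAAAC3Nza...XYZ backup@luni.com
'''

if __name__ == "__main__":
    for comment, user in audit_authorized_keys(SAMPLE).items():
        print("%-18s -> %s" % (comment, user or "NOT MAPPED"))
```

    In the sample, the third key has no command= option and is reported as not mapped; the second shows that additional per-key options such as no-port-forwarding can sit beside the pingid_fc command without confusing the parser.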