Configuring ForceCommand
Configure the PingID SSH installation to enable it to work with ForceCommand.
About this task
While changing SSHD or PAM configurations, keep an open session with root permissions. This allows you to reverse any changes without being locked out of the server.
Limitation of ForceCommand: When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP). This limitation does not apply when authenticating using a mobile device (push).
This procedure assumes that PingID was installed with --prefix=/usr.
Steps
- Add the following lines at the end of the SSH configuration file (for example, /etc/ssh/sshd_config). Choose the option that matches the scope you want:

  Enable single user
    # enable pingid for testuser
    Match User testuser
        ForceCommand /usr/sbin/pingid_fc

  Disable single user
    # disable pingid for testuser
    Match User !testuser,*
        ForceCommand /usr/sbin/pingid_fc

  Enable group
    # enable pingid for all users in testgroup
    Match Group testgroup
        ForceCommand /usr/sbin/pingid_fc

  Disable group
    # disable pingid for all users in testgroup
    Match User * Group !testgroup,*
        ForceCommand /usr/sbin/pingid_fc

  Enable all users
    # enable pingid for all users
    ForceCommand /usr/sbin/pingid_fc

  Disable PermitTunnel and AllowTcpForwarding in the sshd_config file, because tunneling and port forwarding are performed before PingID authentication is triggered.
- Restart the sshd service:
    sudo service sshd restart
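An added check, not part of the PingID documentation: a small evaluator for sshd_config Match User/Match Group blocks that follows the pattern-list rules of sshd_config(5), under which a list consisting only of a negated pattern (such as `!testuser`) never matches anyone, so a "disable" block needs a trailing `,*` to cover the other users. The sample config, the usernames and the group lists are constructed; the function names are this example's own.

```python
import fnmatch
def pattern_list_matches(value, pattern_list):
    """sshd_config(5) pattern list: a matching '!' pattern rejects (-1), a
    positive match returns 1; a lone negated pattern never matches (0)."""
    positive = False
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return -1
            positive = True
    return 1 if positive else 0

def groups_match(groups, pattern_list):
    """Match Group: a negated hit on any group rejects, else any positive hit."""
    hits = [pattern_list_matches(g, pattern_list) for g in groups]
    return -1 not in hits and 1 in hits

def parse_sshd_config(text):
    """[(criteria, opts), ...] with the global section first (empty criteria).
    Within a section the first value of a keyword wins, as in sshd."""
    blocks = [({}, {})]
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key.lower() == "match":
            tokens = rest.split()  # e.g. ["User", "*", "Group", "!testgroup,*"]
            blocks.append((dict(zip(tokens[0::2], tokens[1::2])), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), rest.strip())
    return blocks

def effective_options(text, user, groups):
    """Keywords in force for `user` (member of `groups`): Match blocks override
    the global section, first value wins; only User/Group criteria are handled."""
    resolved, blocks = {}, parse_sshd_config(text)
    for criteria, opts in blocks[1:] + blocks[:1]:  # Match blocks, then global
        if all(pattern_list_matches(user, v) == 1 if k.lower() == "user" else
               groups_match(groups, v) if k.lower() == "group" else False
               for k, v in criteria.items()):
            for key, val in opts.items():
                resolved.setdefault(key, val)
    return resolved
# Constructed sample: the ",*" lets the negated User pattern match everyone else.
SAMPLE_CONFIG = """PermitTunnel no
AllowTcpForwarding no
Match User !testuser,*
    ForceCommand /usr/sbin/pingid_fc
"""
```

On the server itself, `sshd -T -C user=testuser,host=example,addr=192.0.2.1` prints the effective configuration for that connection from the real parser, which is the authoritative check before restarting sshd.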
Mapping usernames with ForceCommand
Mapping usernames enables PingID SSH for users with specific public keys.
Steps
- Use the command option in the ~/.ssh/authorized_keys file. Example:
    command="/usr/sbin/pingid_fc -u john" ssh-rsa AAA..../KO== john@luni.com
    command="/usr/sbin/pingid_fc -u david" ssh-rsa BAB...JIL== david@luni.com
This procedure assumes that PingID was installed with --prefix=/usr.