Configuring ForceCommand
Configure the PingID SSH installation to enable it to work with ForceCommand.
About this task
While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

Limitation of ForceCommand: When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP), because those clients do not allocate a terminal on which the passcode could be entered. This limitation does not apply when authenticating using a mobile device (push).
This procedure assumes that PingID was installed with --prefix=/usr:
Steps
- Add the following lines at the end of the SSH configuration file (for example, /etc/ssh/sshd_config). Pick the option that matches your deployment: a Match block limits the ForceCommand to the users or groups it names, and a bare ForceCommand applies to every user.

  Enable single user:

    # enable pingid for testuser
    Match User testuser
        ForceCommand /usr/sbin/pingid_fc

  Disable single user (PingID for every user except testuser):

    # enable pingid for every user except testuser
    # "Match User !testuser" on its own never matches: a pattern list made only
    # of negated patterns never produces a positive match (PATTERNS, ssh_config(5)),
    # so the wildcard is required
    Match User *,!testuser
        ForceCommand /usr/sbin/pingid_fc

  Enable group:

    # enable pingid for all users in testgroup
    Match Group testgroup
        ForceCommand /usr/sbin/pingid_fc

  Disable group (PingID for every user not in testgroup):

    # enable pingid for all users outside testgroup
    # "Group !testgroup" on its own never matches, for the same reason as above
    Match Group *,!testgroup
        ForceCommand /usr/sbin/pingid_fc

  Enable all users:

    # enable pingid for all users
    ForceCommand /usr/sbin/pingid_fc

  A Match block extends to the next Match line or to the end of the file, which is why these lines belong at the end of sshd_config: any global directive placed after a Match line would be read as part of that block.

- Set AllowTcpForwarding no and PermitTunnel no in sshd_config (globally, or inside the same Match block). ForceCommand runs only when the client opens a session, whereas port-forwarding and tunnel requests are served on the authenticated connection without any session, so a user who has passed only the first factor could otherwise forward ports or open a tunnel (for example, ssh -N with -L or -D) without ever completing PingID MFA.

- Check the file for syntax and placement errors with sudo sshd -t, then restart the sshd service:

  sudo service sshd restart
Mapping usernames with ForceCommand
Mapping usernames enables PingID SSH per public key: the command option in authorized_keys forces pingid_fc for connections that authenticate with that key, and its -u argument supplies the username that pingid_fc authenticates, so that, for example, different keys in one account's authorized_keys file can be authenticated as different PingID users.
Steps
- Use the command option in the ~/.ssh/authorized_keys file. Example:

    command="/usr/sbin/pingid_fc -u john" ssh-rsa AAA..../KO== john@luni.com
    command="/usr/sbin/pingid_fc -u david" ssh-rsa BAB...JIL== david@luni.com

  A ForceCommand set in sshd_config supersedes the command option in authorized_keys, so the per-key -u mapping only takes effect for users to whom no sshd_config ForceCommand applies. The command option forces the command but does not restrict forwarding on its own; add no-port-forwarding to the same options list for the same reason that PermitTunnel and AllowTcpForwarding are disabled in sshd_config.

This procedure assumes that PingID was installed with --prefix=/usr.
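As an added example (not part of the PingID documentation and not OpenSSH code), the following Python script models how sshd resolves the forced command for a given user from the Match blocks in the sshd_config procedure above and from the command option in authorized_keys. It re-implements three rules from sshd_config(5) and ssh_config(5): a pattern list made only of negated patterns never matches, keywords in an applicable Match block override the global ones, and a sshd_config ForceCommand supersedes an authorized_keys command. The users, group memberships and config fragments are constructed for the example, only the User and Group criteria are modelled, and the pingid_fc path assumes --prefix=/usr. It lets you check a planned configuration offline; on the host itself, confirm the effective settings for a user with sshd -T -C user=<name>,host=<host>,addr=<addr>.

```python
"""Offline model of how sshd picks the forced command for a session.

Added example, not PingID or OpenSSH code.  It re-implements, from the
sshd_config(5) and ssh_config(5) man pages, just enough to reason about
the Match blocks and authorized_keys lines on this page.  Only the User
and Group criteria are modelled.
"""
import fnmatch
import re
import shlex

PINGID_FC = "/usr/sbin/pingid_fc"  # path assumed from --prefix=/usr

# Constructed group memberships for the hypothetical users used below.
GROUPS = {"testuser": {"testgroup"}, "john": {"staff"}, "david": {"staff", "testgroup"}}


def match_pattern_list(value, pattern_list):
    """Like sshd's match_pattern_list(): 1 = positive match, 0 = no match,
    -1 = a negated pattern matched (a negated hit always wins).  Note that
    a list of only negated patterns can never return 1."""
    got_positive = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negated else pat):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def match_line_applies(criteria, user, groups):
    """Evaluate 'Match User <list> Group <list>'; every criterion must hold."""
    for keyword, pattern in zip(criteria[0::2], criteria[1::2]):
        key = keyword.lower()
        if key == "user":
            if match_pattern_list(user, pattern) != 1:
                return False
        elif key == "group":
            # As in sshd's ga_match_pattern_list(): a negated hit on any of the
            # user's groups rejects; otherwise some group must match positively.
            results = [match_pattern_list(g, pattern) for g in groups]
            if -1 in results or 1 not in results:
                return False
        else:
            raise ValueError("Match criterion not modelled: " + keyword)
    return True


def effective_config(sshd_config, user):
    """Return {keyword: value} as sshd would apply it to `user`: for globals
    the first value wins; among applicable Match blocks the first value wins,
    and those values then override the globals."""
    global_opts, match_opts, in_block, active = {}, {}, False, False
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = shlex.split(line)
        key = words[0].lower()
        if key == "match":
            in_block = True
            active = match_line_applies(words[1:], user, GROUPS.get(user, set()))
            continue
        value = " ".join(words[1:])
        if not in_block:
            global_opts.setdefault(key, value)
        elif active:
            match_opts.setdefault(key, value)
    return {**global_opts, **match_opts}


def authorized_key_command(authorized_keys_line):
    """The command="..." option of one authorized_keys line, or None."""
    m = re.search(r'command="((?:\\.|[^"\\])*)"', authorized_keys_line)
    return m.group(1).replace('\\"', '"') if m else None


def forced_command(sshd_config, user, authorized_keys_line):
    """What sshd runs for the session: the sshd_config ForceCommand if one
    applies (it supersedes the key's command=), else the key's command=,
    else None (the client's own command or login shell)."""
    cfg = effective_config(sshd_config, user)
    return cfg.get("forcecommand") or authorized_key_command(authorized_keys_line)


# Constructed sshd_config fragments mirroring the options on this page.
CFG_ENABLE_USER = f"Match User testuser\n    ForceCommand {PINGID_FC}\n"
CFG_NEGATION_ONLY = f"Match User !testuser\n    ForceCommand {PINGID_FC}\n"  # applies to nobody
CFG_DISABLE_USER = f"Match User *,!testuser\n    ForceCommand {PINGID_FC}\n"
CFG_DISABLE_GROUP = ("AllowTcpForwarding no\nPermitTunnel no\n"
                     f"Match Group *,!testgroup\n    ForceCommand {PINGID_FC}\n")
KEY_JOHN = f'command="{PINGID_FC} -u john" ssh-rsa AAA..../KO== john@luni.com'

if __name__ == "__main__":
    for name, cfg in [("User testuser", CFG_ENABLE_USER), ("User !testuser", CFG_NEGATION_ONLY),
                      ("User *,!testuser", CFG_DISABLE_USER), ("Group *,!testgroup", CFG_DISABLE_GROUP)]:
        for user in ("testuser", "john", "david"):
            print(f"{name:18} {user:9} -> {effective_config(cfg, user).get('forcecommand')}")
    print("key command only        :", forced_command("", "john", KEY_JOHN))
    print("plus global ForceCommand:", forced_command(f"ForceCommand {PINGID_FC}", "john", KEY_JOHN))
```

Running it shows that "Match User !testuser" applies PingID to nobody, that "*,!testuser" and "*,!testgroup" give the intended exceptions, and that john's per-key "-u john" command is replaced by the bare pingid_fc as soon as a global ForceCommand is present.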