PingID Administration Guide

Configuring PAM

Configure the PingID SSH installation to enable it to work with PAM.

About this task

There are two main steps you must carry out to configure PAM for PingID:

  • Edit the SSH configuration file sshd_config to set it up to use PAM.

  • Edit the PAM configuration file to instruct PAM to use the PingID PAM module.

Do not enable PAM for SSHD while ForceCommand is being used. This will confuse the SSHD service and may cause authentication issues in SSHD-based utilities (for example, ssh, scp, or sftp).
While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

Steps

  1. Open the SSHD configuration file /etc/ssh/sshd_config in a text editor (requires superuser permissions).

  2. Locate the AuthenticationMethods line in the file and add keyboard-interactive as a method if it is not already there; PingID requires it. Keep any other methods you already use. For example, if you use key-based authentication for standard SSH authentication, the line should read:

     AuthenticationMethods publickey,keyboard-interactive

     If AuthenticationMethods lists several space-separated alternatives (for example publickey,keyboard-interactive password), include keyboard-interactive in every one of them. sshd accepts any single alternative in full, so an alternative without keyboard-interactive would let a client authenticate without ever reaching PingID.

  3. Since each authentication method listed must also be enabled explicitly, make sure that the sshd_config file also contains the line KbdInteractiveAuthentication yes.

  4. Set the following parameters in the sshd_config file. sshd uses the first value it finds for each keyword, so remove or comment out any earlier line (including lines in files pulled in with Include, or in a Match block) that sets one of these keywords differently:

    1. UsePAM yes

    2. ChallengeResponseAuthentication yes (recent OpenSSH releases treat this keyword as a deprecated alias for KbdInteractiveAuthentication; setting both to yes is harmless)

    3. PasswordAuthentication no (this disables sshd's own password method, so the only password dialog a client can reach is the one issued through keyboard-interactive, which is the path PingID hooks into)

  5. Open the PAM configuration file in a text editor (requires superuser permissions). This should be the PAM configuration file for the service that you want to protect with PingID. If you are protecting the ssh service, on most Linux installations the relevant configuration file is /etc/pam.d/sshd.

    Your /etc/pam.d directory may contain shared configuration files that the ssh service file includes, for example system-auth, common-auth and password-auth. If you add the PingID PAM module to one of those shared files instead of to /etc/pam.d/sshd, it will affect every service that includes that file, not just ssh.

  6. Since the PingID module is added to serve as a second authentication factor, the configuration changes described in this step can differ slightly, depending on the first authentication factor used.

    Choose from:

    • If the first authentication step consists of username/password:

      • Add pam_pingid.so after pam_unix.so in the configuration file.

      • Set the control options for pam_pingid.so to be the same as those currently set for pam_unix.so.

      • Change the control option for pam_unix.so to requisite. A requisite module must succeed for authentication to continue; if it fails, PAM returns the failure immediately, so a user who enters a wrong password is never shown the PingID prompt.

    • If the first authentication step is key-based authentication:

      • Add pam_pingid.so after pam_unix.so in the configuration file (if pam_unix.so appears there).

      • Set the control options for pam_pingid.so to be the same as those currently set for pam_unix.so.

      • Remove the auth line for pam_unix.so from the file (leave its account and session lines in place) to prevent the username/password dialog from being displayed.

  7. Check the syntax of the edited sshd configuration before restarting: sudo sshd -t (it prints nothing when the file is valid). Then restart the sshd service: sudo service sshd restart (on systemd-based distributions, sudo systemctl restart sshd). Before closing the root session you kept open, confirm from a second terminal that a normal login now prompts for PingID and still succeeds.
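The following script is an added example for this guide, not part of PingID or its documentation. It reads an sshd_config and a PAM service file and checks them against steps 2 to 6 above: UsePAM, keyboard-interactive and PasswordAuthentication settings, keyboard-interactive present in every AuthenticationMethods alternative, no ForceCommand, and pam_pingid.so placed after a requisite pam_unix.so (or with pam_unix.so absent from the auth stack). The file names, the helper names (sshd_value, check_sshd_config, check_pam_auth, write_samples) and the sample configurations it writes are all constructed for the example; it assumes the module is installed as pam_pingid.so, that only the auth stack of the service file matters, and that sshd_config has no Match blocks.

```shell
#!/bin/sh
# Pre-flight check for the sshd_config and PAM edits in steps 2-6 above.
# Added example for this guide, not PingID's own tooling; it only reads the
# files it is given and never modifies them. Assumptions not stated on the
# page: the module is installed as pam_pingid.so, only the "auth" stack of the
# PAM service file matters, and sshd_config has no Match blocks. sshd uses the
# FIRST occurrence of a keyword, so sshd_value() takes the first match too.

# Print the effective (first non-comment) value of an sshd_config keyword,
# lower-cased; keyword matching is case-insensitive, as in sshd.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }
    ' "$1"
}

# Return 0 when sshd_config satisfies steps 2-4 and the ForceCommand caveat.
check_sshd_config() {
    f="$1"; rc=0
    [ "$(sshd_value "$f" UsePAM)" = "yes" ] || { echo "UsePAM must be yes"; rc=1; }
    kbd="$(sshd_value "$f" KbdInteractiveAuthentication)"
    # ChallengeResponseAuthentication is the older name for the same option.
    [ -n "$kbd" ] || kbd="$(sshd_value "$f" ChallengeResponseAuthentication)"
    [ "$kbd" = "yes" ] || { echo "KbdInteractiveAuthentication must be yes"; rc=1; }
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication must be no"; rc=1; }
    [ -z "$(sshd_value "$f" ForceCommand)" ] || { echo "ForceCommand is set; do not enable PAM while it is in use"; rc=1; }
    methods="$(sshd_value "$f" AuthenticationMethods)"
    [ -n "$methods" ] || { echo "AuthenticationMethods is not set"; rc=1; }
    # Space-separated lists are alternatives sshd accepts on their own, so every
    # list must contain keyboard-interactive or PingID can be skipped entirely.
    for list in $methods; do
        case ",$list," in
            *,keyboard-interactive,*) ;;
            *) echo "AuthenticationMethods list '$list' lacks keyboard-interactive"; rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 when the PAM service file has pam_pingid.so in its auth stack, after
# pam_unix.so if that is present, and pam_unix.so (when present) is requisite.
check_pam_auth() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $1 != "auth" { next }
        $2 == "include" || $2 == "substack" { print "note: " $3 " is pulled in here; check that file too"; next }
        {
            n++; ctl = $2; i = 3
            # bracketed controls such as [success=1 default=ignore] span several fields
            if (ctl ~ /^\[/) while (i <= NF && $(i - 1) !~ /\]$/) { ctl = ctl " " $i; i++ }
            mod = $i
        }
        mod ~ /pam_unix\.so$/   { unix_line = n; unix_ctl = ctl }
        mod ~ /pam_pingid\.so$/ { pingid_line = n }
        END {
            if (!pingid_line) { print "pam_pingid.so missing from the auth stack"; exit 1 }
            if (unix_line && unix_line > pingid_line) { print "pam_pingid.so must come after pam_unix.so"; exit 1 }
            if (unix_line && unix_ctl != "requisite") { print "pam_unix.so must be requisite, found: " unix_ctl; exit 1 }
        }
    ' "$1"
}

# Constructed sample files (not taken from any real host) to exercise the checks offline.
write_samples() {
    cat > "$1/sshd_config.ok" <<'EOF'
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/sshd_config.bypass" <<'EOF'
# the second alternative accepts a bare password and never reaches PingID
AuthenticationMethods publickey,keyboard-interactive password
KbdInteractiveAuthentication yes
UsePAM yes
PasswordAuthentication yes
EOF
    cat > "$1/pam_sshd.password" <<'EOF'
auth      requisite   pam_unix.so
auth      required    pam_pingid.so
account   required    pam_unix.so
EOF
    cat > "$1/pam_sshd.key" <<'EOF'
auth      required    pam_pingid.so
account   required    pam_unix.so
EOF
    cat > "$1/pam_sshd.wrong" <<'EOF'
# pam_unix.so left as required: PAM still reaches the PingID prompt after a bad password
auth      required    pam_unix.so
auth      required    pam_pingid.so
EOF
}

# Usage: sh pingid_pam_check.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ "$#" -eq 2 ]; then
    check_sshd_config "$1" && check_pam_auth "$2" && echo "OK: $1 and $2 match steps 2-6"
fi
```

Run it as sh pingid_pam_check.sh /etc/ssh/sshd_config /etc/pam.d/sshd from the root session you kept open; each failed check prints one line and the script exits non-zero. The checks are deliberately stricter than sshd itself in one place: an AuthenticationMethods alternative without keyboard-interactive is reported as a failure even though sshd accepts it, because that is exactly the path that lets a login skip PingID.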