Configuring PAM

Configure the PingID SSH installation to enable it to work with PAM.

About this task

There are two main steps you must carry out to configure PAM for PingID:

- Edit the SSH configuration file sshd_config to set it up to use PAM.
- Edit the PAM configuration file to instruct PAM to use the PingID PAM module.

Do not enable PAM for SSHD while ForceCommand is being used. This will confuse the SSHD service and may cause authentication issues in SSHD-based utilities (for example, ssh, scp, or sftp).

While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.
Steps

1. Open the SSHD configuration file /etc/ssh/sshd_config in a text editor (requires superuser permissions).

2. Locate the AuthenticationMethods line in the file. Add keyboard-interactive as a method (if it is not already there), as this is required by PingID. This should be in addition to any other methods you have there. For example, if you use key-based authentication for standard SSH authentication, the AuthenticationMethods line should look like this:

   AuthenticationMethods publickey,keyboard-interactive

3. Since each authentication method listed must also be enabled explicitly, make sure that the sshd_config file also contains the line:

   KbdInteractiveAuthentication yes

4. Set the following parameters in the sshd_config file:

   - UsePAM yes
   - ChallengeResponseAuthentication yes
   - PasswordAuthentication no
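The following is an added example and is not code from the PingID documentation: a POSIX shell script that applies steps 1 to 4 to an sshd_config file passed as an argument, idempotently, and then verifies the result. The function names are the example's own, the sample file is constructed, and the script assumes the directives are global (it does not handle Match blocks). On OpenSSH 8.7 and later, ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication, so the two lines set the same option.

```shell
#!/bin/sh
# Added example, not part of the PingID documentation: apply the sshd_config
# edits from steps 1-4 to the file given as argument, idempotently, then verify
# the result. On a real server, run it as root against /etc/ssh/sshd_config
# while keeping a second root session open. Directives inside "Match" blocks
# are not handled; this assumes the directives are global.

# Replace every existing (possibly commented-out) occurrence of a directive
# with "KEY VALUE", or append it if the directive is absent from the file.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Add keyboard-interactive to every method group on the AuthenticationMethods
# line (the line holds one or more comma-separated groups) if it is missing.
# The line must already exist and name the first factor (step 2 says to add
# keyboard-interactive to the methods you already have there).
ensure_keyboard_interactive() {
    file=$1
    if ! grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]]' "$file"; then
        echo "$file: no AuthenticationMethods line; add one naming your first factor" >&2
        return 1
    fi
    awk '$1 == "AuthenticationMethods" {
             line = $1
             for (i = 2; i <= NF; i++) {
                 g = $i
                 if (g !~ /(^|,)keyboard-interactive(,|$)/) g = g ",keyboard-interactive"
                 line = line " " g
             }
             $0 = line
         }
         { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Apply every change from steps 2-4.
configure_pingid_sshd() {
    file=$1
    ensure_keyboard_interactive "$file" || return 1
    set_directive "$file" KbdInteractiveAuthentication yes
    set_directive "$file" UsePAM yes
    set_directive "$file" ChallengeResponseAuthentication yes
    set_directive "$file" PasswordAuthentication no
}

# Verify the file: each required directive has the required value and every
# AuthenticationMethods group contains keyboard-interactive. Returns 1 and
# prints the first problem found, 0 when everything is in place.
check_pingid_sshd() {
    file=$1
    for pair in "KbdInteractiveAuthentication yes" "UsePAM yes" \
                "ChallengeResponseAuthentication yes" "PasswordAuthentication no"; do
        grep -Eq "^[[:space:]]*${pair}[[:space:]]*$" "$file" || {
            echo "$file: missing '$pair'" >&2; return 1; }
    done
    awk '$1 == "AuthenticationMethods" {
             for (i = 2; i <= NF; i++)
                 if ($i !~ /(^|,)keyboard-interactive(,|$)/) bad = 1
             seen = 1
         }
         END { exit (seen && !bad) ? 0 : 1 }' "$file" || {
        echo "$file: AuthenticationMethods must list keyboard-interactive in every group" >&2
        return 1; }
}

# Constructed sample (not a real server's sshd_config) to show the effect:
# key-based first factor, PAM commented out, password login still enabled.
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
AuthenticationMethods publickey
#UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF
configure_pingid_sshd "$demo" && check_pingid_sshd "$demo" && cat "$demo"
rm -f "$demo"
# On the real file, check the syntax with "sshd -t" before step 7's restart.
```

The sample ends up with `AuthenticationMethods publickey,keyboard-interactive`, `UsePAM yes`, `ChallengeResponseAuthentication yes`, `PasswordAuthentication no` and an appended `KbdInteractiveAuthentication yes`. Running the script a second time changes nothing, so it is safe to re-run after a manual edit; a file with no AuthenticationMethods line is refused rather than given a guessed first factor.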
5. Open the PAM configuration file in a text editor (requires superuser permissions). This should be the PAM configuration file for the service that you want to protect with PingID. If you are protecting the ssh service, on most Linux installations the relevant configuration file is /etc/pam.d/sshd. Your /etc/pam.d directory may contain specific configuration files that are included in the configuration file for ssh, for example, system-auth, common-auth and password-auth. If you include the PingID PAM module in a top-level configuration file, it will affect all the services that are referenced in that configuration file.

6. Since the PingID module is added to serve as a second authentication factor, the configuration changes described in this step can differ slightly, depending on the first authentication factor used. Choose from:

   - If the first authentication step consists of username/password:
     - Add pam_pingid.so after pam_unix.so in the configuration file.
     - Set the control options for pam_pingid.so to be the same as those currently set for pam_unix.so.
     - Change the control option for pam_unix.so to requisite, which means that the step must be successful for authentication to continue.

   - If the first authentication step is key-based authentication:
     - Add pam_pingid.so after pam_unix.so in the configuration file (if pam_unix.so appears there).
     - Set the control options for pam_pingid.so to be the same as those currently set for pam_unix.so.
     - Remove pam_unix.so from the file to prevent the username/password dialog from being displayed.
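The following is an added example and is not configuration or code from the PingID documentation: constructed "after" excerpts of /etc/pam.d/sshd for both first-factor cases in step 6, together with a shell check that reads a PAM service file's auth lines and reports whether they follow the rules of the case you chose. The control values (required, requisite) are illustrative, the check function is the example's own, and pam_pingid.so is shown without arguments because the page gives none. If your auth lines come from an included file (system-auth, common-auth, password-auth), run the check on that file.

```shell
#!/bin/sh
# Added example, not part of the PingID documentation: check that the "auth"
# stack of a PAM service file follows step 6 for the chosen first factor, and
# show constructed "after" excerpts for both cases. Control values are
# illustrative; keep whatever control your pam_unix.so line had.

# Usage: check_pingid_pam FILE FIRST_FACTOR
#   FIRST_FACTOR "password": pam_unix.so must be requisite and pam_pingid.so
#                            must come after it.
#   FIRST_FACTOR "key":      pam_unix.so must be gone from auth so no password
#                            prompt is shown; pam_pingid.so must be present.
# Exits 0 when the rules hold, 1 with a message when they do not.
check_pingid_pam() {
    file=$1; first_factor=$2
    awk -v mode="$first_factor" -v file="$file" '
        # The module is the first field ending in .so; the control before it may
        # be one word (required) or a bracketed list ([success=1 default=ignore]).
        function module(   i) { for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) return $i; return "" }
        $1 == "auth" && module() == "pam_unix.so"   { unix_nr = NR; unix_ctl = $2 }
        $1 == "auth" && module() == "pam_pingid.so" { pingid_nr = NR }
        END {
            if (!pingid_nr) { print file ": no auth line for pam_pingid.so"; exit 1 }
            if (mode == "password") {
                if (!unix_nr) { print file ": no pam_unix.so auth line for the password factor"; exit 1 }
                if (unix_ctl != "requisite") { print file ": pam_unix.so control is " unix_ctl ", expected requisite"; exit 1 }
                if (pingid_nr < unix_nr) { print file ": pam_pingid.so must follow pam_unix.so"; exit 1 }
            } else if (mode == "key") {
                if (unix_nr) { print file ": remove pam_unix.so from auth so no password prompt is shown"; exit 1 }
            } else { print "unknown first factor: " mode; exit 2 }
            print file ": auth stack OK (" mode " first factor)"
        }' "$file"
}

# Constructed /etc/pam.d/sshd excerpt, first factor username/password:
# pam_pingid.so follows pam_unix.so with the control pam_unix.so used to have
# (required here), and pam_unix.so itself is changed to requisite.
pw=$(mktemp)
cat > "$pw" <<'EOF'
auth       requisite    pam_unix.so nullok
auth       required     pam_pingid.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF

# Constructed excerpt, first factor SSH key: pam_unix.so is removed from auth
# so no username/password dialog appears; pam_pingid.so carries the control
# pam_unix.so had.
key=$(mktemp)
cat > "$key" <<'EOF'
auth       required     pam_pingid.so
account    required     pam_unix.so
session    required     pam_unix.so
EOF

check_pingid_pam "$pw" password
check_pingid_pam "$key" key
rm -f "$pw" "$key"
```

The check only looks at lines whose first field is auth, so commented lines, the optional "-auth" form, and account/session entries are ignored, and include or substack lines (which name no .so module) are skipped; that is why an included file must be checked on its own. Test it against the file you edited before restarting sshd, with the root session from the tip above still open.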
7. Restart the sshd service:

   sudo service sshd restart