PingID Administration Guide

Integrate PingID with SSH

PingID provides SSH authentication services to protect local and remote sign on to Linux and Unix systems, including configuration options for Pluggable Authentication Module (PAM) and ForceCommand.

For more information about required web access, see PingID required domains, URLs, and ports.

Before attempting to configure this integration, ensure that you have sufficient expertise in your Linux distribution and experience troubleshooting PAM and ForceCommand configurations.

The PingID module performs MFA only when it is invoked by the ForceCommand or PAM configuration. If PingID is not being invoked as expected, the cause is most likely a misconfiguration in your Linux configuration files. Ping Identity Support's ability to assist with questions related to Linux configuration is limited, and you should be prepared to consult Linux forums or other Linux experts for assistance.

Secure Shell (SSH)

SSH is an encrypted network protocol, which provides a remote or local secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server.

Pluggable authentication module (PAM)

PAM is a mechanism to integrate low-level authentication schemes into a high-level API. Applications that rely on authentication can be developed independently of the underlying authentication scheme.

ForceCommand

ForceCommand safely executes remote commands through SSH. ForceCommand can be associated with the SSH configuration of authorized keys.

Limitation of ForceCommand

When PingID MFA is configured through ForceCommand, SSH commands that do not support interactive sessions, such as scp and sftp, do not allow authentication with a one-time passcode (OTP).

This limitation does not apply when:

  • Authenticating using a mobile device (push).

  • PingID MFA is configured through the PAM module.
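To see which of the two mechanisms a host relies on, and where the scp/sftp limitation applies, the following added example (not part of the PingID documentation or agent) parses an sshd_config and reports each ForceCommand scope and whether PAM is enabled. The sample configuration is constructed, `/path/to/mfa-wrapper` is a placeholder rather than a PingID path, and the parser assumes whitespace-separated `Keyword value` lines.

```python
"""Report how an sshd_config could invoke an MFA step: ForceCommand or PAM."""

# Constructed sample; /path/to/mfa-wrapper is a placeholder, not a PingID path.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config for illustration
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server

Match Group mfa-users
    ForceCommand /path/to/mfa-wrapper
Match User backup
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Yield (scope, keyword, value); scope is 'global' or the Match criteria."""
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # assumes whitespace-separated "Keyword value"
        keyword = parts[0].lower()   # sshd_config keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "global" if value.lower() == "all" else value
            continue
        yield scope, keyword, value


def audit_mfa_hooks(text):
    """Summarise ForceCommand scopes and PAM status, with the scp/sftp caveat."""
    entries = list(parse_sshd_config(text))
    use_pam = any(k == "usepam" and v.lower() == "yes" for _, k, v in entries)
    forced = [(s, v) for s, k, v in entries
              if k == "forcecommand" and v.lower() != "none"]
    findings = [
        f"{scope}: ForceCommand {cmd}: scp/sftp cannot prompt for an OTP here"
        for scope, cmd in forced
    ]
    if use_pam:
        findings.append("UsePAM yes: MFA wired in through PAM avoids that limit")
    return {"use_pam": use_pam,
            "force_command_scopes": [s for s, _ in forced],
            "findings": findings}


if __name__ == "__main__":
    for finding in audit_mfa_hooks(SAMPLE_SSHD_CONFIG)["findings"]:
        print(finding)
```

`UsePAM yes` only shows that PAM is enabled for sshd; whether an MFA module is actually in the PAM stack has to be checked in the PAM service files.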

Adding multi-factor authentication (MFA) to a Unix or Linux system might result in locking you out of the system. To minimize this risk, back up your system before beginning an installation, and during an installation, keep a separate open session with root permissions.

Obtaining the PingID properties file for SSH

A PingID properties file is required during the installation of the PingID SSH agent.

Properties files can have full or restricted permissions. Use full permissions with care: they enable on-the-fly enrollment, device management, and authentication, which might not be desirable. For information on downloading the PingID properties file, see Managing the PingID properties file.