Configuring PAM - PingID

PingID Administration Guide


Configure the PingID SSH installation to enable it to work with PAM.

CAUTION: Do not enable PAM for SSHD while ForceCommand is being used. Doing so will confuse the SSHD service and may cause authentication issues in SSHD-based utilities such as ssh, scp, and sftp.
Important: While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

This procedure assumes that PingID was installed with --prefix=/usr:

  1. Edit the relevant PAM conf file.
    Note: The "relevant" configuration file is the configuration file used by the service you want to protect with PingID. For example, if you want to protect the ssh service, the relevant configuration file on most Linux platforms is /etc/pam.d/sshd. Note, however, that the /etc/pam.d directory often contains general configuration files, such as system-auth, common-auth and password-auth, which are included in the ssh configuration file. If you include the PingID PAM module in a general configuration file, it will affect all the services that refer to that configuration file.
  2. As a rule of thumb:
    1. Add pam_pingid.so after pam_unix.so
    2. Set pam_pingid.so control options to be the same as pam_unix.so
  3. Change pam_unix.so control options to requisite
    Note: If pam_pingid.so is installed under /lib64/security (rather than /lib/security), specify /lib64/security/pam_pingid.so in the PAM conf file.
  4. Apply PingID to SSH by editing the sshd_config file:
    1. Run
      sudo vi /etc/ssh/sshd_config
    2. Set the following parameters:
      • UsePAM to yes
      • ChallengeResponseAuthentication to yes
      • PasswordAuthentication to no
  5. Configure PAM for public key authentication by adding the following line to the SSHD configuration file, sshd_config.
    AuthenticationMethods publickey,keyboard-interactive

    Remove pam_unix.so from the PAM configuration for SSHD, to prevent display of a password prompt for the keyboard-interactive authentication method.

    Note:

    PAM authentication is supported for SSHD with public key authentication, only when using OpenSSH 6.2 and later.

    To check the OpenSSH version, run ssh -V.

  6. Restart the sshd service.

    sudo service sshd restart

  7. Proceed to Pairing the end user device
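
An added example, not part of the PingID documentation: a shell check that reads copies of sshd_config and the PAM service file and reports any setting that deviates from the procedure above, including the ForceCommand conflict from the caution and the public key variant. The function names and the simplified parsing (first keyword occurrence only; Match blocks and included PAM files such as system-auth are not followed) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Ping Identity code): audit copies of sshd_config and the
# PAM service file against the settings listed in the procedure above.

# First value of an sshd_config keyword; sshd uses the first occurrence and
# keywords are case-insensitive. Match blocks are not evaluated (simplification).
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# "LINE CONTROL" of the first active auth entry that loads the named module.
pam_auth() {
    awk -v m="$2" '$1 == "auth" && index($0, m) { print NR, $2; exit }' "$1"
}

fail() { echo "FAIL: $*"; bad=1; }

# check_pingid_ssh SSHD_CONFIG PAM_FILE: prints findings, returns 0 if clean.
check_pingid_ssh() {
    cfg=$1; pam=$2; bad=0
    [ "$(sshd_value "$cfg" UsePAM)" = yes ] || fail "UsePAM is not yes"
    [ "$(sshd_value "$cfg" ChallengeResponseAuthentication)" = yes ] ||
        fail "ChallengeResponseAuthentication is not yes"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ] ||
        fail "PasswordAuthentication is not no"
    [ -z "$(sshd_value "$cfg" ForceCommand)" ] ||
        fail "ForceCommand is set while PAM is enabled"

    pingid=$(pam_auth "$pam" pam_pingid.so); unix=$(pam_auth "$pam" pam_unix.so)
    [ -n "$pingid" ] || fail "pam_pingid.so is not in the auth stack"
    methods=$(sshd_value "$cfg" AuthenticationMethods)
    if [ "$methods" = publickey,keyboard-interactive ]; then
        # Public key variant: pam_unix.so is removed to avoid a password prompt.
        [ -z "$unix" ] || fail "pam_unix.so still present with public key auth"
    elif [ -z "$unix" ]; then
        fail "pam_unix.so is not in the auth stack"
    else
        [ "${unix#* }" = requisite ] || fail "pam_unix.so control is not requisite"
        [ -z "$pingid" ] || [ "${unix%% *}" -lt "${pingid%% *}" ] ||
            fail "pam_pingid.so must come after pam_unix.so"
    fi
    return "$bad"
}

# Run as: sh check.sh /etc/ssh/sshd_config /etc/pam.d/sshd (script name is arbitrary)
if [ $# -eq 2 ]; then check_pingid_ssh "$1" "$2"; fi
```

Run it against edited copies before restarting sshd, while the root session mentioned above is still open.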