While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.


Limitation of ForceCommand:

When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP).

The above limitation does not apply when authenticating using a mobile device (push).

This procedure assumes that PingID was installed with --prefix=/usr:

  1. Add the following lines at the end of the SSH configuration file (for example, /etc/ssh/sshd_config). Choose the variant that matches the scope you want:

    Enable a single user:

      # enable pingid for testuser
      Match User testuser
      ForceCommand /usr/sbin/pingid_fc

    Disable a single user:

      # disable pingid for testuser
      Match User !testuser
      ForceCommand /usr/sbin/pingid_fc

    Enable a group:

      # enable pingid for all users in testgroup
      Match Group testgroup
      ForceCommand /usr/sbin/pingid_fc

    Disable a group:

      # disable pingid for all users in testgroup
      Match User * Group !testgroup
      ForceCommand /usr/sbin/pingid_fc

    Enable all users:

      # enable pingid for all users
      ForceCommand /usr/sbin/pingid_fc

    Disable PermitTunnel and AllowTcpForwarding in the sshd_config file, because tunneling and port forwarding are set up before the ForceCommand runs and are therefore available before PingID authentication is triggered.

  2. Restart the sshd service:

    sudo service sshd restart
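Before restarting sshd it is worth checking the file you just edited: a syntax error in sshd_config prevents the daemon from starting, and because a Match block extends from its Match line to the next Match line or the end of the file, PermitTunnel and AllowTcpForwarding lines added after the Match block apply only to the matched users rather than globally. The following bash script is an added example, not PingID's own tooling; it uses the /usr/sbin/pingid_fc path and the testuser name from this page, and both sshd_config excerpts it checks are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not PingID's code): static sanity check of an sshd_config
# before "sudo service sshd restart", so a misplaced keyword is caught while
# the root session from the note above is still open.

# Constructed sample 1: "enable all users" variant with the hardening
# keywords in the global section, where they apply to every connection.
GOOD_CONF="$(mktemp)"
cat > "$GOOD_CONF" <<'EOF'
# constructed sshd_config excerpt for illustration
PermitTunnel no
AllowTcpForwarding no

# enable pingid for all users
ForceCommand /usr/sbin/pingid_fc
EOF

# Constructed sample 2: the hardening keywords were appended after a Match
# block, so sshd applies them only to testuser, not globally.
BAD_CONF="$(mktemp)"
cat > "$BAD_CONF" <<'EOF'
# constructed sshd_config excerpt for illustration
# enable pingid for testuser
Match User testuser
ForceCommand /usr/sbin/pingid_fc
PermitTunnel no
AllowTcpForwarding no
EOF
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Usage: global_setting_is FILE KEYWORD VALUE
# Succeeds if KEYWORD is set to VALUE in the global (pre-Match) section.
# sshd_config keywords are case-insensitive; only the whitespace-separated
# "Keyword value" form is recognised here, not "Keyword=value".
global_setting_is() {
    awk -v key="$2" -v want="$3" '
        tolower($1) == "match" { exit }   # first Match line ends the global section
        tolower($1) == tolower(key) && tolower($2) == tolower(want) { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Usage: has_forcecommand FILE COMMAND
# Succeeds if a non-comment ForceCommand line pointing at COMMAND appears
# anywhere in FILE (global section or inside a Match block).
has_forcecommand() {
    awk -v cmd="$2" '
        tolower($1) == "forcecommand" && $2 == cmd { ok = 1 }
        END { if (ok) exit 0; exit 1 }
    ' "$1"
}

# Usage: check_pingid_sshd_config FILE
# Prints one line per check and returns the number of failed checks
# (0 means the file passed all of them).
check_pingid_sshd_config() {
    local conf="$1" failures=0 kw
    if has_forcecommand "$conf" /usr/sbin/pingid_fc; then
        echo "ok   ForceCommand /usr/sbin/pingid_fc present"
    else
        echo "FAIL no ForceCommand /usr/sbin/pingid_fc found"
        failures=$((failures + 1))
    fi
    for kw in PermitTunnel AllowTcpForwarding; do
        if global_setting_is "$conf" "$kw" no; then
            echo "ok   $kw no (global section)"
        else
            echo "FAIL $kw is not set to 'no' in the global section"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

echo "== sample 1 (hardening before any Match block)"
check_pingid_sshd_config "$GOOD_CONF"
echo "== sample 2 (hardening appended after a Match block)"
check_pingid_sshd_config "$BAD_CONF" || echo "sample 2: $? check(s) failed"
```

On the real host, complement this with OpenSSH's own checks: sshd -t parses the live configuration and reports syntax errors without touching the running daemon, and sshd -T -C user=testuser prints the effective settings, including ForceCommand, that sshd would apply to a connection from that user.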