Important:

While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.

Note:

Limitation of ForceCommand:

When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP).

The above limitation does not apply when authenticating using a mobile device (push).

This procedure assumes that PingID was installed with --prefix=/usr:

  1. Add the lines for one of the following options at the end of the SSH configuration file (for example, /etc/ssh/sshd_config).

    Option: Enable single user

        # enable pingid for testuser
        Match User testuser
        ForceCommand /usr/sbin/pingid_fc

    Option: Disable single user

        # disable pingid for testuser
        # (a negated pattern never matches by itself, so it is paired with the * wildcard)
        Match User *,!testuser
        ForceCommand /usr/sbin/pingid_fc

    Option: Enable group

        # enable pingid for all users in testgroup
        Match Group testgroup
        ForceCommand /usr/sbin/pingid_fc

    Option: Disable group

        # disable pingid for all users in testgroup
        # (a negated pattern never matches by itself, so it is paired with the * wildcard)
        Match User * Group *,!testgroup
        ForceCommand /usr/sbin/pingid_fc

    Option: Enable all users

        # enable pingid for all users
        ForceCommand /usr/sbin/pingid_fc

    Note:

    Disable PermitTunnel and AllowTcpForwarding in the sshd_config file because tunneling and port forwarding are performed before PingID authentication is triggered.

  2. Restart the sshd service:

    sudo service sshd restart
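
A check to run from the open root session before the restart, as an added example that is not part of the PingID documentation: it reads the output of `sshd -T` and confirms that the settings this procedure relies on are in effect for a given user. The function names `check_pingid_effective` and `effective_value` are made up for this example, and it assumes an OpenSSH sshd that accepts `-T -C user=...`.

```shell
#!/bin/sh
# Added example: verify the effective sshd settings behind the PingID
# ForceCommand setup. Reads `sshd -T` output on stdin.
# Typical use, as root, before restarting sshd:
#   sshd -t && sshd -T -C user=testuser | check_pingid_effective

PINGID_FC=/usr/sbin/pingid_fc   # path from the procedure (--prefix=/usr)

# effective_value KEYWORD: print KEYWORD's value from the dump held in $DUMP.
# `sshd -T` prints one lowercase keyword per line followed by its value.
effective_value() {
    printf '%s\n' "$DUMP" |
        awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 when every expected setting is in effect, otherwise the
# number of settings that differ (each one is reported on stderr).
check_pingid_effective() {
    DUMP=$(cat)
    failures=0
    for pair in "forcecommand=$PINGID_FC" \
                "allowtcpforwarding=no" \
                "permittunnel=no"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$key")
        if [ "$got" = "$want" ]; then
            echo "ok:   $key $got"
        else
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Run it once for a user who should be prompted by PingID; for a user excluded by a Match block, a `forcecommand` failure is the expected result.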