Configure the PingID SSH installation to enable it to work with ForceCommand.
While changing SSHD or PAM configurations, keep an open session with root permissions. This will allow you to reverse any changes without being locked out of the server.
Limitation of ForceCommand:
When PingID MFA is configured via ForceCommand, SSH commands that don't support interactive sessions (for example, scp and sftp) do not allow authentication with a One Time Passcode (OTP).
The above limitation does not apply when authenticating using a mobile device (push).
This procedure assumes that PingID was installed with
Add the following lines at the end of the SSH configuration file (for example,
Option: Enable single user

    # enable pingid for testuser
    Match User testuser
    ForceCommand /usr/sbin/pingid_fc

Option: Disable single user

    # disable pingid for testuser
    # (a negated pattern never matches on its own, so it is paired with the * wildcard)
    Match User *,!testuser
    ForceCommand /usr/sbin/pingid_fc

Option: Enable group

    # enable pingid for all users in testgroup
    Match Group testgroup
    ForceCommand /usr/sbin/pingid_fc

Option: Disable group

    # disable pingid for all users in testgroup
    # (the negated group is paired with * for the same reason)
    Match User * Group *,!testgroup
    ForceCommand /usr/sbin/pingid_fc

Option: Enable all users

    # enable pingid for all users
    ForceCommand /usr/sbin/pingid_fc

Note:
Disable PermitTunnel and AllowTcpForwarding in the sshd_config file because tunneling and port forwarding are performed before PingID authentication is triggered.
Restart the sshd service:

    sudo service sshd restart
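After the restart, the settings that sshd actually applies to a given user can be checked. The following is an added example, not part of the PingID documentation: a shell function that reads `sshd -T` output and flags a user for whom ForceCommand is not /usr/sbin/pingid_fc, or for whom PermitTunnel or AllowTcpForwarding is still enabled. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PingID documentation).
# Real use, as root, once per user you want to verify:
#   sshd -T -C user=testuser,host=localhost,addr=127.0.0.1 | audit_pingid_fc
PINGID_FC=/usr/sbin/pingid_fc   # helper path as given on this page

# audit_pingid_fc (hypothetical name): reads `sshd -T` style lines on stdin,
# prints one FAIL line per problem (or OK), and returns the problem count.
audit_pingid_fc() {
    awk -v fc="$PINGID_FC" '
        function show(v) { return v == "" ? "(missing)" : v }
        { key = tolower($1) }
        key == "forcecommand"       { fcval = $2 }
        key == "permittunnel"       { tun = $2 }
        key == "allowtcpforwarding" { fwd = $2 }
        END {
            bad = 0
            # "none" or another command: the Match rule did not apply to this user
            if (fcval != fc) { print "FAIL forcecommand=" show(fcval); bad++ }
            # tunnels and forwards are set up before the forced command runs
            if (tun != "no") { print "FAIL permittunnel=" show(tun); bad++ }
            if (fwd != "no") { print "FAIL allowtcpforwarding=" show(fwd); bad++ }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample inputs in the format `sshd -T` prints (lowercase keywords).
sample_enforced() {
    printf '%s\n' 'port 22' 'forcecommand /usr/sbin/pingid_fc' \
        'permittunnel no' 'allowtcpforwarding no'
}
sample_unmatched() {   # user not covered by any Match block
    printf '%s\n' 'forcecommand none' 'permittunnel no' 'allowtcpforwarding no'
}
sample_forwarding() {  # MFA enforced, but forwarding and tunnels left enabled
    printf '%s\n' 'forcecommand /usr/sbin/pingid_fc' \
        'permittunnel point-to-point' 'allowtcpforwarding yes'
}

# Demonstration on the constructed input; prints two FAIL lines.
sample_forwarding | audit_pingid_fc || true
```

Run the check for a user who should be covered and for one who should be exempt, so that a Match rule that silently applies to nobody (or to everybody) is caught before users are paired.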
- Proceed to Pairing the end user device