Linux systems
Support for domain-joined Linux systems
If you have Linux systems joined to the domain with sssd, likewise-open (pbis), or similar, you can enforce 2-factor for AuthLite users when they log on to these systems. The Linux system needs a PAM module and some configuration so that the OTP is passed to AuthLite first and the password portion of the logon is then allowed to proceed.
Changes needed to SSSD
All of the following items refer to the [domain/...] section in the file /etc/sssd/sssd.conf
Offline caching
Consider setting:
cache_credentials = False
so that domain users cannot log on with a cached password alone while the system is offline (a cached logon never reaches the DC, so the OTP would not be checked).
DC Ordering
For 2-factor logons to work correctly, we need the OTP lookup to go to the same DC that gets the Kerberos authentication.
SSSD and the Kerberos libraries on Linux choose a DC through a somewhat involved process. Making matters worse, some SSSD builds appear to ignore the relevant configuration directives for reasons we don't really understand. Thus, here are two ways of achieving the correct result, in order of preference.
Best way: force SSSD and krb5 to use the same DC.
Add or change the following directives:
krb5_use_kdcinfo = True
krb5_kdcinfo_lookahead = 0
Fallback approach: force a strict ordering of which DCs to use.
Use the "ad_server" setting to specify the exact order in which your DCs are tried, followed by _srv_ to revert to the DNS SRV lookup algorithm if your preferred DCs are unavailable:
ad_server = the.fqdn.of.server1,fqdn.server2,_srv_
After making changes, restart the sssd service with:
sudo service sssd restart
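The three SSSD changes above, collected into one [domain/...] section so they can be compared against an existing file. This is an added illustration, not configuration shipped by AuthLite: the domain name, realm and DC names are placeholders, and the id_provider/access_provider/ad_domain/krb5_realm lines are only the usual identifiers of an AD-joined domain section, assumed here so the fragment is complete. Only one of the two DC-ordering approaches should be active at a time; the fallback is shown commented out.

```ini
[domain/example.com]
# Assumed: a typical AD-joined domain section (names are placeholders)
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Offline caching: no password-only logons from the local credential cache
cache_credentials = False

# DC ordering, preferred: have pam_sss/krb5 use the DC SSSD selected, so the
# OTP lookup and the Kerberos authentication reach the same DC
krb5_use_kdcinfo = True
krb5_kdcinfo_lookahead = 0

# DC ordering, fallback (use instead of the two lines above if your SSSD
# build ignores them): strict DC order, then DNS SRV lookup
# ad_server = dc1.example.com,dc2.example.com,_srv_
```

Restart sssd after editing the file, and check the new settings are actually in effect before testing logons.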
Prerequisites
We need cmake (version 3), a c++ compiler, and the PAM development library. So depending on your configuration:
Debian-like systems
Install prerequisite packages with command:
sudo apt-get install cmake g++ libpam0g-dev
RedHat 7 (and later)-like systems
Install prerequisite packages with command:
sudo yum install cmake3 make gcc-c++ pam-devel
CentOS 8-like systems
Install prerequisite packages with command:
sudo yum install cmake make gcc-c++ pam-devel
SUSE-like systems
Install prerequisite packages with command:
sudo zypper install cmake3 make gcc-c++ pam-devel
Build and install pam_authlite module
- Get the Linux PAM module archive from the Downloads page and expand it with command:
tar -xzf <replace this with the actual pam_authlite.tar.gz file name>
- Go into the build directory:
cd pam_authlite
- Create the build system and build the module with either:
cmake3 . ; make
or:
cmake . ; make
(depending on whether your version-3 cmake is called "cmake3" or "cmake")
- If the module builder can't determine how to adjust your PAM settings, it will print one or more warnings to the console. Please request support if needed.
- If the build succeeded and produced no errors or warnings, you may now install and activate the module with:
sudo make install
- If your distribution (e.g. SUSE) does not let the installer modify its own PAM configuration, you have to convert it to a manual PAM configuration and edit the file /etc/pam.d/common-auth to add the line
auth optional pam_authlite.so
before the line containing "pam_sss".
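For the manual PAM edit in the last step, a small script that makes the change safely: it inserts the AuthLite line once, immediately before the first auth line that references pam_sss, keeps a backup, and refuses to touch a file that has no pam_sss line rather than guess where the module belongs. This is an added example, not part of the pam_authlite package; the function name, the backup file name and the decision to match only lines beginning with "auth" are assumptions. Run it as root against /etc/pam.d/common-auth.

```sh
#!/bin/sh
# Insert "auth optional pam_authlite.so" before the first "auth ... pam_sss"
# line of a PAM auth file, idempotently, keeping a backup copy.
# Usage (as root): . ./add_pam_authlite.sh; add_pam_authlite /etc/pam.d/common-auth
# The inserted line is the one the instructions above specify; the function
# name and backup naming are assumptions made for this example.
AUTHLITE_LINE='auth optional pam_authlite.so'

add_pam_authlite() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Already configured: do nothing, so re-running the script is harmless.
    if grep -q 'pam_authlite\.so' "$file"; then
        return 0
    fi

    # Without a pam_sss line there is no defined insertion point; bail out
    # instead of appending the module somewhere it will not run before sss.
    if ! grep -q '^auth[ 	].*pam_sss' "$file"; then
        echo "no 'auth ... pam_sss' line in $file; edit it manually" >&2
        return 1
    fi

    cp -p "$file" "$file.bak" || return 2

    # Print the AuthLite line once, just before the first matching auth line,
    # then copy every original line through unchanged. Write via a temp file
    # and cat it back so the target keeps its owner and mode.
    awk -v line="$AUTHLITE_LINE" '
        !done && /^auth[ \t].*pam_sss/ { print line; done = 1 }
        { print }
    ' "$file.bak" > "$file.tmp" \
        && cat "$file.tmp" > "$file" \
        && rm -f "$file.tmp"
}
```

After running it, confirm the order with grep -n 'pam_authlite\|pam_sss' /etc/pam.d/common-auth: the pam_authlite line must have the lower line number, or the OTP will never reach AuthLite before SSSD authenticates.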
Removing the PAM module
- To revert any changes made by running "make install", run the command:
sudo make uninstall
Configure AuthLite
Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:
- Forced 2-Factor Computers (because Linux generally can't see group policy enforcement, and even when it does it does static group lookups so we can't rely on 2F-tagging)
- LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
- Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)
These settings take about 20 minutes to apply (plus inter-site replication time, if applicable).
Testing 2F Logon
In the build directory, you can run a test program to check whether authentication is working. Below, 'sandbox' is the NETBIOS domain name, and 'duser2' is the username.
./pam_authlite_test login sandbox\\duser2
Start result: 0
Password: (enter the password followed by dash and OTP here)
Auth result: 0
If the Auth result is zero (0) the call succeeded. If it is seven (7), which is PAM_AUTH_ERR, the authentication was rejected by the DC.
Note that this test does not confirm 2FA is being used; it only checks whether the DC allowed the authentication. You must apply the settings in the "Configure AuthLite" section above to enforce 2FA. To prove enforcement is working, authenticate as an AuthLite user with just the password, omitting the OTP: that attempt must be rejected (result 7), while password plus OTP must still succeed (result 0).