Support for domain-joined Linux systems

If you have Linux systems joined to the domain with sssd, likewise-open (pbis), or similar, you can enforce 2-factor for AuthLite users when they log on to these systems. They will need a PAM module and some configuration to pass the OTP to AuthLite and then allow the password portion of the logon to work.

Changes needed to SSSD

All of the following items refer to the [domain/...] section in the file /etc/sssd/sssd.conf

Offline caching

Consider setting:

cache_credentials = False

so domain users are prohibited from logging in using cached mode with password-only.

DC Ordering

For 2-factor logons to work correctly, we need the OTP lookup to go to the same DC that gets the Kerberos authentication.

SSSD and the kerberos features of Linux have a somewhat complicated way of picking a DC. Making matters worse, some SSSD builds seem to ignore configuration directives for reasons we don't really understand. Thus, here are two ways of achieving the correct result, in order of preference.

Best way: force SSSD and krb5 to use the same DC.
Add or change the following directives:
krb5_use_kdcinfo = True
krb5_kdcinfo_lookahead = 0
Fallback approach: force a strict ordering of which DCs to use.
Use the "ad_server" setting, to specify an exact order for your DCs to be used, followed by _srv_ to revert to the lookup algorithm if your preferred DCs are unavailable:
ad_server = the.fqdn.of.server1,fqdn.server2,_srv_

After making changes, restart the sssd service with:

sudo service sssd restart

Prerequisites

We need cmake (version 3), a c++ compiler, and the PAM development library. So depending on your configuration:

Debian-like systems

Install prerequisite packages with command:
sudo apt-get install cmake g++ libpam0g-dev

RedHat 7(and later)-like systems

Install prerequisite packages with command:
sudo yum install cmake3 make gcc-c++ pam-devel

CentOS 8-like systems

Install prerequisite packages with command:
sudo yum install cmake make gcc-c++ pam-devel

SUSE-like systems

Install prerequisite packages with command:
sudo zypper install cmake3 make gcc-c++ pam-devel

Build and install pam_authlite module

Get the Linux PAM module archive from the Downloads page and expand it with command:
tar -xzf <replace this with the actual pam_authlite.tar.gz file name>
Go into the build directory:
cd pam_authlite
Create the build system and build the module with either:
cmake3 . ; make
or:
cmake . ; make
(depending on whether your version-3 cmake is called "cmake3" or "cmake")
If the module builder can't determine how to adjust your PAM settings, it will print one or more warnings to the console. Please request support if needed.
If the build succeeded and produced no errors or warnings, you may now install and activate the module with:
sudo make install
If your distribution (e.g. SUSE) cannot modify its own PAM configuration, you have to convert it to a manual PAM configuration and edit the file /etc/pam.d/common-auth to add the line
auth optional pam_authlite.so
before the line containing "pam_sss"

Removing the PAM module

To revert any changes made by running "make install", run the command:
sudo make uninstall

Configure AuthLite

Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:

Forced 2-Factor Computers (because Linux generally can't see group policy enforcement, and even when it does it does static group lookups so we can't rely on 2F-tagging)
LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)

These settings will take 20 minutes to apply (plus time for inter-site replication, if applicable)

Testing 2F Logon

In the build directory, you can run a test program to check whether authentication is working. Below, 'sandbox' is the NETBIOS domain name, and 'duser2' is the username.

./pam_authlite_test login sandbox\\duser2

Start result: 0

Password: (enter the password followed by dash and OTP here)

Auth result: 0

If the Authentication result is zero (0) then the call succeeded. If it is seven (7) then the authentication was rejected by the DC.

Note that this test does not confirm 2FA is being used, it just checks if the authentication was allowed by the DC. You must follow the settings above in section "Configure AuthLite" to enforce 2FA. To prove it's working, attempt to authenticate with an AuthLite User and just their password, omitting the OTP.

Multiple OTP Tokens for the Same User