AuthLite Interactive Documentation

Support for domain-joined Linux systems

If you have Linux systems joined to the domain with sssd, likewise-open (pbis), or similar, you can enforce 2-factor for AuthLite users when they log on to these systems. They will need a PAM module and some configuration to pass the OTP to AuthLite and then allow the password portion of the logon to work.

Changes needed to SSSD

All of the following items refer to the [domain/...] section of the file /etc/sssd/sssd.conf.

Offline caching

Consider setting:

cache_credentials = False

so domain users are prohibited from logging in using cached mode with password-only.

DC Ordering

For 2-factor logons to work correctly, we need the OTP lookup to go to the same DC that gets the Kerberos authentication.

SSSD and the kerberos features of Linux have a somewhat complicated way of picking a DC.  Making matters worse, some SSSD builds seem to ignore configuration directives for reasons we don't really understand.  Thus, here are two ways of achieving the correct result, in order of preference.

  • Best way: force SSSD and krb5 to use the same DC.

    Add or change the following directives:
    krb5_use_kdcinfo = True
    krb5_kdcinfo_lookahead = 0
  • Fallback approach: force a strict ordering of which DCs to use.

    Use the "ad_server" setting to specify an exact order in which your DCs are used, followed by _srv_ to revert to the lookup algorithm if your preferred DCs are unavailable:
    ad_server = the.fqdn.of.server1,fqdn.server2,_srv_

After making changes, restart the sssd service with:

sudo service sssd restart
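As an added example (not AuthLite's own tooling), the script below audits the [domain/...] section of an sssd.conf for the settings recommended above: cache_credentials off, and the Kerberos DC either pinned via kdcinfo or given an explicit ad_server order ending in _srv_. The two sample configs are constructed inline; the file path passed to check_sssd_conf is an assumption.

```shell
#!/bin/sh
# Added example (not AuthLite's own tooling): audit the [domain/...] section of
# an sssd.conf for the settings above. Sample configs below are constructed.
# get_setting FILE KEY: print KEY's value (trimmed, lowercased) from the first
# [domain/...] section, or nothing if it is not set there.
get_setting() {
    awk -v k="$2" '
        /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//); next }
        in_dom && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key == k) { v = $0; sub(/^[^=]*=[ \t]*/, "", v)
                            sub(/[ \t]+$/, "", v); print tolower(v); exit }
        }' "$1"
}
# check_sssd_conf FILE: print one line per finding; return 0 only when cached
# password-only logon is off AND the DC used for Kerberos is pinned/ordered.
check_sssd_conf() {
    f="$1"; rc=0
    cc=$(get_setting "$f" cache_credentials)
    if [ "$cc" = "false" ]; then echo "OK: cache_credentials = False"
    else echo "WARN: cache_credentials is '${cc:-unset}'; cached password-only logon possible"; rc=1; fi
    if [ "$(get_setting "$f" krb5_use_kdcinfo)" = "true" ] &&
       [ "$(get_setting "$f" krb5_kdcinfo_lookahead)" = "0" ]; then
        echo "OK: krb5 pinned to SSSD's chosen DC via kdcinfo"
    else
        case "$(get_setting "$f" ad_server)" in
            *,*_srv_) echo "OK: explicit ad_server order with _srv_ fallback" ;;
            *) echo "WARN: no kdcinfo pinning and no ad_server list ending in _srv_"; rc=1 ;;
        esac
    fi
    return $rc
}
# Constructed samples: a hardened domain section and a default-looking one.
write_good_conf() { cat > "$1" <<'EOF'
[domain/example.local]
cache_credentials = False
krb5_use_kdcinfo = True
krb5_kdcinfo_lookahead = 0
EOF
}
write_weak_conf() { cat > "$1" <<'EOF'
[domain/example.local]
cache_credentials = True
ad_server = dc1.example.local
EOF
}
tmp=$(mktemp -d); write_good_conf "$tmp/good.conf"; write_weak_conf "$tmp/weak.conf"
check_sssd_conf "$tmp/good.conf" && echo "good.conf: compliant"
check_sssd_conf "$tmp/weak.conf" || echo "weak.conf: NOT compliant"
```

Run it against the real file with check_sssd_conf /etc/sssd/sssd.conf after editing, and again after the sssd restart to confirm the file on disk matches what you intended.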

Prerequisites

We need cmake (version 3), a C++ compiler, and the PAM development library. So, depending on your configuration:

Debian-like systems

sudo apt-get install cmake g++ libpam0g-dev

RedHat 7 (and later)-like systems

sudo yum install cmake3 make gcc-c++ pam-devel

CentOS 8-like systems

sudo yum install cmake make gcc-c++ pam-devel

Build and install pam_authlite module

  • Get the Linux PAM module archive from the Downloads page and expand it with the command:
    tar -xzf <replace this with the actual pam_authlite.tar.gz file name>
  • Go into the build directory:
    cd pam_authlite
  • Create the build system and build the module with either:
    cmake3 . ; make
    or:
    cmake . ; make
    (depending on whether your version-3 cmake is called "cmake3" or "cmake")
  • If the module builder can't determine how to adjust your PAM settings, it will print one or more warnings to the console.  Please request support if needed.
  • If the build succeeded and produced no errors or warnings, you may now install and activate the module with:
    sudo make install

Removing the PAM module

  • To revert any changes made by running "make install", run the command:
    sudo make uninstall

Configure AuthLite

Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:

  • Forced 2-Factor Computers (because Linux generally can't see group policy enforcement, and even when it does it does static group lookups so we can't rely on 2F-tagging)
  • LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
  • Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)

These settings take 20 minutes to apply (plus time for inter-site replication, if applicable).

Testing 2F Logon

In the build directory, you can run a test program to check whether authentication is working. Below, 'sandbox' is the NETBIOS domain name, and 'duser2' is the username.

./pam_authlite_test login sandbox\\duser2
Start result: 0
Password: (enter the password followed by dash and OTP here)
Auth result: 0

If the Auth result is zero (0), the call succeeded. If it is seven (7), the authentication was rejected by the DC.

Note that this test does not confirm 2FA is being used; it only checks whether the authentication was allowed by the DC. You must apply the settings above in section "Configure AuthLite" to enforce 2FA. To prove it is working, attempt to authenticate as an AuthLite user with just their password, omitting the OTP; that attempt should be rejected.