Installing, Upgrading, and Uninstalling the Agent
This documentation covers installing, upgrading, and uninstalling the SafeNet Agent for Pluggable Authentication Module (PAM).
Installing the Agent
Perform the following steps to install the agent:
- 
Perform the following steps for different versions of RHEL: RHEL 8.10 (or earlier) As a prerequisite, you must install OpenSSL 3.2.2. For the following options available in the sshd_config file (at /etc/ssh), perform the following actions:- 
Ensure that the PasswordAuthentication option is enabled. PasswordAuthentication yes
- 
Enter the following to enable the ChallengeResponseAuthentication option: ChallengeResponseAuthentication yes
- 
Enter the following to enable the KbdInteractiveAuthentication option: KbdInteractiveAuthentication yes
 This setting is only applicable for Ubuntu 22.04.  RHEL 9.4 Perform the following steps: a. Modify SSH Configuration: 
 Comment out the ChallengeResponseAuthentication line in the sshd_config file.
 Location: /etc/ssh/sshd_configb. In the 50-redhat.conf file, set ChallengeResponseAuthentication to yes. 
 Location: /etc/ssh/sshd_config.d/c. Set GSSAPIAuthentication to no.  
- 
- 
Run the following command: - 
RedHat Linux: rpm –i SafeNet_Agent_for_PAM_Linux-[your installation build no].rpmNote The installation package is available at the following location: - RHEL 8.10: \Installer\RHEL 8.10 - RHEL 9.4: \Installer\RHEL 9.4 
- 
Ubuntu: dpkg -i SafeNet_Agent_for_PAM_Linux-[your installation build no]_amd64.debThe installation package for Ubuntu 22.04 – 24.04 is available at: \Installer\Ubuntu 22.04 - 24.04. 
 By default, the installation package is installed at the following location: /usr/local/thales/pam/
- 
- 
Navigate to the installed directory (/usr/local/thales/pam): cd /usr/local/thales/pam/
- 
Copy the SAS_PAMConf.ini file from the Config folder to /usr/local/ using the following command: cp config/SAS_PAMConf.ini /usr/local/
- 
Restart the sshd service using the following command: service sshd restart
- 
SSH is denied by default because of selinux: By default, selinux is not available for Ubuntu, so the following edit is not required. - 
To enable the SSH, use the following commands: sudo audit2allow -asudo setsebool nis_enabled=1
- 
To make the setting persist after reboot, use the following command: sudo semanage boolean -m --on nis_enabled
 
- 
Upgrading the Agent
The upgrade from any earlier version is not supported in this release. To use the latest version, uninstall the old agent and install the new version of the agent.
Uninstalling the Agent
Perform the following steps to uninstall the old agent and install the latest version of the agent:
- 
Disable the agent as described in Applying Multi-Factor Authentication. 
- 
Create a backup of the SAS_PAMConf.inifile andAgent.bsidkeyfiles, to be used for configuring the new agent.
- 
To uninstall the agent, run the following command: RedHat Linux: sudo rpm -e SafeNet_Agent_for_PAM_LinuxUbuntu: sudo apt-get remove safenet-agent-for-pam-linux
- 
Install the latest version of the agent as described in Installing the Agent. 
- 
Configure the new agent with backup files SAS_PAMConf.inifile andAgent.bsidkey.
- 
Apply Multi-Factor Authentication (MFA) as described in Applying Multi-Factor Authentication on the new agent.