Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Agents

SafeNet Agent for Pluggable Authentication Module

search

Please Note:

printsuggest an edit

SafeNet Agent for Pluggable Authentication Module

Version 1.2.0

Pluggable Authentication Module (PAM) is a program (or a set of programs) that aims to identify a user before granting system access. The PAM provides open-source, customizable libraries that enable:

  • Developers to focus on creating programs, without having to worry about creating authentication schemes. In other words, the PAM renders a common authentication scheme that can be used with several applications.

  • System administrators and developers to exercise better control and flexibility over authentication.

The SafeNet Agent for Pluggable Authentication Module (PAM) is a Two-Factor Authentication (2FA) solution to authenticate Linux users before granting system access. It can be easily configured for any number of Linux systems to provide a secure mechanism for protecting PAM-aware applications like login console or remote (SSH) sessions.

By taking advantage of our industry-leading authentication solution, coupled with the flexibility of PAM, organizations can prevent their Linux systems from unauthorized access. Requiring a second factor of authentication, in addition to a valid username and password, is a critical measure for information security.

copy link to clipboardSolution Flow

The SafeNet Agent for PAM is installed on a Linux machine, and acts as an intermediary between users and the SafeNet server. The following are the steps that will help illustrate the solution flow for the users:

  1. A user attempts to access a Linux machine protected by the agent, either via login console, or remotely with SSH.

  2. After providing valid username and password, the user is prompted to provide SafeNet credentials, which are then sent to the SafeNet server.

  3. The SafeNet server provides the agent with authentication methods configured for the user. The agent prompts the user to authenticate. The user chooses the available authentication method and authenticates.

    • If the SafeNet server approves the request, the information is sent to the PAM, which then denies or grants the system access.

copy link to clipboardPrerequisites

  • The user must already be created and available in the SafeNet server.

  • The user must also exist locally on the machine on which the PAM agent is proposed for installation.

  • Root permissions must be obtained on the machine on which the PAM agent is proposed for installation.

  • SafeNet server should be available and reachable from the Linux machine.

  • Ensure that the agent’s public key, gpg_verfiy.key, is imported, before beginning the installation. To import, execute the following command:

    • RedHat Linux: rpm --import /path/to/gpg_verfiy.key
    • Ubuntu: gpg –-import /path/to/gpg_verfiy.key

  • An Auth Node must be created for the agent to allow authentication requests to the SafeNet server. To define Auth Nodes in the SafeNet server, perform the following steps:

    a. On the Virtual Servers tab, select Comms > Auth Nodes, and click Add.

    b. Complete the following fields, and click Save.

    Field Description
    Agent Description Enter a description for the agent.
    Hostname Enter the hostname of the server.
    Low IP Address In Range Enter the lowest IP address in the range.
    High IP Address In Range Enter the highest IP address in the range.

    Note

    • If you are specifying a single IP address, enter the IP address in the Low IP Address. The High IP Address can be left empty.

    • If more than one IP address is required, expand the Services module and then modify the value in Auth Nodes: Max. Auth Nodes field.

copy link to clipboardException

If AutoLogin feature is enabled on a Linux system for a user, the SafeNet OTP functionality will not be invoked.

copy link to clipboardSystem Requirements

Option Description
Tokens - All tokens supported by the SafeNet server.
SAS Releases - SAS PCE/SPE 3.16 (and above)
- SAS Cloud Edition
Operating Systems - RHEL 8.10 and 9.4
- Ubuntu 22.04
OpenSSL Version - RHEL 8.10/9.4: OpenSSL-3.2.2
- Ubuntu 22.04: OpenSSL-3.0.1

On this page