SafeNet Agent for Pluggable Authentication Module
Version 1.2.0
Pluggable Authentication Module (PAM) is a framework of shared libraries that identifies a user before the system grants access. PAM provides open-source, configurable modules that enable:
- Developers to concentrate on writing their programs without having to build their own authentication schemes. In other words, PAM provides a common authentication scheme that can be shared by many applications.
- System administrators and developers to exercise better control and flexibility over authentication.
The SafeNet Agent for Pluggable Authentication Module (PAM) is a Two-Factor Authentication (2FA) solution that authenticates Linux users before granting system access. The SafeNet Agent for PAM can be configured on any number of Linux systems to protect PAM-aware applications such as the login console or remote (SSH) sessions.
By combining our industry-leading authentication solution with the flexibility of PAM, organizations can protect their Linux systems from unauthorized access. Requiring a second factor of authentication, in addition to a valid username and password, is a critical measure for information security.
Solution Flow
The SafeNet Agent for PAM is installed on a Linux machine and acts as an intermediary between users and the SafeNet server. The following steps illustrate the solution flow for a user:
- A user attempts to access a Linux machine protected by the SafeNet agent, either at the login console or remotely over SSH.
- After providing a valid username and password, the user is prompted for SafeNet credentials, which the agent sends to the SafeNet server.
- The SafeNet server returns the authentication methods configured for the user. The agent prompts the user, who chooses one of the available methods and authenticates.
- The SafeNet server's verdict is returned to PAM. If the server approved the request, PAM grants system access; otherwise PAM denies it.
Prerequisites
- The user must already be created and available in the SafeNet server.
- The user must also exist locally on the machine on which the PAM agent is to be installed.
- Root permissions are required on the machine on which the PAM agent is to be installed.
- The SafeNet server must be available and reachable from the Linux machine.
- Ensure that the agent's public key, gpg_verfiy.key, is imported before beginning the installation. To import it, execute the following command:
  RedHat Linux:
  rpm --import /path/to/gpg_verfiy.key
  Ubuntu:
  gpg --import /path/to/gpg_verfiy.key
-
- An Auth Node must be created for the agent so that it is allowed to send authentication requests to the SafeNet server. To define Auth Nodes in the SafeNet server, follow these steps:
  a. On the Virtual Servers tab, select Comms > Auth Nodes, and click Add.
  b. Complete the following fields, and click Save.
  Field | Description |
  ---|---|
  Agent Description | Enter a description for the agent. |
  Hostname | Enter the hostname of the server. |
  Low IP Address In Range | Enter the lowest IP address in the range. |
  High IP Address In Range | Enter the highest IP address in the range. |
  Note: If you are specifying a single IP address, enter it in the Low IP Address field. The High IP Address field can be left empty.
  If more than one IP address (Auth Node) is required, expand the Services module and then modify the value in the Auth Nodes: Max. Auth Nodes field.
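The key-import prerequisite only protects the installation if the key's fingerprint is confirmed before the key is trusted and the package's signature is checked against that key before the package is installed. The script below is an added example and is not part of the SafeNet documentation or the agent itself. It uses the key file name from the prerequisites; everything else is this example's own assumption: an expected fingerprint obtained out of band and placed in the EXPECTED_FPR placeholder, the agent package path passed as the second argument, the helper names (pkg_family, key_fingerprint, import_agent_key, verify_package), and, for Ubuntu, a detached signature file next to the package, since the page does not describe how the Ubuntu package is signed.

```shell
#!/bin/sh
# Added example, not part of the SafeNet documentation or the agent itself.
# Checks the agent signing key's fingerprint against a value obtained out of
# band, imports the key the way the prerequisites describe, and verifies the
# package signature before the package is installed.
#
# Assumptions (not stated on the page):
#   EXPECTED_FPR   - the key fingerprint you confirmed with the vendor
#   $2             - path to the agent package
#   <package>.sig  - detached signature next to the Ubuntu package
set -u

EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_VENDOR_SUPPLIED_FINGERPRINT}"

# Decide between rpm and gpg handling from an os-release file.
# $1: path to the os-release file. Prints "rpm" or "deb"; returns 1 if unknown.
pkg_family() {
  osr=$1
  id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
  like=$(sed -n 's/^ID_LIKE=//p' "$osr" | tr -d '"')
  case " $id $like " in
    *" rhel "*|*" fedora "*|*" centos "*) echo rpm ;;
    *" ubuntu "*|*" debian "*)           echo deb ;;
    *) echo unknown; return 1 ;;
  esac
}

# Print the primary-key fingerprint of a key file without importing it
# (field 10 of gpg's colon-separated "fpr" record).
key_fingerprint() {
  gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The import commands from the prerequisites, selected by package family.
import_agent_key() {
  case $1 in
    rpm) rpm --import "$2" ;;
    deb) gpg --import "$2" ;;
  esac
}

# Verify the package against the imported key. Returns non-zero on failure.
verify_package() {
  case $1 in
    rpm)
      # rpm -K prints "... digests signatures OK" only when a signature is
      # present and made by an imported key; an unsigned package prints just
      # "digests OK" and a bad signature prints "SIGNATURES NOT OK", both of
      # which this case-sensitive grep rejects.
      rpm -K "$2" | grep -q 'signatures OK' ;;
    deb)
      # Assumption: a detached signature "<package>.sig" ships with the .deb.
      gpg --batch --verify "$2.sig" "$2" ;;
  esac
}

main() {
  keyfile=$1; pkg=$2
  family=$(pkg_family /etc/os-release) || { echo "unsupported distribution" >&2; return 1; }
  fpr=$(key_fingerprint "$keyfile")
  if [ "$fpr" != "$EXPECTED_FPR" ]; then
    echo "refusing to import: fingerprint $fpr does not match $EXPECTED_FPR" >&2
    return 1
  fi
  import_agent_key "$family" "$keyfile"
  verify_package "$family" "$pkg" || { echo "signature check failed for $pkg" >&2; return 1; }
  echo "key imported and $pkg verified; safe to install"
}

# Usage: sh verify_agent_pkg.sh /path/to/gpg_verfiy.key /path/to/agent-package
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

The fingerprint comparison is the step that matters: `rpm --import` and `gpg --import` trust whatever key file they are handed, so a key substituted on the download path would be imported just as readily as the vendor's. The rpm branch also rejects a package that merely lacks a signature, because `rpm -K` exits 0 for unsigned packages.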
Exception
If the AutoLogin feature is enabled for a user on a Linux system, SafeNet OTP authentication is not invoked for that user. AutoLogin therefore bypasses the second factor and should be disabled on protected hosts.
System Requirements
Option | Description |
---|---|
Tokens | All tokens supported by the SafeNet server. |
SAS Releases | SAS PCE/SPE 3.16 (and above); SAS Cloud Edition |
Operating Systems | RHEL 8.10; Ubuntu 22.04 |
OpenSSL Version | RHEL 8.10: OpenSSL 1.1.1; Ubuntu 22.04: OpenSSL 3.0.2 |