Installing, Upgrading, and Uninstalling the Agent
This documentation covers installing, upgrading, and uninstalling the SafeNet Agent for Pluggable Authentication Module (PAM).
Installing the Agent
Perform the following steps to install the agent:
-
Perform the following steps for different versions of RHEL:
RHEL 8.10 (or earlier)
As a prerequisite, you must install OpenSSL 3.2.2.
For the following options available in the sshd_config file (at
/etc/ssh
), perform the following actions:-
Ensure that the PasswordAuthentication option is enabled.
PasswordAuthentication yes
-
Enter the following to enable the ChallengeResponseAuthentication option:
ChallengeResponseAuthentication yes
-
Enter the following to enable the KbdInteractiveAuthentication option:
KbdInteractiveAuthentication yes
Note
This setting is only applicable for Ubuntu 22.04.
RHEL 9.4
Perform the following steps:
a. Modify SSH Configuration:
Comment out the ChallengeResponseAuthentication line in the sshd_config file.
Location: /etc/ssh/sshd_configb. In the 50-redhat.conf file, set ChallengeResponseAuthentication to yes.
Location: /etc/ssh/sshd_config.d/c. Set GSSAPIAuthentication to no.
-
-
Run the following command:
-
RedHat Linux:
rpm –i SafeNet_Agent_for_PAM_Linux-[your installation build no].rpm
-
Ubuntu:
dpkg -i SafeNet_Agent_for_PAM_Linux-[your installation build no]_amd64.deb
By default, the installation package is installed at the following location:
/usr/local/thales/pam/
-
-
Navigate to the installed directory (/usr/local/thales/pam):
cd /usr/local/thales/pam/
-
Copy the SAS_PAMConf.ini file from the Config folder to /usr/local/ using the following command:
cp config/SAS_PAMConf.ini /usr/local/
-
Restart the sshd service using the following command:
service sshd restart
-
SSH is denied by default because of selinux:
Note
By default, selinux is not available for Ubuntu, so the following edit is not required.
-
To enable the SSH, use the following commands:
sudo audit2allow -a
sudo setsebool nis_enabled=1
-
To make the setting persist after reboot, use the following command:
sudo semanage boolean -m --on nis_enabled
-
Upgrading the Agent
The upgrade from any earlier version is not supported in this release. To use the latest version, uninstall the old agent and install the new version of the agent.
Uninstalling the Agent
Perform the following steps to uninstall the old agent and install the latest version of the agent:
-
Disable the agent as described in Applying Multi-Factor Authentication.
-
Create a backup of the
SAS_PAMConf.ini
file andAgent.bsidkey
files, to be used for configuring the new agent. -
To uninstall the agent, run the following command:
RedHat Linux:
sudo rpm -e SafeNet_Agent_for_PAM_Linux
Ubuntu:
sudo apt-get remove safenet-agent-for-pam-linux
-
Install the latest version of the agent as described in Installing the Agent.
-
Configure the new agent with backup files
SAS_PAMConf.ini
file andAgent.bsidkey
. -
Apply Multi-Factor Authentication (MFA) as described in Applying Multi-Factor Authentication on the new agent.