Installing, Upgrading, and Uninstalling the Agent

This documentation covers installing, upgrading, and uninstalling the SafeNet Agent for Pluggable Authentication Module (PAM).

Installing the Agent

Perform the following steps to install the agent:

1. Perform the following steps for different versions of RHEL:

   RHEL 8.10 (or earlier)

   As a prerequisite, you must install OpenSSL 3.2.2.

   For the following options available in the sshd_config file (at /etc/ssh), perform the following actions:

   • Ensure that the PasswordAuthentication option is enabled.

     PasswordAuthentication yes

   • Enter the following to enable the ChallengeResponseAuthentication option:

     ChallengeResponseAuthentication yes

   • Enter the following to enable the KbdInteractiveAuthentication option:

     KbdInteractiveAuthentication yes

   This setting is only applicable for Ubuntu 22.04.

   

   RHEL 9.4

   Perform the following steps:

   a. Modify SSH Configuration:
   Comment out the ChallengeResponseAuthentication line in the sshd_config file.
   Location: /etc/ssh/sshd_config

   b. In the 50-redhat.conf file, set ChallengeResponseAuthentication to yes.
   Location: /etc/ssh/sshd_config.d/

   c. Set GSSAPIAuthentication to no.

   

2. Run the following command:

   • RedHat Linux:

     rpm –i SafeNet_Agent_for_PAM_Linux-[your installation build no].rpm

   • Ubuntu:

     dpkg -i SafeNet_Agent_for_PAM_Linux-[your installation build no]_amd64.deb

   By default, the installation package is installed at the following location:

   /usr/local/thales/pam/

3. Navigate to the installed directory (/usr/local/thales/pam):

   cd /usr/local/thales/pam/

4. Copy the SAS_PAMConf.ini file from the Config folder to /usr/local/ using the following command:

   cp config/SAS_PAMConf.ini /usr/local/

5. Restart the sshd service using the following command:

   service sshd restart

6. SSH is denied by default because of selinux:

   By default, selinux is not available for Ubuntu, so the following edit is not required.

   • To enable the SSH, use the following commands:

     sudo audit2allow -a

     sudo setsebool nis_enabled=1

   • To make the setting persist after reboot, use the following command:

     sudo semanage boolean -m --on nis_enabled

Upgrading the Agent

The upgrade from any earlier version is not supported in this release. To use the latest version, uninstall the old agent and install the new version of the agent.

Uninstalling the Agent

Perform the following steps to uninstall the old agent and install the latest version of the agent:

1. Disable the agent as described in Applying Multi-Factor Authentication.

2. Create a backup of the SAS_PAMConf.ini file and Agent.bsidkey files, to be used for configuring the new agent.

3. To uninstall the agent, run the following command:

   RedHat Linux: sudo rpm -e SafeNet_Agent_for_PAM_Linux

   Ubuntu: sudo apt-get remove safenet-agent-for-pam-linux

4. Install the latest version of the agent as described in Installing the Agent.

5. Configure the new agent with backup files SAS_PAMConf.ini file and Agent.bsidkey.

6. Apply Multi-Factor Authentication (MFA) as described in Applying Multi-Factor Authentication on the new agent.