Applying Multi-Factor Authentication
The following section details adding Multi-Factor Authentication to RedHat Linux and Ubuntu operating systems.
RedHat Linux
To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.
- For login console and ssh access formats, change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/password-auth file. Also, add the following content after the pam_unix.so module row:
auth required /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting does not apply for authenticating with a Domain user.
To enable only OTP-based login sessions, comment out the pam_unix.so module row:
#auth required pam_unix.so nullok
With this change, the user does not need to provide the system password and is granted system access based on a combination of the system username and SafeNet credentials.
- For SSH connections, add the following content at the end of the /etc/pam.d/sshd file:
auth required /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting is also applicable when authenticating with a Domain user.
- For switching users (su), add the following content at the end of the /etc/pam.d/su file:
auth required /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting is also applicable when authenticating with a Domain user.
Note
To disable the agent, comment out the following content (as added above):
#auth required /usr/local/thales/pam/bin/SASAuth.so
Ubuntu
To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.
Note
Due to a known UI discrepancy on the login console of Ubuntu 22.04, we recommend applying MFA on the command line using SSH mode only.
- For all the access formats (login console, su, and ssh), change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/common-auth file. Also, add the following content after the pam_unix.so module row:
auth required /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting does not apply for authenticating with a Domain user.
To enable only OTP-based login sessions, comment out the pam_unix.so module row:
#auth required pam_unix.so nullok
With this change, the user does not need to provide the system password and is granted system access based on a combination of the system username and SafeNet credentials.
- For SSH connections, add the following content to the /etc/pam.d/sshd file:
auth required /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting is also applicable when authenticating with a Domain user.
- For switching users (su), add the following content to the /etc/pam.d/su file:
auth sufficient /usr/local/thales/pam/bin/SASAuth.so
Note
The above setting is also applicable when authenticating with a Domain user.
Note
To disable the agent, comment out the following content (as added above):
#auth required /usr/local/thales/pam/bin/SASAuth.so
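
Added example, not part of the original page or of the SafeNet agent: a Python check that reads one PAM file's auth rows and reports any row ahead of SASAuth.so whose success would end the stack before the OTP step. This is why the password-auth (RedHat) and common-auth (Ubuntu) steps change pam_unix.so from sufficient to required. The function names and sample stacks are assumptions constructed for illustration; include and substack rows are not followed.

```python
import re

MFA_MODULE = "/usr/local/thales/pam/bin/SASAuth.so"  # module path from the page

def auth_stack(text):
    """Return (control, module) for each active auth row, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # commented rows are inactive
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) not in ("include", "substack"):  # not followed here
            stack.append((m.group(1), m.group(2)))
    return stack

def audit(text):
    """Return findings; an empty list means no earlier row can skip the MFA row."""
    stack = auth_stack(text)
    modules = [module for _, module in stack]
    if MFA_MODULE not in modules:
        return ["SASAuth.so row is missing or commented out"]
    findings = []
    for control, module in stack[:modules.index(MFA_MODULE)]:
        if control == "sufficient":
            # PAM returns success immediately when a sufficient module succeeds
            # and no earlier required module has failed.
            findings.append(f"{module} is 'sufficient': a successful check "
                            "returns at once and SASAuth.so never runs")
        elif control.startswith("["):
            findings.append(f"{module} uses {control}: review its actions by hand")
    return findings

# Constructed sample stacks (hypothetical, not taken from a real host).
BEFORE = """\
auth  required    pam_env.so
auth  sufficient  pam_unix.so nullok
auth  required    /usr/local/thales/pam/bin/SASAuth.so
"""
AFTER = """\
auth  required    pam_env.so
auth  required    pam_unix.so nullok
auth  required    /usr/local/thales/pam/bin/SASAuth.so
"""
OTP_ONLY = AFTER.replace("auth  required    pam_unix", "#auth  required    pam_unix")

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("otp-only", OTP_ONLY)):
        print(name, audit(sample) or "ok")
```

To check a live system, pass the contents of the file you edited, for example `audit(open("/etc/pam.d/password-auth").read())`.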