Applying Multi-Factor Authentication
The following documentation details adding multi-factor authentication to RedHat Linux and Ubuntu operating systems.
RedHat Linux
To apply the SafeNet MFA to different login types, perform one of the following three instruction sets. To disable SafeNet MFA, revert the described changes.
For login console and ssh access formats, change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/password-auth file.
Also, add the following content after the pam_unix.so module row:
auth sufficient /usr/local/thales/pam/bin/SASAuth.so
To enable only OTP-based login sessions, comment out the pam_unix.so module row:
#auth required pam_unix.so nullok
With this change, the user does not need to provide the system password and is granted system access based on a combination of system username and SafeNet credentials.
Before (RedHat Linux Example) Connecting to the Serial Console:
After (RedHat Linux Example):
For SSH connections, add the following content to the end of the /etc/pam.d/sshd file:
auth sufficient /usr/local/thales/pam/bin/SASAuth.so
For switching users (su), add the following content to the end of the /etc/pam.d/su file:
auth required /usr/local/thales/pam/bin/SASAuth.so
Before (RedHat Linux Example):
After (RedHat Linux Example):
Ubuntu
To apply the SafeNet MFA to different login types, perform one of the following three instruction sets. To disable SafeNet MFA, revert the described changes.
Due to a known UI discrepancy on the login console of Ubuntu 22.04, we recommend applying MFA on the command line using SSH mode.
For all the access formats (login console, su, and ssh), change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/common-auth file.
Also, add the following content after the pam_unix.so module row:
auth sufficient /usr/local/thales/pam/bin/SASAuth.so
Before (Ubuntu Example):
After (Ubuntu Example):
To enable only OTP-based login sessions, comment out the pam_unix.so module row:
#auth required pam_unix.so nullok
With this change, the user does not need to provide the system password and is granted system access based on a combination of system username and SafeNet credentials.
For SSH connections, add the following content to the /etc/pam.d/sshd file:
auth required /usr/local/thales/pam/bin/SASAuth.so
For switching users (su), add the following content to the /etc/pam.d/su file:
auth sufficient /usr/local/thales/pam/bin/SASAuth.so
Before (Ubuntu Example):
After (Ubuntu Example):
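The following check is an added example, not part of the SafeNet documentation: it reads a PAM file such as /etc/pam.d/password-auth or /etc/pam.d/common-auth after the edits above and reports how the pam_unix.so and SASAuth.so rows are ordered. PAM returns success at the first sufficient module that succeeds (when no earlier required module has failed), so a pam_unix.so row left as sufficient ahead of SASAuth.so grants access on the password alone. The function name, the result labels and the sample stack are assumptions made for this example; only plain "auth <control> <module>" rows are interpreted.

```shell
#!/bin/sh
# Added example: classify the auth rows of a PAM file after the SafeNet edit.
# Assumption: bracketed controls ([success=1 ...]) and include/substack rows
# are not interpreted; only the control and order of the two modules is checked.
SAS_MODULE="SASAuth.so"

classify_pam_auth() {
    awk -v sas="$SAS_MODULE" '
        /^[ \t]*#/ || NF < 3 { next }   # skip comments and incomplete rows
        $1 != "auth"         { next }   # only the auth stack matters here
        $3 ~ /pam_unix\.so$/ { unix_ctl = $2; unix_pos = ++n; next }
        index($3, sas)       { sas_pos = ++n; next }
                             { n++ }
        END {
            if (!sas_pos)
                print "no-sas"                  # SafeNet module not in stack
            else if (!unix_pos)
                print "otp-only"                # pam_unix.so row commented out
            else if (unix_ctl == "sufficient" && unix_pos < sas_pos)
                print "password-short-circuit"  # password alone ends the stack
            else if (unix_ctl == "required" && unix_pos < sas_pos)
                print "password-then-otp"       # layout described on this page
            else
                print "review"                  # any other ordering or control
        }' "$1"
}

# Constructed sample mirroring the documented edit (not a real system file).
sample=$(mktemp)
printf '%s\n' \
    'auth required pam_env.so' \
    'auth required pam_unix.so nullok' \
    'auth sufficient /usr/local/thales/pam/bin/SASAuth.so' \
    'auth required pam_deny.so' > "$sample"
classify_pam_auth "$sample"
rm -f "$sample"
```

Run it against a copy of the edited file while keeping an existing root session open, so a mistaken edit can be reverted before the next login depends on it.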