Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Agent for Pluggable Authentication Module

Applying Multi-Factor Authentication

search

Please Note:

printsuggest an edit

Applying Multi-Factor Authentication

The following section details adding Multi-Factor Authentication to RedHat Linux and Ubuntu operating systems.

copy link to clipboardRedHat Linux

To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.

  • For login console and ssh access formats, change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/password-auth file.

    Also, add the following content after the pam_unix.so module row:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting does not apply for authenticating with a Domain user.

    To enable only OTP-based login sessions, comment the pam_unix.so module row:

    #auth required pam_unix.so nullok

    This action ensures that the user need not provide the system password, and will be granted system access, based on a combination of system username and SafeNet Credentials.

    Before (RedHat Linux Example) Connecting to the Serial Console:

    alt_text

    After (RedHat Linux Example):

    alt_text

  • For SSH connections, add the following content at the end of the /etc/pam.d/sshd file:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting is also applicable when authenticating with a Domain user.

    Before (RedHat Linux Example):

    alt_text

    After (RedHat Linux Example):

    alt_text

  • For when the user is switched, add the following content at the end of the /etc/pam.d/su file:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting is also applicable when authenticating with a Domain user.

    Before (RedHat Linux Example):

    alt_text

    After (RedHat Linux Example):

    alt_text

    note

    Note

    To disable the agent, comment the following content (as added above): #auth required /usr/local/thales/pam/bin/SASAuth.so

copy link to clipboardUbuntu

To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.

note

Note

Due to a known UI discrepancy on the login console of Ubuntu 22.04, we recommend to apply MFA on command line using SSH mode only.

  • For all the access formats (login console, su, and ssh), change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/common-auth file.

    Also, add the following content after the pam_unix.so module row:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting does not apply for authenticating with a Domain user.

    Before (Ubuntu Example):

    alt_text

    After (Ubuntu Example):

    alt_text

    To enable only OTP-based login sessions, comment the pam_unix.so module row:

    #auth required pam_unix.so nullok

    This action ensures that the user need not provide the system password, and will be granted system access, based on a combination of system username and SafeNet credentials.

  • For SSH connections, add the following content to the /etc/pam.d/sshd file:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting is also applicable when authenticating with a Domain user.

  • For when the user is switched, add the following content to the /etc/pam.d/su file:

    auth sufficient /usr/local/thales/pam/bin/SASAuth.so

    note

    Note

    The above setting is also applicable when authenticating with a Domain user.

    Before (Ubuntu Example):

    alt_text

    After (Ubuntu Example):

    alt_text

    note

    Note

    To disable the agent, comment the following content (as added above): #auth required /usr/local/thales/pam/bin/SASAuth.so

On this page