Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

SafeNet Agent for Pluggable Authentication Module

Applying Multi-Factor Authentication

search

Please Note:

Applying Multi-Factor Authentication

The following section details adding Multi-Factor Authentication to RedHat Linux and Ubuntu operating systems.

RedHat Linux

To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.

  • For login console and ssh access formats, change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/password-auth file.

    Also, add the following content after the pam_unix.so module row:

    auth sufficient /usr/local/thales/pam/bin/SASAuth.so

    The above setting does not apply for authenticating with a Domain user.

    To enable only OTP-based login sessions, comment the pam_unix.so module row:

    #auth required pam_unix.so nullok

    This action ensures that the user need not provide the system password, and will be granted system access, based on a combination of system username and SafeNet Credentials.

    Before (RedHat Linux Example) Connecting to the Serial Console:

    alt_text

    After (RedHat Linux Example):

    alt_text

  • For SSH connections, add the following content at the end of the /etc/pam.d/sshd file:

    auth sufficient /usr/local/thales/pam/bin/SASAuth.so

    The above setting is also applicable when authenticating with a Domain user.

  • For when the user is switched, add the following content at the end of the /etc/pam.d/su file:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    The above setting is also applicable when authenticating with a Domain user.

    Before (RedHat Linux Example):

    alt_text

    After (RedHat Linux Example):

    alt_text

    To disable the agent, comment the following content (as added above): #auth required /usr/local/thales/pam/bin/SASAuth.so

Ubuntu

To apply the SafeNet 2-FA to different login types, perform one of the following three instruction sets. To disable the agent, revert the described changes.

Due to a known UI discrepancy on the login console of Ubuntu 22.04, we recommend to apply MFA on command line using SSH mode only.

  • For all the access formats (login console, su, and ssh), change the parameter of the pam_unix.so module from sufficient to required in the /etc/pam.d/common-auth file.

    Also, add the following content after the pam_unix.so module row:

    auth sufficient /usr/local/thales/pam/bin/SASAuth.so

    The above setting does not apply for authenticating with a Domain user.

    Before (Ubuntu Example):

    alt_text

    After (Ubuntu Example):

    alt_text

    To enable only OTP-based login sessions, comment the pam_unix.so module row:

    #auth required pam_unix.so nullok

    This action ensures that the user need not provide the system password, and will be granted system access, based on a combination of system username and SafeNet credentials.

  • For SSH connections, add the following content to the /etc/pam.d/sshd file:

    auth required /usr/local/thales/pam/bin/SASAuth.so

    The above setting is also applicable when authenticating with a Domain user.

  • For when the user is switched, add the following content to the /etc/pam.d/su file:

    auth sufficient /usr/local/thales/pam/bin/SASAuth.so

    The above setting is also applicable when authenticating with a Domain user.

    Before (Ubuntu Example):

    alt_text

    After (Ubuntu Example):

    alt_text

    To disable the agent, comment the following content (as added above): #auth required /usr/local/thales/pam/bin/SASAuth.so

On this page