Support for domain-joined Linux systems
If you have Linux systems joined to the domain with sssd, likewise-open (pbis), or similar, you can enforce 2-factor for AuthLite users when they log on to these systems. They will need a PAM module and some configuration to pass the OTP to AuthLite and then allow the password portion of the logon to work.
Changes needed to SSSD
All of the following items refer to the [domain/...] section in the file /etc/sssd/sssd.conf
cache_credentials = False
so domain users are prohibited from logging in using cached mode with password-only.
For 2-factor logons to work correctly, we need the OTP lookup to go to the same DC that gets the Kerberos authentication.
SSSD and the kerberos features of Linux have a somewhat complicated way of picking a DC. Making matters worse, some SSSD builds seem to ignore configuration directives for reasons we don't really understand. Thus, here are two ways of achieving the correct result, in order of preference.
Best way: force SSSD and krb5 to use the same DC.Add or change the following directives:
krb5_use_kdcinfo = True
krb5_kdcinfo_lookahead = 0
Fallback approach: force a strict ordering of which DCs to use.Use the "ad_server" setting, to specify an exact order for your DCs to be used, followed by _srv_ to revert to the lookup algorithm if your preferred DCs are unavailable:
ad_server = the.fqdn.of.server1,fqdn.server2,_srv_
After making changes, restart the sssd service with:
sudo service sssd restart
sudo apt-get install cmake g++ libpam0g-dev
sudo yum install cmake make gcc-c++ pam-devel
Build and install pam_authlite module
Get the Linux PAM module archive from the Downloads page and expand it with command:
tar -xzf <replace this with the actual pam_authlite.tar.gz file name>
Go into the build directory:
Create the build system and build the module with:
cmake . ; make
- If the module builder can't determine how to adjust your PAM settings, it will print one or more warnings to the console. Please request support if needed.
If the build succeeded and produced no errors or warnings, you may now install and activate the module with:
sudo make install
Removing the PAM module
To revert any changes made by running "make install", run the command:
sudo make uninstall
Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:
- Forced 2-Factor Computers (because Linux generally can't see group policy enforcement, and even when it does it does static group lookups so we can't rely on 2F-tagging)
- LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
- Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)
These settings will take 20 minutes to apply (plus time for inter-site replication, if applicable)
Testing 2F Logon
In the build directory, you can run a test program to check whether authentication is working.
./pam_authlite_test login sandbox\\duser2
Start result: 0
Password: (enter the password followed by dash and OTP here)
Auth result: 0
If the Authentication result is zero (0) then the call succeeded. If it is seven (7) then the authentication was rejected by the DC.
Note that this test does not confirm 2FA is being used, it just checks if the authentication was allowed by the DC. You must perform the settings above to enforce 2FA. To prove it's working, attempt to authenticate with an AuthLite User and just their password, omitting the OTP.