Home
Contents
CLOSE
AuthLite Interactive Documentation
Quick Start: Install and protect Domain Admins AuthLite Features Supported Tokens Installation Configuration Token Management How to Log In
CLOSE

Support for domain-joined Linux systems

If you have Linux systems joined to the domain with sssd, likewise-open (pbis), or similar, you can enforce 2-factor for AuthLite users when they log on to these systems. They will need a PAM module and some configuration to pass the OTP to AuthLite and then allow the password portion of the logon to work.

Changes needed to SSSD

All of the following items refer to the [domain/...] section in the file /etc/sssd/sssd.conf

Offline caching

Consider setting:

cache_credentials = False

so domain users are prohibited from logging in using cached mode with password-only.

DC Ordering

For 2-factor logons to work correctly, we need the OTP lookup to go to the same DC that gets the Kerberos authentication. 

SSSD and the kerberos features of Linux have a somewhat complicated way of picking a DC.  Making matters worse, some SSSD builds seem to ignore configuration directives for reasons we don't really understand.  Thus, here are two ways of achieving the correct result, in order of preference.

  • Best way: force SSSD and krb5 to use the same DC.

    Add or change the following directives:
    krb5_use_kdcinfo = True
    krb5_kdcinfo_lookahead  = 0
  • Fallback approach: force a strict ordering of which DCs to use.

    Use the "ad_server" setting, to specify an exact order for your DCs to be used, followed by _srv_ to revert to the lookup algorithm if your preferred DCs are unavailable:
    ad_server = the.fqdn.of.server1,fqdn.server2,_srv_

After making changes, restart the sssd service with:

sudo service sssd restart

Prerequisites

Debian-like systems

sudo apt-get install  cmake g++ libpam0g-dev

CentOS-like systems

sudo yum install  cmake make gcc-c++ pam-devel

Build and install pam_authlite module

  • Get the Linux PAM module archive from the Downloads page and expand it with command:
    tar -xzf   <replace this with the actual pam_authlite.tar.gz file name>
  • Go into the build directory:
    cd pam_authlite
  • Create the build system and build the module with:
    cmake  .  ; make
  • If the module builder can't determine how to adjust your PAM settings, it will print one or more warnings to the console.  Please request support if needed.
  • If the build succeeded and produced no errors or warnings, you may now install and activate the module with:
    sudo make install

Removing the PAM module

  • To revert any changes made by running "make install", run the command:
    sudo make uninstall

Configure AuthLite

Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:

  • Forced 2-Factor Computers (because Linux generally can't see group policy enforcement, and even when it does it does static group lookups so we can't rely on 2F-tagging)
  • LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
  • Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)

These settings will take 20 minutes to apply (plus time for inter-site replication, if applicable)

Testing 2F Logon

In the build directory, you can run a test program to check whether authentication is working. 

./pam_authlite_test  login  sandbox\\duser2
Start result: 0
Password:  (enter the password followed by dash and OTP here)
Auth result: 0

If the Authentication result is zero (0) then the call succeeded.  If it is seven (7) then the authentication was rejected by the DC.

Note that this test does not confirm 2FA is being used, it just checks if the authentication was allowed by the DC.  You must follow the settings above in section "Configure AuthLite" to enforce 2FA.  To prove it's working, attempt to authenticate with an AuthLite User and just their password, omitting the OTP.