Assuming the Linux system is already joined to the domain with Samba, SSSD, or PBIS/Likewise, it can be made to accept OTPs and require 2-factor authentication for AuthLite users via approximately the following steps:

Debian-like systems

Install packages and files

  • Install the pam_python library.  On Debian-like systems:
sudo apt install libpam-python
  • Copy the file auth.py to the directory /lib/security.

Configure PAM

The PAM configuration needs to change so that authentication calls pam_python.so before the Active Directory authentication.

If the PAM configuration is managed by pam-auth-update, you can accomplish this via:

  • Copy the file authlite to the directory /usr/share/pam-configs
  • Run the command:
sudo pam-auth-update
  • Now verify that the file /etc/pam.d/common-auth has the line:
auth  optional  pam_python.so auth.py

above the other "auth" lines.

If the PAM configuration is managed manually: The goal is that whatever configuration file is being used for your authentication should have a line like:

auth  optional  pam_python.so auth.py

appear above other "auth" lines.

Next: see "Configure AuthLite" section below.

Redhat/CentOS-like systems

Install pam_python files

There is no pre-packaged pam_python module for CentOS, so it must be built from source.

  • Extract the .tar.gz file (tar -xzf) and go into the src subfolder.
  • In pam_python.c, move the #include for Python.h above the #include for pam_modules.h.
  • Run "make pam_python.so".
  • Copy pam_python.so and auth.py to /usr/lib64/security.  On a 32-bit machine the directory is /usr/lib/security.

Configure PAM

The PAM configuration will vary depending on how you have joined the domain.  In our test lab using SSSD, we modified /etc/pam.d/password-auth directly, adding:

auth   optional   pam_python.so /usr/lib64/auth.py

above the line for SSSD or Centrify.  Make sure you specify the correct full path to your auth.py script (lib or lib64).

For SSSD, add "use_first_pass" to the pam_sss.so line, so it can see the password result from the pam_python module.

For Centrify, add "try_first_pass" to the pam_centrifydc.so line.
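The two PAM requirements above (the pam_python.so line first in the "auth" stack, and the directory module reusing the password it leaves behind) are easy to get wrong by hand. The following audit script is an added example, not one of AuthLite's files; the two sample stacks it writes to temporary files are constructed, and the module names it looks for are the ones named on this page (pam_python.so, pam_sss.so with use_first_pass, pam_centrifydc.so with try_first_pass).

```shell
#!/bin/sh
# Added example, not one of AuthLite's files: audits a PAM "auth" stack for the
# ordering this page asks for. The two sample stacks below are constructed.

# pam_python_first FILE
# Exit 0 when the first active "auth" line in FILE loads pam_python.so,
# i.e. the OTP handling runs before any directory (AD) module.
pam_python_first() {
  first=$(grep -Ev '^[[:space:]]*(#|$)' "$1" \
          | grep -E '^[[:space:]]*auth[[:space:]]' | head -n 1)
  case "$first" in
    *pam_python.so*) return 0 ;;
    *)               return 1 ;;
  esac
}

# directory_reuses_password FILE
# Exit 0 when pam_sss.so carries use_first_pass or pam_centrifydc.so carries
# try_first_pass, so the directory module consumes the password that
# pam_python left in the stack instead of prompting again.
directory_reuses_password() {
  grep -Eq '^[[:space:]]*auth.*pam_sss\.so.*use_first_pass' "$1" && return 0
  grep -Eq '^[[:space:]]*auth.*pam_centrifydc\.so.*try_first_pass' "$1" && return 0
  return 1
}

# audit_pam_stack FILE: run both checks and report; exit 1 if either fails.
audit_pam_stack() {
  rc=0
  if pam_python_first "$1"; then
    echo "$1: OK   pam_python.so is the first auth line"
  else
    echo "$1: FAIL pam_python.so is not the first auth line"; rc=1
  fi
  if directory_reuses_password "$1"; then
    echo "$1: OK   directory module reuses the password from pam_python"
  else
    echo "$1: FAIL directory module lacks use_first_pass/try_first_pass"; rc=1
  fi
  return $rc
}

# Constructed sample: the layout this page describes for SSSD on RHEL-like systems.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
# sample password-auth
auth   optional   pam_python.so /usr/lib64/auth.py
auth   sufficient pam_unix.so nullok try_first_pass
auth   sufficient pam_sss.so use_first_pass
auth   required   pam_deny.so
EOF

# Constructed sample: pam_python placed too late and pam_sss without use_first_pass.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
auth   sufficient pam_unix.so nullok try_first_pass
auth   sufficient pam_sss.so
auth   optional   pam_python.so /usr/lib64/auth.py
auth   required   pam_deny.so
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT

audit_pam_stack "$GOOD"
audit_pam_stack "$BAD" || true
```

Point audit_pam_stack at /etc/pam.d/common-auth (Debian-like) or /etc/pam.d/password-auth (RHEL-like) after editing; a FAIL on the first check means the directory module will authenticate before the OTP is ever looked at, and a FAIL on the second means users will be prompted for their password twice.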

Configure SSSD

In the SSSD config, use the "ad_server" setting to specify an exact order in which your DCs are used. This counteracts aggressive load balancing, which can cause the OTP to go to one DC but the password to another. Example:

ad_server = the.fqdn.of.server1,fqdn.server2,_srv_

(put _srv_ at the end, like that)

Also set:

cache_credentials = False

After making any changes, bounce the SSSD service and whatever logon service is affected by the PAM config update (e.g. ssh).
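The same kind of check applies to the two sssd.conf settings above. This script is an added example, not SSSD's or AuthLite's own code; the hostnames in its sample domain sections are placeholders, and it treats a missing cache_credentials line as a failure because this page asks for the setting to be set explicitly.

```shell
#!/bin/sh
# Added example, not SSSD's or AuthLite's own code: checks the [domain/...]
# section of an sssd.conf for the two settings this page requires. The two
# sample configs below are constructed.

# sssd_value FILE KEY: print the value of the first "KEY = value" line, with
# all whitespace removed so "a, b" and "a,b" compare equal.
sssd_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n 1 | tr -d '[:space:]'
}

# ad_server_pinned FILE
# Exit 0 when ad_server names at least one explicit DC and ends with _srv_,
# so the OTP lookup and the password check are sent to the same DC first and
# SRV discovery is only the fallback.
ad_server_pinned() {
  v=$(sssd_value "$1" ad_server)
  case "$v" in
    "" | _srv_ | ,*) return 1 ;;   # unset, SRV-only, or empty first entry
    *,_srv_)         return 0 ;;   # explicit DCs first, _srv_ last
    *)               return 1 ;;   # no _srv_ fallback, or _srv_ not last
  esac
}

# credential_caching_off FILE
# Exit 0 only when cache_credentials is explicitly False (case-insensitive).
credential_caching_off() {
  v=$(sssd_value "$1" cache_credentials | tr '[:upper:]' '[:lower:]')
  [ "$v" = "false" ]
}

# audit_sssd_domain FILE: run both checks and report; exit 1 if either fails.
audit_sssd_domain() {
  rc=0
  if ad_server_pinned "$1"; then
    echo "$1: OK   ad_server pins DC order with _srv_ last"
  else
    echo "$1: FAIL ad_server is unset, SRV-only, or does not end with _srv_"; rc=1
  fi
  if credential_caching_off "$1"; then
    echo "$1: OK   cache_credentials = False"
  else
    echo "$1: FAIL cache_credentials is not explicitly False"; rc=1
  fi
  return $rc
}

# Constructed sample matching this page's recommendation (hostnames are placeholders).
SSSD_GOOD=$(mktemp)
cat >"$SSSD_GOOD" <<'EOF'
[domain/example.test]
id_provider = ad
ad_server = dc1.example.test, dc2.example.test, _srv_
cache_credentials = False
EOF

# Constructed sample with the settings this page warns against.
SSSD_BAD=$(mktemp)
cat >"$SSSD_BAD" <<'EOF'
[domain/example.test]
id_provider = ad
ad_server = _srv_
cache_credentials = True
EOF
trap 'rm -f "$SSSD_GOOD" "$SSSD_BAD"' EXIT

audit_sssd_domain "$SSSD_GOOD"
audit_sssd_domain "$SSSD_BAD" || true
```

Run audit_sssd_domain against /etc/sssd/sssd.conf (as root, since the file is normally mode 0600) before bouncing SSSD; a FAIL on ad_server means the OTP and the password can still land on different DCs, and a FAIL on cache_credentials means a cached hash could let a password-only logon succeed while the DC is unreachable.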

Configure AuthLite

Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:

  • Forced 2-Factor Computers (because Linux generally can't see group policy enforcement)
  • LDAP Permissions (because Linux does an OTP lookup, then throws the OTP away and sends the authentication request without it)
  • Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)

These settings will take 20 minutes to apply (plus time for inter-site replication, if applicable).

Test authentication

YubiKey: After entering your password, tap the YubiKey button to enter the OTP.  Wait for the green light to come back on, to see that the OTP is finished.  Then hit enter.

OATH: After entering your password, enter a dash (-) and then the current OTP digits for this user.

Troubleshooting

Look at your system logs in /var/log. They will squawk if PAM can't find the pam_python module, the auth.py script, or other similar things.