Assuming the Linux system is already joined to the domain with Samba, SSSD, or PBIS/Likewise, it can be made to accept OTPs and require 2-factor for AuthLite users via approximately the following steps:

Debian-like systems

Install packages and files

  • Install the pam_python library.  On Debian-like systems:
sudo apt install libpam-python
  • Copy the file to the directory /lib/security.

Configure PAM

The PAM configuration needs to change so that the AuthLite authentication call happens before the Active Directory authentication.

If the PAM configuration is managed by pam-auth-update, you can accomplish this via:

  • Copy the file authlite to the directory /usr/share/pam-configs
  • Run the command:
sudo pam-auth-update
  • Now verify that the file /etc/pam.d/common-auth has the line:
auth  optional

above the other "auth" lines.

If the PAM configuration is managed manually: The goal is that whatever configuration file is being used for your authentication should have a line like:

auth  optional

appear above other "auth" lines.

Next: see "Configure AuthLite" section below.

Redhat/CentOS-like systems

Install pam_python files

There is no pre-packaged pam_python module for CentOS, so it must be built from source: unpack it with tar -xzf, go into the src subfolder and run "make".

Then copy and to /usr/lib64/security.  If it is a 32-bit machine it would be /usr/lib/security.

Configure PAM

The PAM configuration will vary depending on how you have joined the domain.  In our test lab using SSSD, we modified /etc/pam.d/password-auth directly, adding:

auth   optional forward_pass

above the line

auth   sufficient use_first_pass forward_pass

and adding use_first_pass to that line, so it can see the password result forwarded by the pam_python module.

Configure AuthLite

Add the Linux computer account (or a security group containing the computer account) to the following AuthLite settings:

  • Forced 2-Factor Computers (because Linux generally can't see group policy enforcement)
  • LDAP Permissions (because Linux does an OTP lookup and then throws it away and sends the authentication request without the OTP)
  • Sticky 2-Factor Computers (because SSSD does several authentications in a row without the OTP)

These settings will take 20 minutes to apply (plus time for inter-site replication, if applicable).

Test authentication

YubiKey: After entering your password, tap the YubiKey button to enter the OTP.  Wait for the green light to come back on, to see that the OTP is finished.  Then hit enter.

OATH: After entering your password, enter a dash (-) and then the current OTP digits for this user.