MFA Unix PAM
You can use the Akamai MFA Pluggable Authentication Module (PAM) to enhance the security of your Unix and Linux logins. PAM provides you with a modular system with which you can configure authentication mechanisms for different applications. By installing the Akamai MFA libpam_akamaimfa
PAM, you enable a two-step authentication for remote (SSH) access apps or local logins for Unix-based systems.
See this diagram that presents a conceptual model of the authentication process. For clarity reasons, some traffic flows are not covered.
This authentication process refers to users who are enrolled in Akamai MFA.
-
The user authenticates to the Unix server using, for example, their username/password or private/public key pair.
-
Upon successful authentication, the Unix server, using the Akamai plug-in, establishes a connection over TCP port 443 and redirects the user to Akamai MFA.
-
Akamai MFA challenges the user with secondary authentication.
-
The user confirms their identity using the selected secondary authentication method.
-
Akamai MFA redirects the user to the Unix server.
-
The Unix server allows the user to proceed to the protected application.
Prerequisites
-
This integration communicates with Akamai MFA on TCP port 443. Make sure that your firewall allows outbound connections to the host you specify when you set up the integration. You can achieve this by setting up a firewall policy that allows connections to the appropriate CIDR (Classless Inter-Domain Routing) blocks. The following
csv
file provides the relevant CIDR blocks for the mfa.akamai.com host: Akamai MFA CIDR blocks list. -
To enable this integration for users, ensure that user accounts exist on the Linux-based OS server and in Akamai MFA under the same user ID. Also, make sure that the users are enrolled in Akamai MFA and their registered mobile devices have been activated.
-
You have to copy the
libpam_akamaimfa
to the Linux server. -
For OS with SELinux, you have to first disable SELinux before deploying the
pam_akamai_mfa
module. -
Prior to the installation of the plugin, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use Akamai MFA.
-
Before you can use the plugin, you need to install OpenSSL 1.1 on your system and ensure that
libssl.so.1.1
is present in the/lib/security/
directory.
This Unix PAM module has been tested on Linux (RedHat, CentOS, Debian, Ubuntu).
This integration supports only OpenSSH 6.2+, SSH protocol 2.
Add SSH integration
Follow this procedure to generate your integration credentials that you will need to provide in the following step to enable the communication between Akamai MFA and SSH server.
Next, follow the integration instructions for your Linux distribution.
-
In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.
-
Click Add integration (+).
-
In Integration Type, select SSH.
-
In Name, enter a unique name for your SSH integration.
-
Click Save and Deploy.
You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps to configure the integration.
Your Signing Key should be kept completely secret like any other password or secret key credential.
Follow instructions for one of the supported Linux distributions.
Integration instructions for CentOS distribution
Install libpam_akamaimfa
prerequisites and pam_akamai_mfa
Follow these steps to install the OpenSSL development headers and libraries that are required to enable this integration.
-
Download one of the following libraries:
- For CentOS versions 5, 6, download version 1.0.0 of the plugin
libpam_akamaimfa_centos_redhat7_1.0.0.so
Note that version 1.0.0 will no longer receive updates, including bug fixes or new features. We recommend upgrading to a more recent CentOS version.
-
For CentOS version 7, download version 1.0.1 of the plugin
libpam_akamaimfa_centos_redhat7_1.0.1.so
-
For CentOS versions 8, 9, download version 1.0.1 of the plugin
libpam_akamaimfa_centos_redhat9_1.0.1.so
- For CentOS versions 5, 6, download version 1.0.0 of the plugin
-
Launch the terminal as super user.
-
Execute these commands according to the respective platform. You may need the root-level access to execute those commands.
- For CentOS, execute
yum install autoconf libtool pam-devel openssl-devel
- For CentOS with SELinux enabled, execute
yum install selinux-policy-devel
- For CentOS, execute
-
When the installation completes, check if
/etc/security/akamaimfa-config.toml
file exists in your directory. If the file is not present, create it and edit the/etc/security/akamaimfa-config.toml
file by entering the integration credentials that you generated in the previous step.[config] signing_key = "<signing_key>" app_uuid = "<integration_id>" host = "<api_host domain with https://prefix>" log_path = "<full_path_to_your_log_file>"
-
Save and exit the file.
-
Before using
pam_akamai_mfa
, make sure the logging file exists and has the necessary permission i.e.chmod 640 <log-file-name>
. The logging file depends on thelog_path
specified inakamaimfa-config.toml
. If it's left empty, it defaults to/var/log/akamaimfa.log
.
The
chmod 640 <log-file-name>
permission means that the owner has read and write permissions, and any other user has no rights to the file.
Configure Akamai MFA linux-based OS PAM
Enable public key authentication
If you want to use pam_akamai_mfa
with SSH public key authentication, follow these steps:
-
Open the
sshd_config
file in the text editor. This file is usually located in/etc
or/etc/ssh
. -
Edit your
sshd_config
file to enable the SSH public key authentication for the Akamai MFAlibpam_akamaimfa
:-
Set
PubkeyAuthentication
toyes
-
Set
PasswordAuthentication
tono
-
Add this line to the file:
AuthenticationMethods publickey,keyboard-interactive
See how the updated properties should display in your terminal:
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
Enable OpenSSH authentication
If you want to use pam_akamai_mfa
with the OpenSSH ssd
, follow these steps.
This integration supports only OpenSSH 6.2+, SSH protocol 2.
-
Edit your
sshd_config
file to enable the OpenSSHsshd
that is usually located in/etc
or/etc/ssh
. This enables thesshd
process for the Akamai MFAlibpam_akamaimfa
PAM:-
Set
UsePAM
toyes
-
If
ChallengeResponseAuthentication
is present, set it toyes
. -
If
KbdInteractiveAuthentication
is present, set it toyes
.
If both
ChallengeResponseAuthentication
andKbdInteractiveAuthentication
directives are present, the first directive in the file takes precedence. If you leave both in the file, it is recommended that you set them toyes
.- Remove comment sign and set
UseDNS
tono
.
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
-
Save and exit the
sshd_config
file. -
If you are configuring MFA Unix PAM on CentOS Stream 9, go to
/etc/ssh/sshd_config.d/50-redhat.conf
and comment out theChallengeResponseAuthentication no
directive. -
Restart the ssh service once you finish the configuration so that all the changes you've made to
sshd
andsshd_config
files take effect.
Modify your PAM configuration
Follow these steps to edit your system's PAM configuration to enable Akamai MFA as the authentication system. Depending on your CentOS distribution, follow these instructions.
Depending on your OS or architecture, the
libpam_akamaimfa_<OS_name>_<version>.so
module may be located in/lib64/security
instead of/lib/security
. If this is the case, specify the full path tolibpam_akamaimfa_<OS_name>_<version>.so
in the PAM configuration file as follows:/lib64/security/libpam_akamaimfa_<OS_name>_<version>.so
. Replace<OS_name>
and<version>
with the OS and version number as seen in the filename of the plugin you downloaded.
CentOS 5
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
-
Comment out
#auth include system-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so auth required pam_deny.so
-
Save and exit the
sshd
file. -
Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameter:auth required libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
sudo
file.
CentOS 6
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
-
Comment out
#auth include password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so auth required pam_deny.so
-
Save and exit the
sshd
file. -
Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
-
Comment out
# auth sufficient pam_unix.so nullok try_first_pass
and add the following
configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so
-
Save and exit the
system-auth
file. -
Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
sudo
file.
CentOS 7
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth substack password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.1.so auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.1.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file in etc/pam.d/sudo
.
- Comment out
#auth include system-auth
and add the following configuration parameters:
auth required libpam_akamaimfa_centos_redhat7_1.0.1.so
- Save and exit the
sudo
file.
CentOS 8/9
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth substack password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat9_1.0.1.so auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat9_1.0.1.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file in etc/pam.d/sudo
.
- Comment out
#auth include system-auth
and add the following configuration parameters:
auth required libpam_akamaimfa_centos_redhat9_1.0.1.so
- Save and exit the
sudo
file.
Integration instructions for Red Hat distribution
Install libpam_akamaimfa
prerequisites and pam_akamai_mfa
Follow these steps to install the OpenSSL development headers and libraries that are required to enable this integration.
-
Download one of the following libraries:
- For Red Hat versions 5, 6, download version 1.0.0 of the plugin
libpam_akamaimfa_centos_redhat7_1.0.0.so
Note that version 1.0.0 will no longer receive updates, including bug fixes or new features. We recommend upgrading to a more recent Red Hat version.
- For Red Hat version 7, download version 1.0.1 of the plugin
libpam_akamaimfa_centos_redhat7_1.0.1.so
- For Red Hat versions 8, 9, download version 1.0.1 of the plugin
libpam_akamaimfa_centos_redhat9_1.0.1.so
- For Red Hat versions 5, 6, download version 1.0.0 of the plugin
-
Launch the terminal as super user.
-
Execute the below commands according to the respective platform. You may need the root-level access to execute those commands.
- For Red Hat, execute
yum install autoconf libtool pam-devel openssl-devel
- For Red Hat with SELinux enabled, execute
yum install selinux-policy-devel
- For Red Hat, execute
-
When the installation completes, check if
/etc/security/akamaimfa-config.toml
file exists in your directory. If the file is not present, create it and edit the/etc/security/akamaimfa-config.toml
file by entering the integration credentials that you generated in the previous step.[config] signing_key = "<signing_key>" app_uuid = "<integration_id>" host = "<api_host domain with https://prefix>" log_path = "<full_path_to_your_log_file>"
-
Save and exit the file.
-
Before using
pam_akamai_mfa
, make sure the logging file exists and has the necessary permission i.e.chmod 640 <log-file-name>
. The logging file depends on thelog_path
specified inakamaimfa-config.toml
. If it's left empty, it defaults to/var/log/akamaimfa.log
.
The
chmod 640 <log-file-name>
permission means that the owner has read and write permissions, and any other user has no rights to the file.
Configure Akamai MFA linux-based OS PAM
Enable public key authentication
If you want to use pam_akamai_mfa
with SSH public key authentication, follow these steps:
-
Open the
sshd_config
file in the text editor. This file is usually located in/etc
or/etc/ssh
. -
Edit your
sshd_config
file to enable the SSH public key authentication for the Akamai MFAlibpam_akamaimfa
:-
Set
PubkeyAuthentication
toyes
-
Set
PasswordAuthentication
tono
-
Add this line to the file:
AuthenticationMethods publickey,keyboard-interactive
See how the updated properties should display in your terminal:
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
Enable OpenSSH authentication
If you want to use pam_akamai_mfa
with the OpenSSH ssd
, follow these steps.
This integration supports only OpenSSH 6.2+, SSH protocol 2.
-
Edit your
sshd_config
file to enable the OpenSSHsshd
that is usually located in/etc
or/etc/ssh
. This enables thesshd
process for the Akamai MFAlibpam_akamaimfa
PAM:-
Set
UsePAM
toyes
-
If
ChallengeResponseAuthentication
is present, set it toyes
. -
If
KbdInteractiveAuthentication
is present, set it toyes
.
If both
ChallengeResponseAuthentication
andKbdInteractiveAuthentication
directives are present, the first directive in the file takes precedence. If you leave both in the file, it is recommended that you set them toyes
.- Remove comment sign and set
UseDNS
tono
.
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
-
Save and exit the
sshd_config
file. -
If you are configuring MFA Unix PAM on Red Hat Enterprise Linux 9, go to
/etc/ssh/sshd_config.d/50-redhat.conf
and comment out theChallengeResponseAuthentication no
directive. -
Restart the ssh service once you finish the configuration so that all the changes you've made to
sshd
andsshd_config
files take effect.
Modify your PAM configuration
Follow these steps to edit your system's PAM configuration to enable Akamai MFA MFA as the authentication system. Depending on your Red Hat Linux distribution, follow the below instructions.
Depending on your OS or architecture, the
libpam_akamaimfa_<OS_name>_<version>.so
module may be located in/lib64/security
instead of/lib/security
. If this is the case, specify the full path tolibpam_akamaimfa_<OS_name>_<version>.so
in the PAM configuration file as follows:/lib64/security/libpam_akamaimfa_<OS_name>_<version>.so
. Replace<OS_name>
and<version>
with the OS and version number as seen in the filename of the plugin you downloaded.
Red Hat Enterprise Linux 5
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
# auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
sudo
file.
Red Hat Enterprise Linux 6
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth include password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required libpam_akamaimfa_centos_redhat7_1.0.0.so
- Save and exit the
sudo
file.
Red Hat Enterprise Linux 7
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth substack password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat7_1.0.1.so auth requisite pam_succeed_if.so uid >= 1000 quiet auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat7_1.0.1.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required libpam_akamaimfa_centos_redhat7_1.0.1.so
- Save and exit the
sudo
file.
Red Hat Enterprise Linux 8/9
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#auth substack password-auth
and add the following configuration parameters:auth required pam_env.so auth sufficient libpam_akamaimfa_centos_redhat9_1.0.1.so auth requisite pam_succeed_if.so uid >= 1000 quiet auth required pam_deny.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the system-auth
file located in /etc/pam.d/system-auth
:
- Comment out
#auth sufficient pam_unix.so nullok try_first_pass
and add the following configuration parameters:auth requisite pam_unix.so nullok try_first_pass auth sufficient libpam_akamaimfa_centos_redhat9_1.0.1.so
- Save and exit the
system-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#auth include system-auth
and add the following configuration parameters:auth required libpam_akamaimfa_centos_redhat9_1.0.1.so
- Save and exit the
sudo
file.
Integration instructions for Ubuntu distribution
Install libpam_akamaimfa
prerequisites and pam_akamai_mfa
Follow these steps to install the OpenSSL development headers and libraries that are required to enable this integration.
-
Download one of the following libraries:
- For Ubuntu versions 14, 16, 18, download version 1.0.0 of the plugin
libpam_akamaimfa_ubuntu_1.0.0.so
.
Note that version 1.0.0 will no longer receive updates, including bug fixes or new features. We recommend upgrading to a more recent Ubuntu version.
-
For Ubuntu 20.04, download version 1.0.1 of the plugin
libpam_akamaimfa_ubuntu20_1.0.1.so
. -
For Ubuntu 22.04, download version 1.0.1 of the plugin
libpam_akamaimfa_ubuntu22_1.0.1.so
. -
For Ubuntu 23.04, download version 1.0.1 of the plugin
libpam_akamaimfa_ubuntu23_1.0.1.so
.
- For Ubuntu versions 14, 16, 18, download version 1.0.0 of the plugin
-
Launch the terminal as super user.
-
Execute the below commands according to the respective platform. You may need the root-level access to execute those commands.
- For Debian and Ubuntu, execute
apt-get install build-essential autoconf libtool libpam-dev libpam0g-dev libpam0g libssl-dev
- For Debian and Ubuntu, execute
-
When the installation completes, check if
/etc/security/akamaimfa-config.toml
file exists in your directory. If the file is not present, create it and edit the/etc/security/akamaimfa-config.toml
file by entering the integration credentials that you generated in the previous step.[config] signing_key = "<signing_key>" app_uuid = "<integration_id>" host = "<api_host domain with https://prefix>" log_path = "<full_path_to_your_log_file>"
-
Save and exit the file.
-
Before using
pam_akamai_mfa
, make sure the logging file exists and has the necessary permission i.e.chmod 640 <log-file-name>
. The logging file depends on thelog_path
specified inakamaimfa-config.toml
. If it's left empty, it defaults to/var/log/akamaimfa.log
.
The
chmod 640 <log-file-name>
permission means that the owner has read and write permissions, and any other user has no rights to the file.
Configure Akamai MFA linux-based OS PAM
Enable public key authentication
If you want to use pam_akamai_mfa
with SSH public key authentication, follow the below steps:
-
Open the
sshd_config
file in the text editor. This file is usually located in/etc
or/etc/ssh
. -
Edit your
sshd_config
file to enable the SSH public key authentication for Akamai MFAlibpam_akamaimfa
:-
Set
PubkeyAuthentication
toyes
-
Set
PasswordAuthentication
tono
-
Add this line to the file:
AuthenticationMethods publickey,keyboard-interactive
See how the updated properties should display in your terminal:
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
Enable OpenSSH authentication
If you want to use pam_akamai_mfa
with the OpenSSH ssd
, follow the below steps.
This integration supports only OpenSSH 6.2+, SSH protocol 2.
-
Edit your
sshd_config
file to enable the OpenSSHsshd
that is usually located in/etc
or/etc/ssh
. This enables thesshd
process for the Akamai MFAlibpam_akamaimfa
PAM:-
Set
UsePAM
toyes
-
If
ChallengeResponseAuthentication
is present, set it toyes
. -
If
KbdInteractiveAuthentication
is present, set it toyes
.
If both
ChallengeResponseAuthentication
andKbdInteractiveAuthentication
directives are present, the first directive in the file takes precedence. If you leave both in the file, it is recommended that you set them toyes
.- Remove comment sign and set
UseDNS
tono
.
-
When you're introducing changes to your PAM configuration, leave a root shell open. This will prevent you from accidentally locking yourself out.
-
Save and exit the
sshd_config
file. -
Restart the ssh service once you finish the configuration so that all the changes you've made to
sshd
andsshd_config
files take effect.
Modify your PAM configuration
Follow these steps to edit your system's PAM configuration to enable Akamai MFA as the authentication system. Depending on your Ubuntu distribution, follow these instructions.
Depending on your OS or architecture, the
libpam_akamaimfa_<OS_name>_<version>.so
module may be located in/lib64/security
instead of/lib/security
. If this is the case, specify the full path tolibpam_akamaimfa_<OS_name>_<version>.so
in the PAM configuration file as follows:/lib64/security/libpam_akamaimfa_<OS_name>_<version>.so
. Replace<OS_name>
and<version>
with the OS and version number as seen in the filename of the plugin you downloaded.
Ubuntu 14
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth sufficient libpam_akamaimfa_ubuntu_1.0.0.so auth requisite pam_deny.so auth required pam_permit.so auth required pam_cap.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the common-auth
file located in /etc/pam.d/common-auth
:
- Comment out
#auth [success=1 default=ignore] pam_unix.so nullok_secure
and add the following configuration parameters:auth requisite pam_unix.so nullok_secure auth sufficient libpam_akamaimfa_ubuntu_1.0.0.so
- Save and exit the
common-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth required libpam_akamaimfa_ubuntu_1.0.0.so
- Save and exit the
sudo
file.
Ubuntu 16/18
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth sufficient libpam_akamaimfa_ubuntu_1.0.0.so auth requisite pam_deny.so auth required pam_permit.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the common-auth
file located in /etc/pam.d/common-auth
:
- Comment out
#auth [success=1 default=ignore] pam_unix.so nullok_secure
and add the following configuration parameters:auth requisite pam_unix.so nullok_secure auth sufficient libpam_akamaimfa_ubuntu_1.0.0.so
- Save and exit the
common-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo:
- Comment out
#@include common-auth
and add the following configuration parameters:auth required libpam_akamaimfa_ubuntu_1.0.0.so
- Save and exit the
sudo
file.
Ubuntu 20.04
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth sufficient libpam_akamaimfa_ubuntu20_1.0.1.so auth requisite pam_deny.so auth required pam_permit.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the common-auth
file located in /etc/pam.d/common-auth
:
- Comment out
#auth [success=1 default=ignore] pam_unix.so nullok_secure
and add the following configuration parameters:auth requisite pam_unix.so nullok_secure auth sufficient libpam_akamaimfa_ubuntu20_1.0.1.so
- Save and exit the
common-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo:
- Comment out
#@include common-auth
and add the following configuration parameters:auth required libpam_akamaimfa_ubuntu20_1.0.1.so
- Save and exit the
sudo
file.
Ubuntu 22.04
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth sufficient libpam_akamaimfa_ubuntu22_1.0.1.so auth requisite pam_deny.so auth required pam_permit.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the common-auth
file located in /etc/pam.d/common-auth
:
- Comment out
#auth [success=1 default=ignore] pam_unix.so nullok_secure
and add the following configuration parameters:auth requisite pam_unix.so nullok_secure auth sufficient libpam_akamaimfa_ubuntu22_1.0.1.so
- Save and exit the
common-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo:
- Comment out
#@include common-auth
and add the following configuration parameters:auth required libpam_akamaimfa_ubuntu22_1.0.1.so
- Save and exit the
sudo
file.
Ubuntu 23.04
For SSH public key authentication, edit the sshd
file located in /etc/pam.d/sshd
:
- Comment out
#@include common-auth
and add the following configuration parameters:auth sufficient libpam_akamaimfa_ubuntu23_1.0.1.so auth requisite pam_deny.so auth required pam_permit.so
- Save and exit the
sshd
file. - Restart the ssh service.
For system-wide authentication, edit the common-auth
file located in /etc/pam.d/common-auth
:
- Comment out
#auth [success=1 default=ignore] pam_unix.so nullok_secure
and add the following configuration parameters:auth requisite pam_unix.so nullok_secure auth sufficient libpam_akamaimfa_ubuntu23_1.0.1.so
- Save and exit the
common-auth
file. - Restart the ssh service.
For SUDO MFA, edit the sudo
file located in /etc/pam.d/sudo:
- Comment out
#@include common-auth
and add the following configuration parameters:auth required libpam_akamaimfa_ubuntu23_1.0.1.so
- Save and exit the
sudo
file.
Updated 11 months ago