Unix PAM

You can use the Akamai MFA Pluggable Authentication Module (PAM) to enhance the security of your Unix and Linux logins. PAM provides a modular system for configuring authentication mechanisms for different applications. By installing the Akamai MFA libpam_akamaimfa PAM module, you enable two-step authentication for remote (SSH) access or local logins on Unix-based systems.

The following steps present a conceptual model of the authentication process. For clarity, some traffic flows are not covered.

Note: This authentication process refers to users who are enrolled in Akamai MFA.

  1. The user authenticates to the Unix server using, for example, their username/password or private/public key pair.

  2. Upon successful authentication, the Unix server, using the Akamai plugin, establishes a connection over TCP port 443 and redirects the user to Akamai MFA.

  3. Akamai MFA challenges the user with secondary authentication.

  4. The user confirms their identity using the selected secondary authentication method.

  5. Akamai MFA redirects the user to the Unix server.

  6. The Unix server allows the user to proceed to the protected application.

Before you begin

  • This integration communicates with the Akamai MFA service on TCP port 443. Your firewall must allow outbound connections from your environment to the Akamai MFA host.
    If your environment has a firewall that restricts outbound connections, Akamai provides a dedicated hostname (static.mfa.akamai.com) with a permanent list of static IPs. To ensure stable and reliable connectivity, add these IP addresses to your allowlist:


  • To enable this integration for users, ensure that user accounts exist on the Linux-based OS server and in Akamai MFA under the same user ID. Also, make sure that the users are enrolled in Akamai MFA and their registered mobile devices have been activated.

  • You have to copy the libpam_akamaimfa module to the Linux server.

  • For operating systems with SELinux, you have to disable SELinux before deploying the pam_akamai_mfa module.

  • Prior to the installation of the plugin, ensure that your server is correctly synchronized with an internet time source. Otherwise, you may be presented with a time-based error when attempting to use Akamai MFA.

  • Before you can use the plugin, you need to install OpenSSL on your system.

Supported platforms

Platform Family    Versions                     OpenSSL                  glibc
Ubuntu             22.04, 24.04, 26.04          3.0.x                    2.35–2.39
RHEL-compatible    Rocky 8, Rocky 9, Rocky 10   1.1.1 (8), 3.x (9/10)    2.28–2.40
CentOS Stream      9, 10                        3.x                      2.34–2.40

This integration requires OpenSSH 6.2+, SSH protocol 2.

Add Unix PAM integration

Follow this procedure to generate the integration credentials that you will need in the following steps to enable communication between Akamai MFA and the SSH server.

Next, follow the integration instructions for your Linux distribution.

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Integrations.

  2. Click Add integration (+).

  3. In Integration Type, select Unix PAM.

  4. In Name, enter a unique name for your Unix PAM integration.

  5. Click Save and Deploy.
    You’ve just generated your API Host, Integration ID, and Signing Key. This data will be available for you on the integration page. Your integration credentials can be copied anytime and used in the following steps to configure the integration.

Note: Your Signing Key should be kept completely secret, like any other password or secret key credential.

Follow instructions for one of the supported Linux distributions.

Integration instructions for CentOS Stream distribution

Follow these steps to set up your Unix PAM integration with CentOS Stream.

Install libpam_akamaimfa prerequisites and pam_akamaimfa

  1. Download the plugin for your CentOS Stream version:

    CentOS Stream Version   Plugin Version   Download File
    9                       1.1.0            libpam_akamaimfa_centos9_1.1.0.so
    10                      1.1.0            libpam_akamaimfa_centos10_1.1.0.so

  2. Launch a terminal as super user.
  3. Run the following commands to enable the required repositories and install packages:

    dnf install -y dnf-plugins-core
    dnf config-manager --set-enabled crb
    dnf install autoconf libtool pam-devel openssl-devel gcc make

    • With SELinux enabled:

        dnf install selinux-policy-devel

  4. Copy the downloaded .so file to the PAM security modules directory:

    cp libpam_akamaimfa_centos<version>_1.1.0.so /lib64/security/pam_akamaimfa.so
    chmod 755 /lib64/security/pam_akamaimfa.so

    Note: Replace <version> with your CentOS Stream version number (9 or 10).

  5. Create or edit the configuration file at /etc/security/akamaimfa-config.toml using your Unix PAM integration credentials:

    [config]
    signing_key = "<signing_key>"
    app_uuid = "<integration_id>"
    host = "<api_host domain with https:// prefix>"
    log_path = "<full_path_to_your_log_file>"

  6. Save and exit.
  7. Ensure the log file exists with proper permissions. The default log path is /var/log/akamaimfa.log:

    touch /var/log/akamaimfa.log
    chmod 640 /var/log/akamaimfa.log

    Note: chmod 640 means the owner has read/write access; all other users have no rights.
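
The configuration file above holds the Signing Key, so it is worth validating before the module is enabled. The following check is an added example, not Akamai's code: the function names, the sample values and the rule that group and others get no access to the file are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check /etc/security/akamaimfa-config.toml before use.
# Assumption of this example: only the owner may access the file (mode x00).

# check_mfa_config FILE -> prints findings; returns 0 when there are none.
check_mfa_config() {
    f=$1; rc=0
    # value_of KEY: text inside the double quotes on the "KEY = ..." line
    value_of() {
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$f" | head -n 1
    }
    for key in signing_key app_uuid host log_path; do
        v=$(value_of "$key")
        case $v in
            '')          echo "MISSING $key"; rc=1 ;;
            *'<'*|*'>'*) echo "PLACEHOLDER left in $key"; rc=1 ;;
        esac
    done
    case $(value_of host) in
        https://*|'') ;;
        *) echo "host lacks https:// prefix"; rc=1 ;;
    esac
    mode=$(stat -c '%a' "$f")          # GNU or busybox stat
    case $mode in
        *00) ;;
        *) echo "mode $mode lets group/others read the signing key"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample values, not real credentials.
sample_mfa_config() {
    cat <<'EOF'
[config]
signing_key = "CONSTRUCTED-EXAMPLE-KEY"
app_uuid = "constructed-integration-id"
host = "https://mfa.example.invalid"
log_path = "/var/log/akamaimfa.log"
EOF
}

# Demo: a world-readable copy of the sample is reported.
demo=$(mktemp)
sample_mfa_config > "$demo"
chmod 644 "$demo"
check_mfa_config "$demo" || echo "fix the findings before enabling the module"
rm -f "$demo"
```

On a real host, run check_mfa_config /etc/security/akamaimfa-config.toml as root.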

Configure Akamai MFA Linux-based OS PAM

Enable public key authentication

  1. Open sshd_config (usually located in /etc/ssh/).
  2. Edit the following settings:
    • PubkeyAuthentication yes
    • PasswordAuthentication no
    • Add: AuthenticationMethods publickey,keyboard-interactive

Warning: When changing PAM configuration, keep a root shell open to avoid locking yourself out.

Enable OpenSSH authentication

Note: Supports only OpenSSH 6.2+, SSH protocol 2.

  1. Edit sshd_config (in /etc/ssh/):

    • UsePAM yes

    • If ChallengeResponseAuthentication is present, set it to yes

    • If KbdInteractiveAuthentication is present, set it to yes

    Note: If both directives are present, the first one in the file takes precedence. It is recommended to set both to yes.

    • Uncomment and set UseDNS no

Warning: Keep a root shell open during PAM changes.

  2. Save and exit sshd_config.

  3. CentOS Stream 9 / 10: Open /etc/ssh/sshd_config.d/50-redhat.conf and comment out the line ChallengeResponseAuthentication no if it is present.

  4. Restart the SSH service:

    systemctl restart sshd
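
To confirm that the sshd settings from the two procedures above actually took effect (drop-in files such as 50-redhat.conf can override them), compare the effective configuration printed by sshd -T with the values listed on this page. This is an added example, not part of the Akamai documentation; the function names and the sample input are constructed.

```shell
#!/bin/sh
# Added example: audit effective sshd settings against the values this page sets.
# Input: text in "sshd -T" format (lowercase keyword, whitespace, value per line).

# audit_sshd FILE -> prints one line per problem; returns 0 only if all match.
audit_sshd() {
    awk '
        BEGIN {
            want["usepam"] = "yes"
            want["pubkeyauthentication"] = "yes"
            want["passwordauthentication"] = "no"
            want["kbdinteractiveauthentication"] = "yes"
            want["usedns"] = "no"
            want["authenticationmethods"] = "publickey,keyboard-interactive"
        }
        {
            key = tolower($1)
            if (key in want) {
                val = $0
                sub(/^[^ \t]+[ \t]+/, "", val)   # drop the keyword, keep the value
                seen[key] = 1
                if (val != want[key]) {
                    printf "MISMATCH %s: got \"%s\", want \"%s\"\n", key, val, want[key]
                    bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample (not captured from a real host): password logins are
# still enabled and usedns is absent, so two problems are reported.
sample_sshd_T() {
    cat <<'EOF'
port 22
usepam yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
EOF
}

# Demo on the constructed sample. On a real host, as root:
#   sshd -T > /tmp/sshd-effective.txt && audit_sshd /tmp/sshd-effective.txt
demo=$(mktemp)
sample_sshd_T > "$demo"
audit_sshd "$demo" || echo "sshd settings need attention"
rm -f "$demo"
```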

Modify your PAM configuration

Note: The module path on CentOS Stream is /lib64/security/.

CentOS Stream 9

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line auth substack password-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  required   pam_env.so
    auth  sufficient /lib64/security/pam_akamaimfa.so
    auth  requisite  pam_succeed_if.so uid >= 1000 quiet
    auth  required   pam_deny.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/system-auth.
  2. Locate the line auth sufficient pam_unix.so nullok try_first_pass and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok try_first_pass
    auth  sufficient /lib64/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line auth include system-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib64/security/pam_akamaimfa.so

  3. Save and exit.
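
A mis-edited PAM file is a common way to lock yourself out, so a structural check of the auth stack is useful before you close the root shell. The following is an added example, not Akamai's code; the function names and the sample file are constructed, and the check reads a single file without following include or substack lines.

```shell
#!/bin/sh
# Added example: verify that a PAM service file was edited as this page describes.

# check_pam_auth FILE MODULE REPLACED
#   MODULE   - module file name to look for, e.g. pam_akamaimfa.so
#   REPLACED - stock line that must be commented out, e.g. "auth substack password-auth"
# Prints findings; returns 0 when there are none.
check_pam_auth() {
    awk -v module="$2" -v replaced="$3" '
        function squeeze(s) {
            gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s)
            return s
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            line = squeeze($0)
            if (line == squeeze(replaced)) { print "ACTIVE stock line: " line; bad = 1 }
            if ($1 != "auth") next
            n++                                   # position within the auth stack
            if (index($0, module) && !mfa) mfa = n
            if (index($0, "pam_deny.so") && !deny) deny = n
        }
        END {
            if (!mfa) { print "MISSING auth line for " module; bad = 1 }
            else if (deny && deny < mfa) { print "pam_deny.so runs before " module; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed /etc/pam.d/sshd after the edit described above.
sample_pam_sshd() {
    cat <<'EOF'
#%PAM-1.0
#auth       substack     password-auth
auth  required   pam_env.so
auth  sufficient /lib64/security/pam_akamaimfa.so
auth  requisite  pam_succeed_if.so uid >= 1000 quiet
auth  required   pam_deny.so
account    required     pam_nologin.so
EOF
}

# Demo: break the sample (stock line active, MFA line removed) and check it.
demo=$(mktemp)
sample_pam_sshd | sed -e 's/^#auth/auth/' -e '/pam_akamaimfa/d' > "$demo"
check_pam_auth "$demo" pam_akamaimfa.so "auth substack password-auth" \
    || echo "do not close your root shell yet"
rm -f "$demo"
```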

CentOS Stream 10

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line auth substack password-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  required   pam_env.so
    auth  sufficient /lib64/security/pam_akamaimfa.so
    auth  requisite  pam_succeed_if.so uid >= 1000 quiet
    auth  required   pam_deny.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/system-auth.
  2. Locate the line auth sufficient pam_unix.so nullok try_first_pass and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok try_first_pass
    auth  sufficient /lib64/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line auth include system-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib64/security/pam_akamaimfa.so

  3. Save and exit.

Integration instructions for RHEL-compatible distribution (Rocky Linux)

Follow these steps to set up your Unix PAM integration with RHEL-compatible Linux distributions.

Install libpam_akamaimfa prerequisites and pam_akamaimfa

  1. Download the plugin for your Rocky Linux version:

    Rocky Linux Version   Plugin Version   Download File
    8                     1.1.0            libpam_akamaimfa_rhel8_1.1.0.so
    9                     1.1.0            libpam_akamaimfa_rhel9_1.1.0.so
    10                    1.1.0            libpam_akamaimfa_rhel10_1.1.0.so

    Note: These builds are compatible with RHEL and other RHEL-compatible distributions (AlmaLinux, Oracle Linux, etc.) of the same major version.

  2. Launch a terminal as super user.
  3. Run the following commands to enable the required repositories and install packages:

    • Rocky Linux 8:

        dnf install -y dnf-plugins-core epel-release
        dnf config-manager --set-enabled powertools
        dnf install autoconf libtool pam-devel openssl-devel gcc make

    • Rocky Linux 9 / 10:

        dnf install -y dnf-plugins-core epel-release
        dnf config-manager --set-enabled crb
        dnf install autoconf libtool pam-devel openssl-devel gcc make

    • With SELinux enabled:

        dnf install selinux-policy-devel

  4. Copy the downloaded .so file to the PAM security modules directory:

    cp libpam_akamaimfa_rhel<version>_1.1.0.so /lib64/security/pam_akamaimfa.so
    chmod 755 /lib64/security/pam_akamaimfa.so

    Note: Replace <version> with your Rocky Linux version number (8, 9, or 10).

  5. Create or edit the configuration file at /etc/security/akamaimfa-config.toml using your Unix PAM integration credentials:

    [config]
    signing_key = "<signing_key>"
    app_uuid = "<integration_id>"
    host = "<api_host domain with https:// prefix>"
    log_path = "<full_path_to_your_log_file>"

  6. Save and exit.
  7. Ensure the log file exists with proper permissions. The default log path is /var/log/akamaimfa.log:

    touch /var/log/akamaimfa.log
    chmod 640 /var/log/akamaimfa.log

    Note: chmod 640 means the owner has read/write access; all other users have no rights.

Configure Akamai MFA Linux-based OS PAM

Enable public key authentication

  1. Open sshd_config (usually located in /etc/ssh/).
  2. Edit the following settings:
    • PubkeyAuthentication yes
    • PasswordAuthentication no
    • Add: AuthenticationMethods publickey,keyboard-interactive

Warning: When changing PAM configuration, keep a root shell open to avoid locking yourself out.

Enable OpenSSH authentication

Note: Supports only OpenSSH 6.2+, SSH protocol 2.

  1. Edit sshd_config (in /etc/ssh/):

    • UsePAM yes

    • If ChallengeResponseAuthentication is present, set it to yes

    • If KbdInteractiveAuthentication is present, set it to yes

    Note: If both directives are present, the first one in the file takes precedence. It is recommended to set both to yes.

    • Uncomment and set UseDNS no

Warning: Keep a root shell open during PAM changes.

  2. Save and exit sshd_config.

  3. Rocky Linux 9 / 10 only: Open /etc/ssh/sshd_config.d/50-redhat.conf and comment out the line ChallengeResponseAuthentication no if it is present.

  4. Restart the SSH service:

    systemctl restart sshd

Modify your PAM configuration

Note: The module path on RHEL-compatible systems is /lib64/security/.

Rocky Linux 8

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line auth substack password-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  required   pam_env.so
    auth  sufficient /lib64/security/pam_akamaimfa.so
    auth  requisite  pam_succeed_if.so uid >= 500 quiet
    auth  required   pam_deny.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/system-auth.
  2. Locate the line auth sufficient pam_unix.so nullok try_first_pass and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok try_first_pass
    auth  sufficient /lib64/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line auth include system-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib64/security/pam_akamaimfa.so

  3. Save and exit.

Rocky Linux 9

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line auth substack password-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  required   pam_env.so
    auth  sufficient /lib64/security/pam_akamaimfa.so
    auth  requisite  pam_succeed_if.so uid >= 1000 quiet
    auth  required   pam_deny.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/system-auth.
  2. Locate the line auth sufficient pam_unix.so nullok try_first_pass and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok try_first_pass
    auth  sufficient /lib64/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line auth include system-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib64/security/pam_akamaimfa.so

  3. Save and exit.

Rocky Linux 10

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line auth substack password-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  required   pam_env.so
    auth  sufficient /lib64/security/pam_akamaimfa.so
    auth  requisite  pam_succeed_if.so uid >= 1000 quiet
    auth  required   pam_deny.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/system-auth.
  2. Locate the line auth sufficient pam_unix.so nullok try_first_pass and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok try_first_pass
    auth  sufficient /lib64/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line auth include system-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib64/security/pam_akamaimfa.so

  3. Save and exit.

Integration instructions for Ubuntu distribution

Follow these steps to set up your Unix PAM integration with Ubuntu.

Install libpam_akamaimfa prerequisites and pam_akamaimfa

  1. Download the plugin for your Ubuntu version:

    Ubuntu Version   Plugin Version   Download File
    22.04            1.1.0            libpam_akamaimfa_ubuntu22_1.1.0.so
    24.04            1.1.0            libpam_akamaimfa_ubuntu24_1.1.0.so
    26.04            1.1.0            libpam_akamaimfa_ubuntu26_1.1.0.so

  2. Launch a terminal as super user.
  3. Run this command to install the required packages:

    apt-get install build-essential autoconf libtool libpam-dev libpam0g-dev libpam0g libssl-dev pkg-config

  4. Copy the downloaded .so file to the PAM security modules directory:

    cp libpam_akamaimfa_ubuntu<version>_1.1.0.so /lib/x86_64-linux-gnu/security/pam_akamaimfa.so
    chmod 755 /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

    Note: Replace <version> with your Ubuntu version number (22, 24, or 26).

  5. Create or edit the configuration file at /etc/security/akamaimfa-config.toml using your Unix PAM integration credentials:

    [config]
    signing_key = "<signing_key>"
    app_uuid = "<integration_id>"
    host = "<api_host domain with https:// prefix>"
    log_path = "<full_path_to_your_log_file>"

  6. Save and exit.
  7. Ensure the log file exists with proper permissions. The default log path is /var/log/akamaimfa.log:

    touch /var/log/akamaimfa.log
    chmod 640 /var/log/akamaimfa.log

    Note: chmod 640 means the owner has read/write access; all other users have no rights.

Configure Akamai MFA Linux-based OS PAM

Enable public key authentication

  1. Open sshd_config (usually located in /etc/ssh/).
  2. Edit the following settings:
    • PubkeyAuthentication yes
    • PasswordAuthentication no
    • Add: AuthenticationMethods publickey,keyboard-interactive

Warning: When changing PAM configuration, keep a root shell open to avoid locking yourself out.

Enable OpenSSH authentication

Note: Supports only OpenSSH 6.2+, SSH protocol 2.

  1. Edit sshd_config (in /etc/ssh/) as follows:

    • UsePAM yes

    • If ChallengeResponseAuthentication is present, set it to yes

    • If KbdInteractiveAuthentication is present, set it to yes

    Note: If both directives are present, the first one in the file takes precedence. It is recommended to set both to yes.

    • Uncomment and set UseDNS no

Warning: Keep a root shell open during PAM changes.

  2. Save and exit sshd_config.
  3. Restart the SSH service:

    systemctl restart sshd

Modify your PAM configuration

Note: The module path on Ubuntu is /lib/x86_64-linux-gnu/security/.

Ubuntu 22.04

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  sufficient  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so
    auth  requisite   pam_deny.so
    auth  required    pam_permit.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/common-auth.
  2. Locate the line auth [success=1 default=ignore] pam_unix.so nullok_secure and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok_secure
    auth  sufficient /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.

Ubuntu 24.04

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  sufficient  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so
    auth  requisite   pam_deny.so
    auth  required    pam_permit.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/common-auth.
  2. Locate the line auth [success=1 default=ignore] pam_unix.so nullok_secure and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok_secure
    auth  sufficient /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.

Ubuntu 26.04

SSH public key authentication

  1. Open /etc/pam.d/sshd.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add the following lines:

    auth  sufficient  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so
    auth  requisite   pam_deny.so
    auth  required    pam_permit.so

  3. Save and exit.
  4. Restart the SSH service.

System-wide authentication

  1. Open /etc/pam.d/common-auth.
  2. Locate the line auth [success=1 default=ignore] pam_unix.so nullok_secure and comment it out by prefixing it with #. Then add:

    auth  requisite  pam_unix.so nullok_secure
    auth  sufficient /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.
  4. Restart the SSH service.

SUDO MFA

  1. Open /etc/pam.d/sudo.
  2. Locate the line @include common-auth and comment it out by prefixing it with #. Then add:

    auth  required  /lib/x86_64-linux-gnu/security/pam_akamaimfa.so

  3. Save and exit.