UniOTP PAM Agent
This document details how to install and configure the UniOTP PAM Authentication Agent in the Red Hat Enterprise Linux 5 operating system, and how to use UniOTP's authentication system as an additional factor in user authentication.
Environment: Operating System: Red Hat Enterprise Linux 5
Important: there is currently no way to safely test whether a user account bound to UniOTP authenticates successfully on Linux after installation and configuration. Back up all important data and proceed carefully.
- 1 Installation
- 2 PAM Agent Configuration
- 3 Testing PAM Authentication Agent
Navigate to the directory where the setup package "pam_secu.tar.gz" is located. In the example screenshot below, the setup package is located in /tmp/Desktop. Use "cd" to change to that directory and "tar zxvf" to extract the setup package, as shown below.
The "tar" command extracts the files into the same directory as the archive file "pam_secu.tar.gz".
Install the PAM Authentication Agent
To install the PAM Agent, you must be logged in as root. Once logged in as root, change to the directory of the extracted files and run "./install".
The following will appear.
After installation has completed, the system will prompt "Change configuration file now? [y/n]". If you want to change the configuration file now, input y and press enter; otherwise, input n and press enter. Here, input n and press enter; the configuration file can be changed later. The following information will be displayed. Make sure the configuration file has been configured correctly before restarting your computer, otherwise the next login may fail.
Verify PAM Agent Installation
You can check whether the PAM agent has been installed successfully as follows.
1. Go to /lib/security and check for the pam_secu.so file.
2. Go to /usr/lib and check for the libuniotp_agent_c.so file.
3. Go to /etc and check for the secu_pam_agent.conf file.
If all of these files are present in the corresponding directories, the PAM Agent has been installed successfully, and the next step is to configure it.
PAM Agent Configuration
This file contains settings for the system account, the mapping of the dynamic password account name to the system account, the authentication server IP address, the shared key and the authentication server port. For more details, read the introduction in secu_pam_agent.conf.
The following file will be opened. Add a system user and other corresponding parameters as shown in the picture below.
- [user name]: a valid system account name (example: [root])
- uniotp_account: the dynamic password account name mapped to [user name]
- authserver: authentication server IP address
- share: shared secret key (obtained from the authentication service administrator)
- port: authentication server connection port
- maxwait: the maximum time to wait for an authentication server response
Configure the PAM Authentication Agent
Configuring the PAM authentication agent means adding the OTP Server PAM authentication agent program to the authentication module service, which is in
Configure Command Line Login Authentication
Open the login file in the /etc/pam.d directory and add the row "auth required pam_secu.so".
Save and quit. Now you have finished all PAM agent configurations for command line login authentication. There are five control-flag keywords: required, requisite, sufficient, optional and include.
- required: this indicates that the success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
- requisite: like required, however, in the case that such a module returns a failure, control is directly returned to the application. The return value is that associated with the first required or requisite module to fail. Note, this flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system. This possibility should be weighed against the not insignificant concerns of exposing a sensitive password in a hostile environment.
- sufficient: the success of this module is deemed `sufficient' to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. In the event that no previous required module has failed, no more `stacked' modules of this type are invoked (note that in this case subsequent required modules are not invoked). A failure of this module is not deemed fatal to satisfying the application that this module-type has succeeded.
- optional: as its name suggests, this control-flag marks the module as not being critical to the success or failure of the user's application for service. In general, Linux-PAM ignores such a module when determining whether the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked modules, this module will determine the nature of the response to the application. One example of this latter case is when the other modules return something like PAM_IGNORE.
- include: this tells PAM to include all lines of the given type from the configuration file specified as an argument to this control. The idea is to create a few "systemwide" PAM configs and include parts of them in application PAM configs.
pam_secu.so supports a debug option. If you add debug after pam_secu.so, the debug information is written to the system log file (for example: auth sufficient pam_secu.so debug). You can also specify the configuration file with conf –directory (for example: auth sufficient pam_secu.so conf –/etc/secu_pam_agent.conf); the agent then reads the configuration file from the specified location instead of the default one.
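As an added example (not code from the UniOTP agent or this document), a small Python simulation of how Linux-PAM walks an auth stack under the control flags above, using the login stack from this page (required pam_secu.so) and the sshd stack (sufficient pam_secu.so); pam_unix.so is assumed to be the module that follows, and the module results are constructed.

```python
# Added example, not part of the UniOTP agent: a simplified simulator of how
# Linux-PAM evaluates an "auth" stack under the control flags described above.
# pam_unix.so is an assumed follow-on module; module results are constructed.

def evaluate_auth_stack(stack, results):
    """Walk a stack of (control_flag, module) pairs in order.

    results maps module name -> True (PAM_SUCCESS) or False (failure).
    Returns (outcome, invoked): "success"/"fail" and the modules that ran.
    """
    first_failure = None   # first required/requisite module that failed
    optional_result = None
    invoked = []
    for flag, module in stack:
        ok = results[module]
        invoked.append(module)
        if flag == "required":
            # failure is recorded but hidden until the whole stack has run
            if not ok and first_failure is None:
                first_failure = module
        elif flag == "requisite":
            # failure hands control straight back to the application
            if not ok:
                return "fail", invoked
        elif flag == "sufficient":
            # success ends the stack unless an earlier required module
            # failed; a failure of this module is not fatal by itself
            if ok and first_failure is None:
                return "success", invoked
        elif flag == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unsupported control flag: {flag}")
    if first_failure is not None:
        return "fail", invoked
    if any(flag in ("required", "requisite") for flag, _ in stack):
        return "success", invoked
    # nothing definite happened: an optional module decides the answer
    return ("success" if optional_result else "fail"), invoked


# The two stacks this page configures (pam_unix.so assumed to follow).
LOGIN_STACK = [("required", "pam_secu.so"), ("required", "pam_unix.so")]
SSHD_STACK = [("sufficient", "pam_secu.so"), ("required", "pam_unix.so")]

if __name__ == "__main__":
    both_ok = {"pam_secu.so": True, "pam_unix.so": True}
    print("login:", evaluate_auth_stack(LOGIN_STACK, both_ok))
    print("sshd: ", evaluate_auth_stack(SSHD_STACK, both_ok))
```

Running it shows why the command-line login asks for both the OTP and the static password while the sshd stack stops after a successful OTP; it also shows that a failed sufficient module is not fatal by itself, so the sshd outcome then rests on the modules after it, which is worth confirming when you test.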
Configure Desktop Login Authentication
Open the PAM configuration file for gdm in the /etc/pam.d directory and add "auth required pam_secu.so" as the first row.
Save and quit. You have now finished all PAM agent configuration for desktop login authentication. Make sure the configuration file has been configured correctly before restarting your computer, otherwise login may fail on the next boot.
Configure Remote Terminal Login Authentication
Open the sshd file in the /etc/pam.d directory and add the row "auth sufficient pam_secu.so sshd".
For remote login authentication configuration, you can only use sufficient. Save and quit. You have now finished all PAM agent configuration for remote terminal login authentication.
Testing PAM Authentication Agent
Testing Command Line Authentication
Input the user name [root] and press enter. The system will then ask for OTP[PIN]. Input the dynamic password generated by your OTP device followed by your PIN on this line and press enter. At the next Password prompt, input your static password and press enter. You are logged in as root if you see [root@localhost ~]#.
Testing Desktop Login Authentication
After configuring the gdm file, you can log in to the system using the GUI; input the user name when the following login interface appears.
Input the user name [root], and the password interface will appear.
Input the OTP and PIN, then press enter. If you can log in to the system, you have successfully configured the PAM agent for desktop login authentication.
Testing Remote Login Authentication
We use SecureCRT as the remote login tool. After UniOTP protection is enabled for remote login authentication, you must input OTP+PIN in the password field and click OK to log in to the host computer.
Once logged in successfully, the following picture is displayed: