LoginTC Web makes it easy for Unix administrators to add multi-factor authentication to SSH access to their Unix systems. If you would rather use our LoginTC RADIUS Connector to protect SSH, see: Two factor authentication for SSH using PAM RADIUS module.
Before proceeding, please ensure you have the following:
If you have already created a LoginTC domain for your LoginTC API Connector, then you may skip this section and proceed to Installation.
Domain settings can be modified at any time by navigating to Domains > Your Domain > Settings.
(Tested on CentOS 6.4)
C client dependencies:
$ sudo yum install git gcc gcc-c++ make curl-devel cmake
Get and install the client:
$ git clone https://github.com/logintc/logintc-c.git
$ pushd logintc-c
$ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
$ make
$ sudo make install
$ popd
PAM dependencies:
$ sudo yum install pam-devel
Get and build LoginTC PAM:
$ git clone https://github.com/logintc/logintc-pam.git
$ pushd logintc-pam
$ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
$ make
$ sudo make install
$ popd
Now both the LoginTC C and PAM libraries are installed and ready to configure.
Edit /etc/pam.d/sshd and add the following line:
auth required pam_logintc.so api_key=YOUR_API_KEY domain_id=YOUR_DOMAIN_ID
Property | Explanation |
---|---|
YOUR_API_KEY | The 64-character organization API key |
YOUR_DOMAIN_ID | The 40-character domain ID |
The API key is found on the LoginTC Admin Settings page. The Domain ID is found on your domain settings page.
Here is a sample /etc/pam.d/sshd PAM auth configuration:
auth required pam_logintc.so api_key=vZkDw7l6Z3tApwZJXERseKdR0s5RNNqjMxXIwvxpWwJOa9oJXi9b5tdvPyFsqzwJ domain_id=9120580e94f134cb7c9f27cd1e43dbc82980e152 timeout=300
auth required pam_sepermit.so
auth include password-auth
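A check to run on the PAM file before restarting sshd, given as an added example that is not part of LoginTC's documentation or code: it confirms that the pam_logintc.so line uses the required control flag, that api_key and domain_id have the 64 and 40 character lengths stated above, and that the file holding the API key is not readable by other local users. The function name check_logintc_pam is hypothetical, the file-mode check is an added hardening assumption, and the script relies on GNU stat.

```shell
#!/bin/sh
# Added example: lint the pam_logintc line of a PAM service file.
# check_logintc_pam is a hypothetical helper name, not part of LoginTC.
check_logintc_pam() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

    # First non-comment auth line that loads pam_logintc.so
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_logintc\.so' "$file" | head -n 1)
    [ -n "$line" ] || { echo "no pam_logintc.so auth line in $file" >&2; return 1; }

    # Split the line into words; word 2 is the PAM control flag
    set -- $line
    [ "$2" = "required" ] || { echo "control flag is '$2', expected 'required'" >&2; rc=1; }

    api_key=''
    domain_id=''
    for arg in "$@"; do
        case $arg in
            api_key=*)   api_key=${arg#api_key=} ;;
            domain_id=*) domain_id=${arg#domain_id=} ;;
        esac
    done
    [ "${#api_key}" -eq 64 ] || { echo "api_key is ${#api_key} chars, expected 64" >&2; rc=1; }
    [ "${#domain_id}" -eq 40 ] || { echo "domain_id is ${#domain_id} chars, expected 40" >&2; rc=1; }

    # The API key sits in this file in clear text (assumption: it should
    # be readable by root only), so flag any mode that lets "other" read it.
    mode=$(stat -c '%a' "$file")   # GNU coreutils stat
    case $mode in
        *[4567]) echo "$file is mode $mode: other local users can read the API key" >&2; rc=1 ;;
    esac
    return $rc
}

# Stand-alone use: sh check.sh /etc/pam.d/sshd
[ "$#" -eq 0 ] || check_logintc_pam "$1"
```

The function returns 0 when every check passes, 1 when a check fails, and 2 when the file cannot be read.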
Restart sshd:
$ sudo service sshd restart
Now SSH access into the Unix system will require username / password, as well as LoginTC two-factor authentication.
Test by SSHing directly into the Unix system. The username of the Unix user must match the username of the user created in your organization and added to the domain you have configured to authenticate against. You can also test the installed PAM library with your own custom program. For more information please see LoginTC PAM.
There are several options for managing your users within LoginTC: