Linux Two Factor Authentication
Linux two-factor authentication is supported via TRASAGATE PAM (Pluggable Authentication Modules).
TRASAGATE PAM is a PAM module that handles second-factor authentication on *nix systems.
Installation
You will need root privileges while setting up trasaPAM.
Keep a separate SSH connection open with root privileges until the whole process finishes, so that you can always troubleshoot in case the configuration goes wrong.
Download TrasaPAM
Unzip files
# unzip TrasaPAM.zip -d destination_folder
Configure
Inside the extracted directory, open trasapam.toml (for example with # vi trasapam.toml) and configure it with the following data:
[trasaPAM]
trasaServerURL = "<address of TRASAGATE server>"
serviceID = "<serviceID(copy from service profile)>"
serviceKey = "<serviceKey(copy from service profile)>"
offlineUsers = "<users to allow in case PAM module cannot contact TRASAGATE server>"
insecureSkipVerify = <boolean value. false by default. set true if TRASAGATE server is using self signed TLS certificate. >
Copy config file
Copy trasapam.toml to /etc/trasa/config/trasapam.toml.
Copy the trasapam.so file to /lib/security/ for Debian or /lib64/security/ in case of CentOS.
Configure SSH
Open the /etc/ssh/sshd_config file and make sure UsePAM yes and ChallengeResponseAuthentication yes are set.
Make trasaPAM PAM aware
- Open /etc/pam.d/sshd
- Add auth required trasapam.so for Debian, or auth required /lib64/security/trasapam.so in case of CentOS, at the end of the file.
Finishing
Restart sshd to reload the PAM module: $ sudo systemctl restart sshd
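Because a mistake in sshd_config or /etc/pam.d/sshd can lock you out of SSH, it pays to verify the files from the spare root session before restarting sshd. The following pre-flight check is an added example, not part of the TrasaPAM project; it reads the paths given above (Debian layout, adjust the .so path for CentOS) and each function takes its file as an argument so it can also be pointed at test copies.

```shell
#!/bin/sh
# Added pre-flight check for the TRASA PAM setup described on this page.
# Each function takes the file to inspect as $1 so it can run against copies.

# sshd keywords are case-insensitive; a leading '#' means the line is commented out,
# so only an uncommented "<keyword> yes" line counts.
sshd_option_is_yes() {  # $1=sshd_config path, $2=keyword
    grep -iE "^[[:space:]]*$2[[:space:]]+yes[[:space:]]*\$" "$1" >/dev/null 2>&1
}

# The trasapam entry must be an active 'auth required' line, and the page asks for it
# at the end of /etc/pam.d/sshd, so verify it is the last non-comment line.
pam_has_trasapam() {  # $1=/etc/pam.d/sshd path
    last=$(grep -vE '^[[:space:]]*(#|$)' "$1" | tail -n 1)
    printf '%s\n' "$last" |
        grep -E '^auth[[:space:]]+required[[:space:]]+(/lib64/security/)?trasapam\.so' >/dev/null
}

# The TOML must define every key the module reads; a missing serviceKey, for example,
# would leave the module unable to talk to the TRASAGATE server.
toml_has_keys() {  # $1=trasapam.toml path
    for key in trasaServerURL serviceID serviceKey offlineUsers insecureSkipVerify; do
        grep -E "^[[:space:]]*$key[[:space:]]*=" "$1" >/dev/null || return 1
    done
    return 0
}

# Runs every check, reports each failure, and returns non-zero if any check failed.
check_all() {  # $1=sshd_config $2=pam.d/sshd $3=trasapam.toml $4=trasapam.so path
    rc=0
    sshd_option_is_yes "$1" UsePAM || { echo "$1: UsePAM yes missing"; rc=1; }
    sshd_option_is_yes "$1" ChallengeResponseAuthentication ||
        { echo "$1: ChallengeResponseAuthentication yes missing"; rc=1; }
    pam_has_trasapam "$2" || { echo "$2: 'auth required trasapam.so' is not the last active line"; rc=1; }
    toml_has_keys "$3" || { echo "$3: a required trasaPAM key is missing"; rc=1; }
    [ -f "$4" ] || { echo "$4: PAM module file not installed"; rc=1; }
    return $rc
}

# Set TRASA_CHECK_RUN=1 to check the live files from the page (Debian paths).
if [ "${TRASA_CHECK_RUN:-0}" = 1 ]; then
    check_all /etc/ssh/sshd_config /etc/pam.d/sshd \
        /etc/trasa/config/trasapam.toml /lib/security/trasapam.so
fi
```

Run it as root with TRASA_CHECK_RUN=1; a zero exit status means every file matches the steps above, and any message names the file to fix before you restart sshd.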
Testing
$ ssh root@test-machine
password:
Enter your trasaID:
Choose TFA method (enter blank for U2F):