The Defender Pluggable Authentication Module (PAM) is a UNIX/Linux module that authenticates the users of PAM-enabled services (such as ftp, sshd, and su) via Defender. To authenticate users, the Defender PAM module uses the RADIUS protocol and the Defender Security Servers deployed in your environment.
To install the Defender PAM on your UNIX or Linux system, use the appropriate platform-specific files such as .rpm, .pkg, .deb, .depot, or .bff supplied with Defender. In the Defender distribution package, you can find these files in the Setup\Unix PAM folder.
For example, on a Linux x86_64 system, use the Linux RPM program to install the pamdefender-<version>.x86_64.rpm package. In addition to installing the Defender PAM, the package installs PAM Defender configuration scripts into the /opt/quest/libexec/defender directory.
Because all Defender token information is associated with user objects in Active Directory, an Active Directory user must be given a UNIX identity on the local system before the Defender PAM can validate any security tokens for the user. You can create a UNIX identity for an Active Directory user manually or by using a Name Service Switch (NSS) module that provides UNIX identity information directly from Active Directory.
To manually create a UNIX identity for an Active Directory user, modify the /etc/passwd file so there exists a user who has a local user name that exactly matches the value stored in the user ID attribute of your Active Directory user. The user ID attribute is configurable when you create an Access Node. Usually, it is samAccountName, defender ID, or userPrincipalName.
Alternatively, you can use the Defender PAM in conjunction with the NSS module supplied with the product. With this method, Authentication Services provide UNIX identity information to any UNIX-enabled Active Directory user. To use Authentication Services for getting UNIX identity information for Active Directory users, use the vastool join command to join your UNIX/Linux computer to the Active Directory domain. For more information, see the vastool man page.
After installing the PAM Defender package on your UNIX or Linux system, you need to complete the following steps to enable Defender authentication for the users of PAM-enabled services:
You can considerably simplify these steps by using Authentication Services and Group Policy. To find out more about Authentication Services, please visit https://www.oneidentity.com/products/authentication-services/.
You can enable Defender authentication for a PAM-enabled service by adding the Defender PAM to the system PAM configuration for that service. Some UNIX/Linux systems store system PAM configuration in the /etc/pam.conf file, while others keep PAM configuration in a set of files in the /etc/pam.d directory.
To configure the Defender PAM on your system, you can use a PAM configuration utility and script supplied with the Defender PAM. For example, to configure Defender authentication for a single service such as sshd, run the following command:
/opt/quest/libexec/defender/configure_pam_defender.sh sshd add
This script establishes the correct location for the specified service and adds the configuration for the Defender PAM. If you want to configure Defender authentication for more than one service, run the script again, specifying a new service name in place of sshd.
You can use this same script to remove the Defender PAM configuration. To do this, run the following command:
/opt/quest/libexec/defender/configure_pam_defender.sh sshd remove
Before enabling the Defender PAM for the sshd service, ensure that the use of PAM modules and challenge-response authentication are enabled on the ssh server. For example, on OpenSSH servers the /etc/ssh/sshd_config file should contain the following configuration lines:
You will need to restart sshd after making any changes to the sshd_config file.
Any ssh clients used to login to the server should also be configured to allow challenge-response authentication. For example, on OpenSSH clients, the following line should exist either in the system ssh config file (/etc/ssh/ssh_config) or in the user’s ssh config file (~/.ssh/config):
When a user accesses a service that has been configured for Defender authentication, they are prompted for a Defender token passcode, as shown in the example below:
$ ssh jbloggs@unix002
Last login: Wed 14 May 14:03:22 2014 on /dev/pts/2 from unix001
After entering a valid passcode, the user may be prompted for further credentials, depending on other authentication methods in the service’s System PAM configuration, for example, UNIX password authentication or Authentication Services AD authentication.
Please refer to the PAM_DEFENDER (5) man page on your UNIX system for more information on the Defender PAM (use the command man –M /opt/quest/man pam_defender to display the man page).