One-time password configuration is applied periodically according to a configurable Group Policy refresh interval (by default every 90 minutes).
NOTE: Your machine must already be joined to the domain to force a Group Policy refresh.
To force a Group Policy refresh
- Log in to the Linux or UNIX machine.
- At a command prompt, execute the following command as root:
  /opt/quest/bin/vgptool apply
The output from this command, when one-time passwords are successfully enabled, looks similar to the following example:
root@testmachine:~# vgptool apply
Group Policy Apply - CallType: REFRESH
Updating VGP From Policy
------------------------
[vgp_vgpext.so]
Accumulating Settings from GPOs
-------------------------------
GPO: Defender DEMO CSE: vgp_defender.so
GUID: 1EBC7D87-EFB7-4376-AA1E-3CE5850AC5E5 PTYPE: 786318DB-DE76-42F2-8A57-F1E0C3ACE113
Applying Settings Changes
-------------------------
[vgp_licext.so]
[vgp_vasext.so]
[vgp_scecli.so]
[vgp_sudoext.so]
[vgp_dfc.so]
[vgp_unixext.so]
[vgp_sshcfg.so]
[vgp_samba.so]
[vgp_defender.so]
Quest Defender Policy
Adding Defender authentication module
Current defender.conf (showing server information only)
10.5.37.22:1645
Current pam_radius_acl.conf
*:testuser1
*:testuser2
*:testuser3
[vgp_qpm4u.so]
[vgp_admext.so]
- Log in using the one-time password.
You can configure one-time password information manually. Manual configuration requires a machine running Safeguard Authentication Services that has pam_defender installed. The machine must also be joined to an Active Directory domain. If an access node cannot be found that applies to the machine, no configuration changes are made.
You can configure one-time passwords manually with VASTOOL.
To configure one-time passwords with vastool
- Log in to the Linux or UNIX machine.
- At a command prompt, execute the following command as root:
  /opt/quest/bin/vastool otp configure radius
The output from this command, when one-time passwords are successfully enabled, looks similar to the following example:
root@testmachine:~# vastool otp configure radius
Configuring defender.conf
Server: 10.5.37.22 Port: 1645
Configuring PAM Radius Access Control List
testuser1
testuser2
testuser3
- To configure PAM for a specific service, such as gdm, run the following command as root:
  /opt/quest/bin/vastool otp configure pam gdm
  NOTE: When successful this command produces no output.
- Log in using the one-time password.
You can configure the pam_defender module to log debug information to a file.
To configure pam_defender to log debug information
- Run the following command:
  /opt/quest/bin/vastool otp configure trace <path to log file>
  This creates the /tmp/pam_def.ini file that the Defender PAM module uses to determine whether it should log debug information, and adds the necessary information to this file to configure full debug.
- Modify the PAM configuration for your system, as follows:
  - Find all lines that specify the pam_defender module.
  - Add the debug option to the end of those lines.