To enable one-time password authentication for Unix
- In the Group Policy Object Editor, navigate to Unix Settings | Quest Defender.
- Double-click the Defender Settings policy in the right-hand pane.
- Click Enable Defender PAM authentication.
-
Configure Defender to require a one-time password for specific login services, or all login services.
A login service is any process that authenticates a user to a Unix host. You configure login services for PAM in the pam.conf file. By default, sshd and ssh are automatically configured since this is the most typical scenario. You can specify additional services. The name of the service must correspond to the service name in PAM.conf. On some platforms the service names may differ, in that case, specify all service names for all platforms where you have installed Defender.
- To prompt for a one-time password for all services, select Require Defender PAM authentication for all services.
- Click OK to save your settings and close the Defender Settings Properties dialog.
Privilege Manager for Unix controls which users are able to gain root access on Unix hosts. It is similar to sudo with more advanced features and functionality. You can use Group Policy to control Privilege Manager for Unix settings on hosts that are also running Safeguard Authentication Services.
One Identity Privilege Manager for Unix uses policy files to define the rules governing which users are able to run which commands as root. The policy files are defined using syntax defined by Privilege Manager for Unix. When the policy files are applied on the Unix host, the Group Policy agent validates the new set of policy rules to ensure that there are no syntax or logical errors in the rules. If the policy rules do not validate, the Group Policy agent logs an error and does not apply the policy files. This ensures that an oversight or other error does not break the security infrastructure already in place.
BEST PRACTICE: As a best practice, always test your policy configuration prior to applying it by means of Group Policy.
If you add a file named pm.conf, this file overrides the default root policy file. The Group Policy agent updates the list of files included from the root policy file to included all of the configured files. If the validation step fails after updating the included files, the policy is not applied.
For more information about the syntax of Privilege Manager for Unix policy files, refer to the documentation included with One Identity Privilege Manager for Unix.
To configure Privilege Manager policy files
- In the Group Policy Object Editor, navigate to Unix Settings | Quest Privilege Manager.
- Double-click Privilege Manager Policy Files.
The Privilege Manager Policy Files Properties dialog opens.
- Click Add to browse for a Privilege Manager policy file. You can browse the local host or a remote host running SSH.
- Once you have added all of the policy files, you can reorder them using the Up and Down buttons.
- You can edit the contents of the policy file directly by either double-clicking the item in the list or clicking Edit File.
Privilege Manager policy files are evaluated when group policy is applied. If a Privilege Manager policy file contains errors it is not applied.
- Click OK to save settings and close the Privilege Manager Policy Files Properties dialog.
