PAM for SSH and SFTP for Red Hat Enterprise Linux (RHEL) 9.x

Overview

• Provides passwordless MFA access to Linux Red Hat (RHEL) 9.x

• TraitWare PAM module (pam_traitware.9.so) is Red Hat certified software: "Tried, Tested, and Trusted" on Red Hat technology.

• TraitWare (TW) MFA  pam_traitware.9.so requires a TraitWare account and a TraitWare mobile authentication app.

• Ensure all users required to use TraitWare MFA are added to the TraitWare Console and their access to the PAM application is enabled. 

• Can be configured so not all users are required to use TW MFA

For secured SSH and SFTP access, TraitWare PAM has been tested on the following terminals:

• Gnome-terminal

• Xterm

• MAC Terminal

• Windows Powershell (excludes ISE)

• Windows Terminal (recommended to use cmd /u)

• PTTY (0.71 and up)

• Cygwin Terminal

TABLE OF CONTENTS

• Add Application to TraitWare Console
• Add the TraitWare PAM to RHEL
  • Copy TraitWare PAM file to RHEL 
  • Add libqrencode.so.4
• Complete the TraitWare Configuration
  • Edit the sshd file
  • Modify both the sshd_config and *.conf files
  • Allow TraitWare PAM to communicate to external TraitWare Authentication Server
  • Restart sshd Service to Complete Setup
• Optional Configurations
  • Root User Configuration (optional)
  • Remove password-auth (optional)
• Recommended Procedure to Ensure No Lockout
• Log In Test

Add Application to TraitWare Console

• Navigate to admin.traitware.com and Login with TraitWare

• If you do not already have a TraitWare account, please sign up for a Trial

• Under Manage, select the desired customer account

• Select Applications. Click the arrow and select Applications

• Click + to create a new application

• Select OAuth 2.0

• Name application, redirect and return URIs, put n/a

• Save Changes

**Note: the Instructions in the window. Once this screen is closed the client_secret is hidden.

• Securely save displayed Client ID and Client Secret. Select OK 
• The application will now be under the applications list. It's possible to add more applications or modify existing ones
  

• If the application created is selected, it's possible to navigate to this panel 

• Select Provider Credentials to view the Client ID or to regenerate the Client Secret.

• Update user access, navigate to Users in left panel

• Select  + to Create User 

• Select an existing user to Toggle their access to PAM
  
  

• Select Applications in the user block

Add the TraitWare PAM to RHEL

• Make sure that the machine has at least 4 GB of RAM
• For Redhat (RHEL), use at least version 8.  Note: setup is slightly different between 8 and 9.  The sshd_config has to be modified in both 8 and 9 to change PasswordAuhentication to no and ChallengeResponse Authentication to yes. For RHEL 9  the “include” files in sshd_config that have these variables have to be modified. See details below for  RHEL 9.
• Only the initial admin needs password access, and once the TraitWare PAM Module is configured, password access to the server can be removed by editing the SSHD file.

STOP

**See the 'Recommended Procedure to Ensure No Lockout' section below before starting the configuration.**

Copy TraitWare PAM file to RHEL 

• Obtain the latest pam_traitware.9.so

• Download link: https://traitware-pam-rhel9.s3.amazonaws.com/pam_traitware.9.so.zip

• Unzip the file and copy the .so file to your machine using sftp

• SSH to your machine and run the following commands

From the directory where you copied the .so file (make sure you are in the directory with the file)

$ sudo mv -vZ pam_traitware.9.so /usr/lib64/security

$ cd /usr/lib64/security

$ sudo chmod a+x pam_traitware.9.so

$  sudo chcon --reference /usr/lib64/security/pam_unix.so /usr/lib64/security/pam_traitware.9.so

Add libqrencode.so.4

$ sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

$ sudo dnf upgrade

$ sudo dnf install qrencode-devel

Complete the TraitWare Configuration

Edit the sshd file

$ sudo nano /etc/pam.d/sshd

Modify the following to include the client_id and client_secret from the application you created earlier in the TraitWare Console.

auth required pam_traitware.so client_id=<yourclientid> client_secret=<yourclientsecret>

Modify both the sshd_config and *.conf files

• The *.conf files are located in the directory /etc/ssh/sshd_config.d
• Note: the *.conf files listed below are examples and the names of the *.conf files may be different on your machine.

$ sudo nano /etc/ssh/sshd_config

• PasswordAuthentication no

• PermitEmptyPasswords no
  

$ sudo nano sshd_config.d/50-redhat.conf

• ChallengeResponseAuthentication yes

• GSSAPIAuthentication no

• GSSAPICleanupCredentials no

• UsePAM yes

• X11Forwarding yes

• PrintMotd no

$ sudo nano sshd_config.d/50-cloud-init.conf

•  PasswordAuthentication no

Allow TraitWare PAM to communicate to external TraitWare Authentication Server

$ sudo setsebool -P nis_enabled on

Restart sshd Service to Complete Setup

$ sudo systemctl restart sshd

Optional Configurations

It is suggested you only modify these settings after you have successfully tested the standard configuration. 

Root User Configuration (optional)

$ sudo nano sshd_config.d/01-permitrootlogin.conf 

• PermitRootLogin yes (optional: 'yes' is default.  Set to 'no' to not allow root login - depends on how you want to configure your user access)

Remove password-auth (optional)

Once configuration above is complete you can remove (or comment out with #) certain items that list 'password-auth' from the sshd file.  If you choose to do this, restart the sshd service as explained above.

Recommended Procedure to Ensure No Lockout

It is recommended that a second terminal window be opened and used to test the login to make sure the configuration is complete and correctly set up.  If the login fails, return to another open terminal connection and make any needed corrections.  For testing, you can set the auth for the pam_traitware to be sufficient instead of required which leaves password auth in place as a backup.  If the pam_traitware.9.so configuration is not correct and the initial login fails, a password is required. Once pam_traitware.9.so is configured correctly and login is verified, you can change sufficient to required. You can also comment out or remove other login methods unless the machine is being configured so that sshd allows alternate methods for different users.

Log In Test

• $ ssh username@host

• Either Scan QR and enter 1 into the terminal, or enter 2 into the terminal for the Push notification (TraitWare PreAuth) method

**Note: To use push authentication, it has to be allowed in the TraitWare Console, and user have to be trained to pre-authenticate to their mobile device. This a patented TraitWare feature that limits unrequested push notifications, which are a known source of data breaches 

• Open the TW app and authenticate  to the SSH Acct 

• Enter the email registered with the TW App in the terminal

• Accept the push notification with the mobile app 

• Click the check mark to login
• For not requiring TraitWare auth for all users edit: /etc/pam.d/sshd to skip the auth required pam_traitware.9.so