PAM for SSH and SFTP for Red Hat Enterprise Linux (RHEL) 8.x
Overview
Provides passwordless MFA access to Linux Red Hat (RHEL) 8.x
TraitWare PAM module (pam_traitware.8.so) is Red Hat certified software: "Tried, Tested, and Trusted" on Red Hat technology.
TraitWare (TW) MFA pam_traitware.8.so requires a TraitWare account and a TraitWare mobile authentication app.
Ensure all users required to use TraitWare MFA are added to the TraitWare Console and their access to the PAM application is enabled.
It can be configured so that not all users are required to use TW MFA.
For secured SSH and SFTP access, TraitWare PAM has been tested on the following terminals:
Gnome-terminal
Xterm
MAC Terminal
Windows PowerShell (excludes ISE)
Windows Terminal (recommended to use cmd /u)
PuTTY (0.71 and up)
Cygwin Terminal
TABLE OF CONTENTS
- Add Application to TraitWare Console
- Add the TraitWare PAM to RHEL
- Complete the TraitWare Configuration
- Optional Configurations
- Recommended Procedure to Ensure No Lockout
- Log In Test
Add Application to TraitWare Console
Navigate to admin.traitware.com and Login with TraitWare
Go to your customer console after logging in
If you do not already have a TraitWare account, please sign up for a Trial
Select Applications. Click the arrow beside Applications to expand the menu if needed.
Click + to create a new application
Select OAuth 2.0
Name the application
For the Redirect and Return URIs, put n/a
Save Changes
**Note: please read the instructions in the window. The client_secret will only be displayed once.**
Securely save displayed Client ID and Client Secret. Select Close.
The application will now be under the applications list. It is possible to add more applications or modify existing ones.
Select the created application to navigate to this panel if needed
Select Provider Credentials to view the Client ID or to regenerate the Client Secret.
To update user access, navigate to Users in the left panel
- Select + to Create a new User or select an existing user to toggle their access to PAM
Select the Applications tab in the user block
Add the TraitWare PAM to RHEL
Make sure that the machine has at least 4 GB of RAM
For Redhat (RHEL), use at least version 8. Note: setup is slightly different between 8 and 9.
Only the initial admin needs password access, and once the TraitWare PAM Module is configured, password access to the server can be removed by editing the SSHD file.
STOP
**See the 'Recommended Procedure to Ensure No Lockout' section below before starting the configuration.**
Copy TraitWare PAM file to RHEL
Obtain the latest pam_traitware.8.so
Download link: https://traitware-pam-rhel8.s3.amazonaws.com/pam_traitware.8.so.zip
Unzip the file and copy the .so file to your machine using sftp
SSH to your machine and run the following commands
From the directory where you copied the .so file (make sure you are in the directory with the file)
$ sudo mv -vZ pam_traitware.8.so /usr/lib64/security
$ cd /usr/lib64/security
$ sudo chmod a+x pam_traitware.8.so
$ sudo chcon --reference /usr/lib64/security/pam_unix.so /usr/lib64/security/pam_traitware.8.so
Add libqrencode.so.3
Install the following required dependencies
- libpng12.so.0()(64bit) is needed by qrencode-3.2.0-1.el6.rf.x86_64
- libpng12.so.0(PNG12_0)(64bit) is needed by qrencode-3.2.0-1.el6.rf.x86_64
$ sudo wget https://rpmfind.net/linux/opensuse/distribution/leap/15.3/repo/oss/x86_64/libpng12-0-1.2.57-2.18.x86_64.rpm
$ sudo rpm -i libpng12-0-1.2.57-2.18.x86_64.rpm
$ sudo rpm -i qrencode-3.2.0-1.el6.rf.x86_64.rpm
Complete the TraitWare Configuration
Edit the sshd file
$ sudo nano /etc/pam.d/sshd
Add the following line, using the client_id and client_secret from the application you created earlier in the TraitWare Console (the module name must match the file copied to /usr/lib64/security):
auth required pam_traitware.8.so client_id=<yourclientid> client_secret=<yourclientsecret>
Modify the sshd_config
$ sudo nano /etc/ssh/sshd_config
Example of the /etc/ssh/sshd_config file:
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
#TW set to no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
Allow TraitWare PAM to communicate to external TraitWare Authentication Server
$ sudo setsebool -P nis_enabled on
Restart sshd Service to Complete Setup
$ sudo systemctl restart sshd
Optional Configurations
It is suggested you only modify these settings after you have successfully tested the standard configuration.
Root User Configuration (optional)
$ sudo nano /etc/ssh/sshd_config.d/01-permitrootlogin.conf
PermitRootLogin yes
(optional: 'yes' is the default. Set to 'no' to disallow root login; this depends on how you want to configure your user access)
Remove password-auth (optional)
Once the configuration above is complete, you can remove (or comment out with #) certain items that list 'password-auth' from the sshd file. If you choose to do this, restart the sshd service as explained above.
Recommended Procedure to Ensure No Lockout
It is recommended that a second terminal window be opened and used to test the login, to make sure the configuration is complete and correctly set up. If the login fails, return to the other open terminal connection and make any needed corrections. For testing, you can set the control for pam_traitware to sufficient instead of required, which leaves password auth in place as a backup: if the pam_traitware.8.so configuration is not correct and the initial login fails, a password is required. Once pam_traitware.8.so is configured correctly and login is verified, you can change sufficient back to required. You can also comment out or remove other login methods, unless the machine is being configured so that sshd allows alternate methods for different users.
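As an added example (not TraitWare's tooling), the following POSIX shell pre-flight script checks the files edited in this guide before sshd is restarted: that the module is present, that the auth line in /etc/pam.d/sshd uses required or sufficient with the placeholder client_id/client_secret replaced, and that ChallengeResponseAuthentication is still yes. File paths are passed as parameters so it can be run against copies of the files; the leftover-placeholder check and the warning wording are my own conventions, not anything the module requires.

```shell
#!/bin/sh
# Pre-flight check for the TraitWare sshd/PAM setup described above.
# Added example, not TraitWare's own tooling. All paths are parameters so the
# checks can be run against copies of the files before touching the live ones.

# Effective value of an sshd_config keyword: sshd uses the first
# uncommented occurrence, so print that one and stop.
sshd_option() {  # $1 = keyword, $2 = sshd_config path
    awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# Control flag (required, sufficient, ...) on the pam_traitware auth line.
pam_traitware_control() {  # $1 = /etc/pam.d/sshd path
    awk '$1 == "auth" && $3 ~ /^pam_traitware(\.8)?\.so$/ { print $2; exit }' "$1"
}

# Returns 0 when sshd can be restarted safely, 1 when a hard error is found.
# Findings are printed one per line.
preflight() {  # $1 = sshd_config, $2 = /etc/pam.d/sshd, $3 = module path
    rc=0
    [ -f "$3" ] || { echo "ERROR: module $3 not installed"; rc=1; }

    ctl=$(pam_traitware_control "$2")
    case "$ctl" in
        required|sufficient) ;;
        "") echo "ERROR: no 'auth ... pam_traitware' line in $2"; rc=1 ;;
        *)  echo "ERROR: unexpected control '$ctl' on pam_traitware line"; rc=1 ;;
    esac

    # Placeholders from the guide (<yourclientid>, ...) must have been replaced.
    if grep -q 'pam_traitware.*<' "$2"; then
        echo "ERROR: client_id/client_secret placeholders still present in $2"; rc=1
    fi

    # PAM prompts reach the SSH client via keyboard-interactive; this must stay on.
    [ "$(sshd_option ChallengeResponseAuthentication "$1")" = "yes" ] ||
        { echo "ERROR: ChallengeResponseAuthentication must be yes"; rc=1; }

    # Not an error, but exactly the situation the lockout procedure warns about.
    if [ "$ctl" = "required" ] &&
       [ "$(sshd_option PasswordAuthentication "$1")" = "no" ]; then
        echo "WARN: no password fallback; keep a second session open while testing"
    fi
    return $rc
}
```

Run it as `preflight /etc/ssh/sshd_config /etc/pam.d/sshd /usr/lib64/security/pam_traitware.8.so` from the session you intend to keep open, and only restart sshd when it exits 0.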
Log In Test
$ ssh username@host
Either Scan QR and enter 1 into the terminal, or enter 2 into the terminal for the Push notification (TraitWare PreAuth) method
**Note: To use push authentication, it has to be allowed in the TraitWare Console, and users have to be trained to pre-authenticate on their mobile device. This is a patented TraitWare feature that limits unrequested push notifications, which are a known source of data breaches.**
Open the TW app and authenticate to the SSH Acct
Enter the email registered with the TW App in the terminal
Accept the push notification with the mobile app
Click the check mark to login
To exempt some users from TraitWare authentication, edit /etc/pam.d/sshd so that the `auth required pam_traitware.8.so` line is skipped for those users.