
Linux SSH & XRDP Logon

Overview

AuthX integrates with the Linux SSH and XRDP logon process to add two-factor authentication (2FA) to SSH and RDP login sessions.

System Requirements

AuthX Authentication for SSH & XRDP on Linux machines supports the following client and server operating systems:

  • Ubuntu 20.04

AuthX Factor Support

AuthX for SSH & XRDP on Linux machines supports these factor types for 2FA:

  • Push

  • One-Time Password (OTP)

  • Phone SMS and Call (SSH only)

Windows Application Creation

Prerequisites: make sure the company has an active user before adding an application; otherwise you will get an error.

  1. Sign up for an AuthX account here: https://admin.authx.com/signup

  2. Navigate to the Applications tab

  3. Click Protect Application and select Protect for Windows

     

  4. Provide your inputs on the Application Name, Description, & Policies

  5. Save the application. 

  6. If further configuration is needed later, note the Application details (shown below) of the Windows application from the AuthX portal

Linux Machine Setup

  1. On the Linux machine, open a terminal and copy the following file:

    1. pam_authx_authenticator.so

    2. pam_authx_authenticator.so is the AuthX authentication module for the Linux operating system. It has to be copied to the /usr/lib/x86_64-linux-gnu/security/ directory.

  2. The AuthX configuration is stored in the /etc/authx_config.json file.
    The following is an example configuration (get the Application details from Windows Application Creation, Step 6, above):
    {
    "application_id":"XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX",
    "application_key":"XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX",
    "api_host_name":"XXXXXXXX",
    "api_server_url":"https://api-xxxxxxxx.authx.com/",
    "ad_suffix":"@certifyglobal.com",
    "domain_name":"CERTIFY",
    "public_ip":"13.82.99.189"
    }

    1. ad_suffix: Suffix for the AD user name. For example, for CERTIFY it is @certifyglobal.com

    2. domain_name: AD domain name. For CERTIFY, it is CERTIFY

    3. public_ip: Public facing IP of the Linux system.
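
A pre-flight check for /etc/authx_config.json, as an added example (not AuthX's own code): it rejects typographic quotes picked up when a configuration is pasted from a web page, validates the fields described above, and flags a file whose application_key is readable by non-root users. Treating every key in the example as required, and root-only access as sufficient for the PAM module, are assumptions.

```python
import ipaddress
import json
import os
import stat
from urllib.parse import urlparse

# Keys shown in the page's example; treating all of them as required is an assumption.
EXPECTED_KEYS = ("application_id", "application_key", "api_host_name",
                 "api_server_url", "ad_suffix", "domain_name", "public_ip")


def check_config_text(text):
    """Return a list of problems found in the JSON text of authx_config.json."""
    if any(q in text for q in "“”″"):
        return ["typographic quotes found: retype them as plain ASCII double quotes"]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(cfg, dict):
        return ["top-level value must be a JSON object"]
    problems = [f"missing or empty key: {k}" for k in EXPECTED_KEYS if not cfg.get(k)]
    url = urlparse(str(cfg.get("api_server_url", "")))
    if url.scheme != "https" or not url.hostname:
        problems.append("api_server_url must be an https:// URL")
    try:
        ipaddress.ip_address(str(cfg.get("public_ip", "")))
    except ValueError:
        problems.append("public_ip is not a valid IP address")
    return problems


def check_file_mode(st):
    """Flag ownership or mode that exposes application_key to non-root users."""
    problems = []
    if st.st_uid != 0:
        problems.append("file is not owned by root")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append("file is accessible by group/other: chmod 600")
    return problems


if __name__ == "__main__":
    path = "/etc/authx_config.json"
    try:
        with open(path, encoding="utf-8") as fh:
            issues = check_config_text(fh.read()) + check_file_mode(os.stat(path))
    except OSError as exc:
        issues = [f"cannot read {path}: {exc.strerror}"]
    print("\n".join(issues) or "OK")
```

Run it as root on the Linux machine after editing the file; it prints OK when nothing is flagged.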

Enabling AuthX PAM authenticator:

  1. Open an editor such as vi or nano and update the following files to enable the AuthX PAM authenticator.

    1. The /etc/pam.d/sshd file has to be modified to include the AuthX PAM authenticator module for SSH sessions:

        # Standard Un*x password updating.
        @include common-password
        auth required pam_authx_authenticator.so nullok
        auth required pam_permit.so

    2. The /etc/pam.d/xrdp-sesman file has to be modified to enable the AuthX PAM authenticator for XRDP (RDP) sessions:

        #%PAM-1.0
        #@include common-auth
        #@include common-account
        #@include common-session
        #@include common-password
        auth required pam_authx_authenticator.so forward_pass
        auth required pam_sss.so use_first_pass

Troubleshooting

  1. On the Linux machine, open a terminal and copy the file mentioned below:

    1. /var/log/auth.log contains any logging information from the AuthX authenticator module

Connecting user RDP

  1. From the Windows machine, connect to the Linux server

    1. Go to Windows Start & Run

    2. Open mstsc /v:<IP address>

    3. Remote connection initiated

    4. Enter your Username & password details

      1. In the password field, enter your Linux password followed by the OTP or the word push

        1. E.g., if the password is abcd1234 and the OTP is 171129, the user should enter "abcd1234171129" (OTP) or "abcd1234push" (Push)

    5. After a successful login, the user is redirected to the Linux desktop

Connecting user SSH

  1. From the Windows command prompt or Linux terminal, enter the following command

    1. ssh USERNAME@IPaddress

      1. E.g.: ssh test@test.com@10.8.1.8

    2. The user will be prompted for the password; enter the password for the Linux account

    3. The user will then be prompted for authentication with AuthX 2FA: OTP / Push / SMS

      1. Enter the OTP / Push / SMS; the user will be successfully authenticated and the SSH session will be initialized.
