Overview
AuthX integrates with the Linux SSH and XRDP logon process to add two-factor authentication (2FA) to SSH and RDP login sessions.
System Requirements
AuthX Authentication for SSH & XRDP on Linux machines supports the following client and server operating systems:
- Ubuntu 20.04
AuthX Factor Support
AuthX for SSH & XRDP on Linux machines supports these factor types for 2FA:
- Push
- One-Time Password (OTP)
- Phone SMS and Call (SSH only)
Windows Application Creation
Prerequisites – Make sure there is an active user in the company before adding an application; otherwise you will get an error.
1. Sign up for an AuthX account here: https://admin.authx.com/signup
2. Navigate to the Applications tab.
3. Click Protect Application and select Protect for Windows.
4. Provide the Application Name, Description, and Policies.
5. Save the application.
6. If further configuration is needed later, note the Application details (shown below) of the Windows application from the AuthX portal.
Linux Machine Setup
- On the Linux machine, open a terminal and copy the file mentioned below:
  - pam_authx_authenticator.so
  - pam_authx_authenticator.so is the AuthX authentication module for the Linux operating system. It has to be copied to the /usr/lib/x86_64-linux-gnu/security/ directory.
- The AuthX configuration has to be done in the /etc/authx_config.json file. The following is an example configuration (get the Application details from Windows Application Creation above → Step 6):

    {
      "application_id": "XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX",
      "application_key": "XXXXXXXX-XXX-XXXX-XXXX-XXXXXXXXXXXX",
      "api_host_name": "XXXXXXXX",
      "api_server_url": "https://api-xxxxxxxx.authx.com/",
      "ad_suffix": "@certifyglobal.com",
      "domain_name": "CERTIFY",
      "public_ip": "13.82.99.189"
    }

  - ad_suffix: Suffix for the AD user name. For example, for CERTIFY it is @certifyglobal.com
  - domain_name: AD domain name. For CERTIFY, it is CERTIFY
  - public_ip: Public-facing IP of the Linux system.
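
A pre-flight check for /etc/authx_config.json, added here as an example (it is not AuthX code): it reports typographic quotes picked up when the configuration is copied from a web page, missing keys, malformed values, and loose file permissions. Treating all seven keys as required, the owner-only file mode, the '@' prefix check, and the helper names check_authx_config and write_sample are assumptions of this example.

```python
import ipaddress, json, os, stat, tempfile
from urllib.parse import urlparse

# Keys from the example config on this page; treating all as required is an assumption.
REQUIRED_KEYS = ("application_id", "application_key", "api_host_name",
                 "api_server_url", "ad_suffix", "domain_name", "public_ip")
TYPOGRAPHIC = "\u201c\u201d\u2033"  # curly quotes and double prime from copy-paste

def check_authx_config(path):
    """Return a list of problems in an AuthX config file; an empty list means none found."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # assumption: the file holds application_key, so owner-only access
        problems.append(f"mode {mode:04o} is readable or writable by group/others")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if any(ch in text for ch in TYPOGRAPHIC):
        problems.append("typographic quotes found; JSON needs plain double quotes")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return problems + ["top-level JSON value is not an object"]
    problems += [f"missing key: {k}" for k in REQUIRED_KEYS if k not in cfg]
    url = urlparse(str(cfg.get("api_server_url", "")))
    if url.scheme != "https" or not url.hostname:
        problems.append("api_server_url is not an https:// URL")
    if not str(cfg.get("ad_suffix", "")).startswith("@"):  # assumption from the page's example
        problems.append("ad_suffix does not start with '@'")
    try:
        ipaddress.ip_address(str(cfg.get("public_ip", "")))
    except ValueError:
        problems.append("public_ip is not a valid IP address")
    return problems

def write_sample(text, mode):
    """Write constructed sample text to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: a config pasted with curly quotes and left world-readable.
    pasted = "{\u201cpublic_ip\u201d:\u201d203.0.113.10\u2033}"
    print(check_authx_config(write_sample(pasted, 0o644)))
```

Run the check against the real file as root after editing it, for example by calling check_authx_config("/etc/authx_config.json").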
- Enabling the AuthX PAM authenticator:
  - Open an editor such as vi or nano and update the following file to enable the AuthX PAM authenticator.
  - The /etc/pam.d/sshd file has to be modified to include the AuthX PAM authenticator module for SSH sessions:

    # Standard Un*x password updating.
    @include common-password
    auth required pam_authx_authenticator.so nullok
    auth required pam_permit.so

- Update the following file to enable the AuthX PAM authenticator for XRDP sessions:
  - The /etc/pam.d/xrdp-sesman file has to be modified for AuthX support in RDP sessions:

    #%PAM-1.0
    #@include common-auth
    #@include common-account
    #@include common-session
    #@include common-password
    auth required pam_authx_authenticator.so forward_pass
    auth required pam_sss.so use_first_pass

Troubleshooting
- On the Linux machine, open a terminal and copy the file mentioned below:
- /var/log/auth.log will contain any logging information from the AuthX authenticator module.
Connecting user RDP
- From the Windows machine, connect to the Linux server:
  - Go to Windows Start & Run
  - Open mstsc /v:<IP address>
  - The remote connection is initiated
- Enter your username and password details:
  - In the password field, enter your Linux password followed by OTP / Push
  - E.g.: if the password is abcd1234 and the OTP is 171129, the user should enter "abcd1234171129" (OTP) or "abcd1234push" (Push)
- After the successful login, the user will be redirected to the Linux desktop.
Connecting user SSH
- From the Windows command prompt or a Linux terminal, enter the following command:
  - ssh USERNAME@IPaddress
  - E.g.: ssh test@test.com@10.8.1.8
- The user will be prompted for the password; enter the password for the Linux account.
- The user will then be prompted for authentication with AuthX 2FA – OTP / Push / SMS.
- Enter the OTP / Push / SMS; the user will be successfully authenticated and the SSH session will be initialized.