Configuration Options for Linux and UNIX Computers
After you have completed the basic steps to enable multi-factor authentication, you might want to customize the configuration to suit your environment or to address specific scenarios. For example, you might want to enable group policies or set configuration parameters if you want to modify the default multi-factor authentication operations.
For more information on setting group policies for multi-factor authentication, please see the Group Policy Guide. For information on setting configuration parameters, see the Configuration and Tuning Reference Guide.
The next sections discuss the most common customization scenarios.
Add Rescue Rights
You should have at least one role with the “rescue” system right for the UNIX and Linux computers in hierarchical zones where you require multi-factor authentication. This system right enables selected users to log in when multi-factor authentication cannot be completed. For example, if a UNIX computer that requires multi-factor authentication is disconnected from the network and cannot reach the Delinea Platform, only users with the “rescue” right can log in until the connection to the identity platform is restored.
Configuring Secure Shell (ssh) for Multi-Factor Authentication
If you are planning to require multi-factor authentication for secure shell (ssh) sessions and you want to use a native secure shell package, you should review the settings in the secure shell configuration file (sshd_config) to be sure that the ChallengeResponseAuthentication option is set to yes.
You can edit the file manually or enable the “Allow challenge-response authentication” group policy to automatically configure this setting. You can find this group policy in the Group Policy Management Editor under Computer Configuration > Policies > Delinea Settings > SSH Settings. For more information about adding, enabling, and applying Delinea group policies and the other group policies you can use for secure shell sessions, see the Group Policy Guide.
Enforcing Multi-Factor Authentication for Single Sign-on Login Access
If you use the Delinea OpenSSH package, you can require multi-factor authentication for secure shell connections even for single sign-on access to remote computers. In this scenario, users must respond to the authentication challenges to open the secure shell connection and are then silently authenticated to additional services and computers. Note that this scenario is supported only with the Delinea version of the OpenSSH package; it is not supported for native secure shell packages. To enable multi-factor authentication for single sign-on using secure shell sessions, you must enable and apply the Enable SSO MFA group policy. You can find this group policy in the Group Policy Management Editor under Computer Configuration > Policies > Delinea Settings > SSH Settings. For more information about adding, enabling, and applying Delinea group policies and the other group policies you can use for secure shell sessions, see the Group Policy Guide.
If you are not enabling and applying group policies for Delinea-managed computers, you can manually enforce multi-factor authentication for single sign-on by setting the secure shell configuration parameter SSOMFA to yes in the /etc/centrifydc/sshd/sshd_config file.
If you enable the group policy or set the parameter and auditing is set to required, users who access a Delinea-managed computer using ssh or PuTTY are prompted to respond to the multi-factor authentication challenges before starting the shell session. Securing the shell session with multi-factor authentication prevents unauthorized users from using the secure shell session to connect to remote services and computers.
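The two secure shell settings above (ChallengeResponseAuthentication in the native sshd_config and SSOMFA in /etc/centrifydc/sshd/sshd_config) are easy to get wrong because sshd honours only the first occurrence of a keyword and ignores commented-out lines. The following script is an added example, not part of the Delinea documentation or product: it reports the effective value of both keywords in a given file, using the OpenSSH sshd_config(5) parsing rules (case-insensitive keywords, `#` comments, `Keyword value` or `Keyword=value`, first occurrence wins). It assumes the Delinea OpenSSH file follows the same rules, and it does not handle Match blocks. The sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the Delinea documentation or product.
# Reports the effective value of MFA-relevant keywords in an sshd_config-style file.
# Format assumptions (documented for OpenSSH in sshd_config(5); assumed here to also
# hold for the Delinea OpenSSH file /etc/centrifydc/sshd/sshd_config):
#   - keywords are case-insensitive
#   - '#' starts a comment
#   - "Keyword value" and "Keyword=value" are both accepted
#   - the FIRST occurrence of a keyword wins; later duplicates are ignored
# Match blocks are not handled: a keyword whose first occurrence is inside a
# Match block is reported as if it were global.

# Print the effective value of KEY in FILE (prints nothing if the keyword is not set).
sshd_effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    file=$2
    # drop comments, leading whitespace, and the optional '=' separator, then take the first match
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/=/ /' "$file" |
        awk -v want="$key" 'NF >= 2 && tolower($1) == want { print $2; exit }'
}

# Succeed (exit 0) only if KEY in FILE is effectively "yes".
sshd_option_is_yes() {
    val=$(sshd_effective_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$val" = "yes" ]
}

# Print one line per MFA-relevant keyword, with "<unset>" where nothing is configured.
report_mfa_ssh_settings() {
    file=$1
    for key in ChallengeResponseAuthentication SSOMFA; do
        val=$(sshd_effective_value "$key" "$file")
        printf '%-32s %s\n' "$key" "${val:-<unset>}"
    done
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample: a native sshd_config on which MFA challenges will fail.
# The commented-out line must be ignored, and the later lowercase duplicate
# must NOT override the first (effective) setting.
cat > "$SAMPLE_DIR/sshd_config.weak" <<'EOF'
# ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
challengeresponseauthentication yes
UsePAM yes
EOF

# Constructed sample: the same file after the fix, written in the "Keyword=value" form.
cat > "$SAMPLE_DIR/sshd_config.fixed" <<'EOF'
ChallengeResponseAuthentication=yes
UsePAM yes
EOF

# Constructed sample: a Delinea OpenSSH configuration that also enforces MFA before SSO.
cat > "$SAMPLE_DIR/delinea_sshd_config" <<'EOF'
    SSOMFA yes
ChallengeResponseAuthentication yes
EOF

for f in sshd_config.weak sshd_config.fixed delinea_sshd_config; do
    echo "== $f"
    report_mfa_ssh_settings "$SAMPLE_DIR/$f"
done
```

Run it as a pre-flight check before rolling a role with multi-factor authentication required to a host; a `no` or `<unset>` for ChallengeResponseAuthentication on a native sshd means the challenge prompts cannot be delivered, and for the single sign-on scenario SSOMFA must read `yes` in the Delinea file, not the native one.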
Require Multi-Factor Authentication for PAM Applications
If you select the “Multi-factor authentication required” system right in a role definition, the PAM applications you add to the role will require users to provide a secondary form of authentication to log in successfully. You define the forms of authentication available and presented to the user in the authentication profile you have configured in the Privileged Access Service using the administrative portal.
Note that some applications do not support multi-factor authentication and users might be denied access to applications that they would otherwise be able to use. For example, if a specific version of an application that you want to use only supports a single layer of authentication—such as a password challenge—users would be prevented from logging on and using the service even if they are assigned to a role with the predefined login-all PAM application right.
If you want to grant access to applications that only support one layer of authentication in roles where you are generally using the “Multi-factor authentication required” system right, you must add those applications to the list of applications for which you want to skip multi-factor authentication. You can update the list of applications for which to skip multi-factor authentication by enabling and modifying the “Specify programs for which multi-factor authentication is ignored” group policy or setting the pam.mfa.program.ignore configuration parameter in the centrifydc.conf file.
Before assigning roles with multi-factor authentication required to users, you should test access to all of the applications you expect users to access to verify they won’t be unexpectedly denied access simply because multi-factor authentication isn’t supported. Because the applications that don’t support multi-factor authentication will depend on the platforms and the versions of the applications you plan to support, testing in your own environment is the only way to determine which applications to add to the pam.mfa.program.ignore configuration parameter.
The most common applications that are known to only support a single password challenge and response for authentication are ignored for multi-factor authentication by default. For example, some versions of vsftpd, java, and httpd do not support multi-factor authentication and are ignored by default.
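Because the set of applications that cannot complete a second factor is discovered by testing in your own environment, the pam.mfa.program.ignore list tends to be edited repeatedly. The following script is an added example, not part of the Delinea documentation or product: it reads the current value of pam.mfa.program.ignore from a centrifydc.conf-style file, checks whether a given program is already covered, and builds a merged line that adds the applications that failed testing without duplicating existing entries. It assumes (the page does not state this) that centrifydc.conf uses `parameter: value` lines with `#` comments and that the value is a list of program names separated by spaces and/or commas; confirm the syntax in the Configuration and Tuning Reference Guide before editing a real file. The sample configuration and the test results are constructed, and `legacy-ftpd` is a placeholder name.

```shell
#!/bin/sh
# Added example, not part of the Delinea documentation or product.
# Builds an updated pam.mfa.program.ignore value for centrifydc.conf from the
# applications that failed your own MFA testing.
# Assumptions (not stated on the page): "parameter: value" lines, '#' comments,
# and a value that is a list of program names separated by spaces and/or commas.

CONF_KEY=pam.mfa.program.ignore

# Print the current value of KEY in FILE (prints nothing if unset or commented out).
conf_get() {
    key=$1; file=$2
    sed -e 's/#.*//' "$file" |
        awk -F: -v want="$key" '
            { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
            k == want {
                v = substr($0, index($0, ":") + 1)   # keep any ':' inside the value
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }'
}

# Split lists on spaces and/or commas to one name per line; drop duplicates, keep order.
normalise_list() {
    printf '%s\n' "$@" | tr ', ' '\n\n' | awk 'NF && !seen[$0]++'
}

# Print the merged list: existing entries first, then new ones not already present.
merge_ignore_list() {
    current=$1; shift
    normalise_list "$current" "$@" | tr '\n' ' ' | sed 's/ $//'
}

# Succeed (exit 0) if PROGRAM is already in the ignore list of FILE.
program_is_ignored() {
    prog=$1; file=$2
    conf_get "$CONF_KEY" "$file" | tr ', ' '\n\n' | grep -qx -- "$prog"
}

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT

# Constructed sample fragment of centrifydc.conf, deliberately mixing both separators.
cat > "$SAMPLE_CONF" <<'EOF'
# Programs known to support only a single password challenge
pam.mfa.program.ignore: vsftpd, java httpd
EOF

# Constructed outcome of testing: these programs denied login once MFA was required.
# httpd is already listed (must not be duplicated); legacy-ftpd is a placeholder name.
CURRENT=$(conf_get "$CONF_KEY" "$SAMPLE_CONF")
echo "current:  $CONF_KEY: $CURRENT"
echo "proposed: $CONF_KEY: $(merge_ignore_list "$CURRENT" httpd legacy-ftpd)"
```

Treat the proposed line as input to a reviewed change rather than writing it back automatically: every entry on the list is a program for which the second factor is skipped, so the list should stay as short as your test results justify.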
Additionally, while some platforms support multi-factor authentication for all PAM applications, they may not allow you to require multi-factor authentication for GUI login. For example, for users running AIX, Solaris, and HP-UX, multi-factor authentication for GUI login is not supported.
Configure Multi-Factor Authentication in Legacy Zones
If you want to configure multi-factor authentication for UNIX and Linux computers in classic zones or in Auto Zone, you must follow different steps than in hierarchical zones. For multi-factor authentication on computers in the “legacy” types of zones, you must either enable and apply group policies or set configuration parameters.
You can find these group policies in the Group Policy Management Editor under Computer Configuration > Policies > Delinea Settings > DirectControl Settings > MFA Settings. For more information about adding, enabling, and applying Delinea group policies, see the Group Policy Guide. For more information about setting configuration parameters, see the Configuration and Tuning Reference Guide.