Install Login for Linux

This topic describes how to install Login for Linux.

Login for Linux is shipped as a self-extracting installation package. The installation process will copy required files to the appropriate directories and create the database with the default configuration.

  1. From the SecureAuth product downloads page, download the Login for Linux .run file.

  2. Ensure that you can execute the .run file.

    $ chmod +x SecureAuthLoginForLinux-21.04.00.run

  3. Add the config.json file to the same folder you copied the installer to.

  4. Open a terminal window then change directory to the path where you copied the installer and the config.json files.

  5. Login as root then run the installer.

    $ sudo ./SecureAuthLoginForLinux-21.04.00.run

  6. You can now configure the operating system for your organization: Debian, Ubuntu, or Red Hat Enterprise Linux.

Configurations for all Linux operating systems

This section describes configurations common to Debian, Ubuntu, and Red Hat Enterprise Linux.

  1. Backup each of the following files now because you will modify them in upcoming steps:

    • /etc/pam.d/ssh

    • /etc/pam.d/su

    • /etc/pam.d/sudo

    • /etc/ssh/sshd_config

  2. Integrate Login for Linux to SSH logins by editing the /etc/ssh/sshd_config SSH daemon configuration file:

    1. Enable the Pluggable Authentication Module (PAM).

      UsePAM yes

    2. Enable ChallengeResponseAuthentication so that it controls end user password authentication.

      ChallengeResponseAuthentication yes

    3. Disable PasswordAuthentication because end user password authentication is controlled by the ChallengeResponseAuthentication setting.

      PasswordAuthentication no

Debian and Ubuntu

The following configuration instructions were tested on Debian version 10 and Ubuntu version 20.04.

  1. Enable the PAM module.

    1. Open the /etc/pam.d/sshd file.

    2. Search for @include common-auth.

    3. Add the following line below it: 

      auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass

  2. Set up Password + 2FA authentication.

    Disable public key authentication because Login for Linux uses the keyboard-interactive scheme, which you will set in the next step.

    Open the /etc/ssh/sshd_config file and verify the following is set:

    ...
PubkeyAuthentication no
AuthenticationMethods keyboard-interactive
...

  3. Set up Public key + 2FA authentication.

    Disable password and ensure that publickey with keyboard-interactive is allowed.

    1. Open the /etc/ssh/sshd_config file and verify the following is set:

      ...
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
...

    2. Open the /etc/ssh/sshd_config file.

    3. Search for and comment out the line, @include common-auth like this: 

      ...
#@include common-auth
auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
...

  4. Set up Public key only and password + 2FA authentication.

    Ensure that publickey and password with keyboard-interactive are allowed.

    1. Open the /etc/ssh/sshd_config file and verify the following is set:

      ...
PubkeyAuthentication yes
AuthenticationMethods publickey keyboard-interactive
...

    2. Open the /etc/pam.d/sshd file.

    3. Search for @include common-auth, and verify the line is not commented out like this: 

      @include common-auth

    4. To apply the changes, restart the sshd service.

      $ sudo systemctl restart sshd

  5. Complete the su configuration.

    1. Enable the PAM module.

    2. Open the /etc/pam.d/su file.

    3. Search for @include common-auth, and add the following line below it:

      auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass

  6. Complete the sudo configuration.

    1. Enable the PAM module.

    2. Open the /etc/pam.d/sudo file.

    3. Search for @include common-auth, and add the following line below it:

      auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass

You have completed the Debian or Ubuntu configuration. If you want to customize Login for Linux features, like connection timeout, error messages, and more, see Configure Identity Platform and Login for Endpoints.

Red Hat Enterprise Linux

The following configuration instructions were tested on Red Hat Enterprise Linux version 8.

  1. Enable the PAM module.

    1. Open the /etc/pam.d/sshd file.

    2. Search for auth substack password-auth, and add the following line below it:

      auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass

  2. Set up Password + 2FA authentication.

    Disable public key authentication because Login for Linux uses the keyboard-interactive scheme, which you will set in the next step.

    Open the /etc/ssh/sshd_config file and verify the following is set:

    ...
PubkeyAuthentication no
AuthenticationMethods keyboard-interactive
...

  3. Set up Public key + 2FA authentication.

    Disable password and ensure that publickey with keyboard-interactive is allowed.

    1. Open the /etc/ssh/sshd_config file and verify the following is set:

      ...
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
...

    2. Open the /etc/pam.d/sshd file.

    3. Search for and comment out auth substack password-auth like this: 

      ...
#auth substack password-auth
auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
...

  4. Set up Public key only and password + 2FA authentication.

    Ensure that publickey and password with keyboard-interactive are allowed.

    1. Open the /etc/ssh/sshd_config file and verify the following is set:

      ...
PubkeyAuthentication yes
AuthenticationMethods publickey keyboard-interactive
...

    2. Open the /etc/pam.d/sshd file.

    3. Search for auth substack password-auth, and verify the line is not commented out like this:

      auth substack password-auth

    4. Apply the changes by restarting the sshd service.

      $ sudo systemctl restart sshd

  5. Complete the su configuration.

    1. Enable the PAM module.

    2. Open the /etc/pam.d/su file.

    3. Search for auth substack system-auth, and add the following line below it: 

      auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass

  6. Complete the sudo configuration.

    1. Enable and set up the PAM module.

    2. Open the /etc/pam.d/sudo file.

    3. Search for and replace auth include system-auth with auth substack system-auth.

    4. Add a new line below the line you changed like this:

      ...
auth    substack   system-auth
auth    required   /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
...

You have completed the Red Hat Enterprise Linux configuration. If you want to customize Login for Linux features, such as connection timeout, error messages, and more, see Configure Identity Platform and Login for Endpoints.

Uninstalling Login for Linux

The following instructions explain how to uninstall Login for Linux. You must first revert the changes you made in the configuration files and then you can run the uninstall command.

Log files are not uninstalled; use them for troubleshooting any issues with the uninstallation. After you have worked through any issues, you can delete the log files.

  1. Revert the changes by using the backups that you saved in Step 1 of Configurations for all Linux operating systems.

    If the uninstaller detects that the configuration files still reference the Login for Linux PAM module, the uninstall process fails.

  2. Run the uninstaller.

    $ sudo ./SecureAuthLoginForLinux-21.04.00.run -- uninstall
In this section: