Skip to main content

Install Login for Linux

Updated December 23, 2022

This topic describes how to install Login for Linux product on several versions of Linux.

Login for Linux is shipped as a self-extracting installation package. The installation process will copy required files to the appropriate directories and create the database with the default configuration.

  1. From the SecureAuth product downloads page, download the Login for Linux .run file.

  2. Ensure that you can execute the .run file.

    $ chmod +x SecureAuthLoginForLinux-22.12.00.run
  3. Add the config.json file to the same folder to which you copied the installer.

  4. Open a terminal window then change the directory to the path where you copied the installer and the config.json files.

  5. Login as root then run the installer.

    $ sudo ./SecureAuthLoginForLinux-22.12.00.run
  6. You can now configure the version of the Linux operating system appropriate for your organization: Debian, Ubuntu, or Red Hat Enterprise Linux.

Linux operating system versions configuration

The following subsections describe how to enable SecureAuth Pluggable Authentication Module (PAM) on the supported Linux distributions for Red Hat Enterprise Linux, Debian, and Ubuntu.

Caution

We recommend that you leave another root shell while setting up this configuration in the Linux operating system. This prevents administrator lockouts before completing system testing.

The installer will automatically back up the following files:

  • /etc/pam.d/sshd

  • /etc/pam.d/su

  • /etc/pam.d/sudo

  • /etc/ssh/sshd_config

If you make your own backups, the preceding four files are the ones modified in the following configuration steps.

Red Hat Enterprise Linux (RHEL)

The following configuration instructions were tested on Red Hat Enterprise Linux versions 8 and 9.

We'll cover the following configurations:

  • ssh connections

  • su authentication

  • sudo authentication

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/sshd file.

  2. Search for auth substack password-auth. Then, add the following line below it:

    auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
  3. To integrate Login for Linux into SSH logins, edit the /etc/ssh/sshd_config SSH daemon configuration file.

  4. Next, to enable PAM, add the following key:

    UsePAM yes

    Select the SSH authentication method you require from the following configuration options:

  5. Apply the changes by restarting the sshd service using this command:

    $ sudo systemctl restart sshd
  6. Test your configuration by running an ssh connection to the server where you just set up Login for Linux.

    A successful ssh configuration test should look like this example:

    login_for_linux_ssh_test_example_new.png

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/su file.

  2. Search for auth substack system-auth. Then, add the following line below it:

    auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
    
  3. Test your configuration by running a su connection to the server where you just set up Login for Linux.

    A successful su configuration test should look like this example:

    login_for_linux_su_test_example_new.png

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/sudo file.

  2. Search for the following line:

    auth include system-auth
    
  3. Replace it with this line:

    auth   substack     system-auth
    
  4. Below the line you just changed, add this new line, auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass. Like this example:

    ...
    auth   substack     system-auth
    auth   required     /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
    ...
    
  5. Test your configuration by running a sudo connection test to the server where you just set up Login for Linux.

    A successful sudo configuration test should look like this example:

    login_for_linux_sudo_test_example_new.png

You have completed the Red Hat Enterprise Linux configuration. If you need to customize Login for Linux features - such as connection timeout and error messages - see Configure Identity Platform and Login for Endpoints.

Debian and Ubuntu

The following configuration instructions were tested on Debian version 10 and Ubuntu versions 20.04 and 22.04.

We'll cover the following configurations:

  • ssh connections

  • su authentication

  • sudo authentication

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/sshd file.

  2. Search for the line @include common-auth.

  3. Add the following line below it:

    auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
  4. To integrate Login for Linux into SSH logins, edit the /etc/ssh/sshd_config SSH daemon configuration file.

  5. Next, to enable PAM, add the following key:

    UsePAM yes
    

    Select the SSH authentication method you require from the following configuration options:

  6. Apply the changes by restarting the sshd service using this command:

    $ sudo systemctl restart sshd
  7. Test your configuration by running an ssh connection to the server where you just set up Login for Linux.

    A successful ssh configuration test should look like this example:

    login_for_linux_ssh_test_2.png

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/su file.

  2. Search for @include common-auth. Then, add the following line below it:

    auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
    
  3. Test your configuration by running a su connection to the server where you just set up Login for Linux.

    A successful su configuration test should look like this example:

    login_for_linux_su_test_2.png

Do the following on a sudo shell.

  1. To enable the Pluggable Authentication Module (PAM), open the /etc/pam.d/sudo file.

  2. Search for @include common-auth. Then, add the following line below it:

    auth required /usr/local/lib/pam/pam_sa_authenticator.so try_first_pass
    
  3. Test your configuration by running a sudo connection test to the server where you just set up Login for Linux.

    A successful sudo configuration test should look like this example:

    login_for_linux_sudo_test_2.png

You have completed the Debian or Ubuntu configuration. If you want to customize Login for Linux features, such as connection timeout and error messages, see Configure Identity Platform and Login for Endpoints.

Uninstalling Login for Linux

The following instructions explain how to uninstall Login for Linux. You must first revert the changes you made in the configuration files and then you can run the uninstall command.

Log files are not uninstalled; use them for troubleshooting any issues with the uninstallation. After you have worked through any issues, you can delete the log files.

  1. Revert the changes by using the backups that you saved in Step 1 of Linux operating system versions configuration.

    If the uninstaller detects that the configuration files still reference the Login for Linux PAM module, the uninstall process fails.

  2. Run the uninstaller using this command:

    $ sudo ./SecureAuthLoginForLinux-22.06.00.run -- uninstall