Local Privileged Account 2FA

A local privileged account can have 2FA enabled, using an SSH key or a password as the first factor and DID as the second factor. A login request is sent to the wallet with which the endpoint user credential has been shared (read more on how to assign an endpoint user credential to a wallet); once the request is approved, the user is authenticated into the endpoint (read more on accepting a login request from a wallet).

Local users can be configured to use a password or SSH keys as the first factor, coupled with DID as the second factor.

Configuring a Local Privileged Account for Login via SSH Keys

Generating Keys for SSH login

  1. Generate a key pair with the ssh-keygen command:

     ssh-keygen

  2. To copy the public key to the target host, use the command below (the public key is piped over ssh and appended to the remote authorized_keys file):

     cat ~/.ssh/id_rsa.pub | ssh username@ipaddress "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Configuring AuthNull PAM Authenticator for SSH Login

  1. Log in to the VM and check out the pam_authenticator.so file and the did.sh script from this GitHub link.

  2. Move the pam_authenticator.so file to the /usr/local/lib/security path (if the “security” folder does not exist, create it), and move did.sh to the / path (root path), setting the right permissions if required.

  3. Add the lines below at the end of the /etc/pam.d/sshd file, and comment out the @include common-auth line so that /etc/pam.d/common-auth is excluded:

         auth required /usr/local/lib/security/pam_authenticator.so debug nullok
         auth required pam_permit.so
         #@include common-auth
    
  4. For SSH Key authentication:

    Add the lines below at the end of the sshd_config file (path: /etc/ssh/sshd_config):

     AuthenticationMethods publickey,keyboard-interactive
     KbdInteractiveAuthentication yes
    
  5. Please restart the ssh service

     sudo systemctl restart sshd
    
  6. Now log in to the VM using ssh:

     ssh username@ipaddress
    

    a. Enter the passphrase for the private key (make sure the public key is placed in $HOME/.ssh/authorized_keys on the VM).

    b. The passwordless second-factor authentication is then initiated. Check the logs in /var/log/auth.log (Ubuntu-based) or /var/log/secure (CentOS-based).

  7. The following issues may be reported in the logs while running the .so file:

    a. PAM (header) not found

       1. On CentOS and RHEL-based VMs, install the pam-devel package:

          sudo yum install pam-devel

       2. On Debian/Ubuntu-based virtual machines, install libpam0g-dev:

          sudo apt-get install libpam0g-dev

    b. Autoconf not installed/found

       On Debian/Ubuntu, install the build dependencies:

          apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev
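A pre-flight check for the two build problems listed in step 7, added here as example shell code that is not part of the AuthNull documentation or project. It assumes that the PAM development header lives at /usr/include/security/pam_appl.h (the file pam-devel and libpam0g-dev install) and reads the ID field of /etc/os-release to decide which of the install commands above to print; the function names and the path parameters are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AuthNull documentation: a pre-flight check
# for the two build problems in step 7 (missing PAM header, missing autoconf).
# Paths default to the real system locations but are parameters so the
# functions can be exercised against constructed files.

# The install command this page gives for each distribution family, keyed by
# the ID field of /etc/os-release. Returns 1 for families the page does not cover.
install_hint() {
    case "$1" in
        debian|ubuntu) echo "sudo apt-get install libpam0g-dev" ;;
        centos|rhel)   echo "sudo yum install pam-devel" ;;
        *)             return 1 ;;
    esac
}

# Read ID= from an os-release file inside a subshell so nothing leaks into
# the caller's variables.
os_id() {
    ( . "${1:-/etc/os-release}" && echo "${ID:-unknown}" )
}

# The header the PAM module build needs; pam-devel / libpam0g-dev provide it.
have_pam_header() {
    [ -f "${1:-/usr/include}/security/pam_appl.h" ]
}

have_autoconf() {
    command -v autoconf >/dev/null 2>&1
}

# Run every check and print what to install. Returns 1 if anything is missing.
preflight() {
    include_root="${1:-/usr/include}"
    release_file="${2:-/etc/os-release}"
    status=0
    if have_pam_header "$include_root"; then
        echo "ok: security/pam_appl.h found"
    else
        hint=$(install_hint "$(os_id "$release_file")" \
               || echo "install your distribution's PAM development package")
        echo "missing: security/pam_appl.h -> $hint"
        status=1
    fi
    if have_autoconf; then
        echo "ok: autoconf found"
    else
        echo "missing: autoconf -> apt-get install autoconf automake gdb git libffi-dev zlib1g-dev libssl-dev (Debian/Ubuntu)"
        status=1
    fi
    return $status
}

# Run the checks against the real system when executed directly.
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

Run it with the argument check before building the module; a non-zero exit means at least one prerequisite from step 7 is still missing.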
    

    Note: To exempt a user group from AuthNull’s custom PAM authentication, add the line below to /etc/pam.d/sshd (users in group group_name will then be able to log in without the MFA PAM module):

     auth [success=done default=ignore] pam_succeed_if.so user ingroup group_name
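The PAM and sshd changes from steps 3 to 5 of the SSH-key procedure, together with the group exemption from the note above, as an added shell script that is not AuthNull's own tooling and is not part of this page. It assumes the file paths given on this page (overridable through the PAM_SSHD, SSHD_CONFIG, PAM_MODULE and EXEMPT_GROUP environment variables, which are this example's own), applies every line idempotently so it can be re-run, and adds two checks the steps do not mention: it refuses to write an auth required entry for a module file that is not installed, since that would fail every SSH login including the administrator's, and it runs sshd -t before restarting the service. The exemption line is inserted above the authenticator line, because PAM evaluates the stack top-down and success=done ends it at that point; appended below the authenticator it would only run after the second factor had already been demanded.

```shell
#!/bin/sh
# Added example, not AuthNull's own tooling: applies steps 3 to 5 of this page
# and the group exemption from the closing note, idempotently, with two
# safety checks the steps do not mention. Run as root with the argument
# "apply"; without it only the functions are defined (useful for testing).
set -eu

# Defaults are the paths given on this page; the variable names are this
# example's own, so tests can point them at scratch copies.
PAM_SSHD="${PAM_SSHD:-/etc/pam.d/sshd}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
PAM_MODULE="${PAM_MODULE:-/usr/local/lib/security/pam_authenticator.so}"
EXEMPT_GROUP="${EXEMPT_GROUP:-}"   # optional: group that skips the second factor

# Append a line only if that exact line is absent, so re-runs never stack
# duplicate PAM or sshd directives.
append_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Step 3: comment out "@include common-auth" and add the authenticator stack.
configure_pam() {
    pam_file="$1"; module="$2"
    # An "auth required" entry for a .so that is not installed fails every
    # SSH login, the administrator's included, so refuse to write it.
    if [ ! -f "$module" ]; then
        echo "error: $module not found; finish step 2 first" >&2
        return 1
    fi
    sed -i 's|^@include common-auth|#@include common-auth|' "$pam_file"
    append_once "$pam_file" "auth required $module debug nullok"
    append_once "$pam_file" "auth required pam_permit.so"
}

# Closing note of this page: let members of GROUP log in without the second
# factor. PAM evaluates the stack top-down and success=done ends it on the
# spot, so the line is inserted ABOVE the authenticator; appended below it,
# it would run only after the second factor had already been demanded.
exempt_group() {
    pam_file="$1"; module="$2"; group="$3"
    line="auth [success=done default=ignore] pam_succeed_if.so user ingroup $group"
    if ! grep -qxF -- "$line" "$pam_file"; then
        awk -v ins="$line" -v mod="$module" '
            !placed && index($0, mod) { print ins; placed = 1 }
            { print }
        ' "$pam_file" > "$pam_file.tmp" && mv "$pam_file.tmp" "$pam_file"
    fi
}

# Step 4: require public key AND keyboard-interactive, which is how the PAM
# conversation reaches the authenticator module.
configure_sshd() {
    cfg="$1"
    append_once "$cfg" "AuthenticationMethods publickey,keyboard-interactive"
    append_once "$cfg" "KbdInteractiveAuthentication yes"
    # keyboard-interactive is only routed through PAM when UsePAM is on.
    grep -qiE '^[[:space:]]*UsePAM[[:space:]]+yes' "$cfg" \
        || echo "warning: UsePAM yes is not set in $cfg; the second factor will not run" >&2
}

# Step 5: validate the configuration before restarting, so a typo cannot
# leave the host without a working sshd.
restart_sshd() {
    sudo sshd -t -f "$1"
    sudo systemctl restart sshd
}

main() {
    configure_pam "$PAM_SSHD" "$PAM_MODULE"
    if [ -n "$EXEMPT_GROUP" ]; then
        exempt_group "$PAM_SSHD" "$PAM_MODULE" "$EXEMPT_GROUP"
    fi
    configure_sshd "$SSHD_CONFIG"
    restart_sshd "$SSHD_CONFIG"
}

if [ "${1:-}" = "apply" ]; then
    main
fi
```

Keep a second SSH session open while applying this, and log in fresh from a third terminal only after the restart succeeds; the sshd -t check catches syntax errors but not a module that loads and then rejects every user.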