Configuring Local Privileged Account for logging via Password

Local privileged account can have 2FA enabled which uses an SSH key or Password as the first factor and DID as the second factor. It sends a login request to the wallet to which the endpoint user credential have been shared Read more on how to assign endpoint user credential to a wallet, which when approved authenticates the user into an endpointRead more on Accepting Login request from wallet.

Local users can be configured for having password or SSH keys as the first factor coupled along with DID as the second factor.

Configuring AuthNull’s PAM Authenticator for logging in via Password

  1. Login into any VM and check out the pam.so file and did.sh script.

  2. Navigate to authentication-libpam and run the following commands (Note: Please make sure did.sh script is located under /path) or you can use the this github link to download pam authenticator.

     (a) ./bootstrap.sh
     (b) ./configure
     (c) make
     (d) sudo make install
    
  3. The above step would have generated pam_authenticator.so in this location /usr/local/lib/security/pam_authenticator.so

  4. For Password authentication, Please add the below lines to /etc/pam.d/common-auth

     auth required /usr/local/lib/security/pam_authenticator.so
     auth required pam_permit.so
    
  5. Now login to the VM using su

         su username
    

    i. Please enter the password for user.

    ii. 2nd factor authentication will be initiated → please check / var/log/auth.log

    iii. Once the authentication completes, the user can be logged in.

    iv. In case of failure, the authentication denies.