Product Documentation

To require a specific Security Key for MFA when authenticating to the strongauth account, the Security Key(s) belonging to the Administrator(s) must be registered for the strongauth account.

This task must be performed by the Linux strongauth account on the Tellaro appliance.


Requiring a Security Key to authenticate to the strongauth account

  1. Log in to the Tellaro appliance as the strongauth user and open a Terminal window.

  2. The following command generates a FIDO key on the Security Key that is inserted into the appliance. It prompts for a PIN if one has previously been configured. The key is generated for the strongauth user and the RPID strongkey.com (replace this with the relevant RPID) and can be used for the entire cluster.

    shell> pamu2fcfg -v -o strongkey.com -i strongkey.com -u strongauth
    (Sample output of this command is shown in step 3.)
  3. Copy the result that gets printed out into the console to the clipboard. It should look like this:

    strongauth:jRr8NqsS/2h2hKwnlGUXjoBPKb166hVg21NkO1P+r4cpnILkABBoO0d+f83VcSwCcOT/iqOe3rv4fwsPQ/9+OQ==,iy4aAob84KPMn811usgUcZLsn/MXXEtocLsOpLwBgRhxHJXw24+M9f4bAeGBQ097mGtAKz0vqfzQoOQqsg5r5A==,es256,+presence
  4. In a second terminal, su into the root user.

    shell> su -
    
  5. Create a file to save all the registered FIDO Keys. Paste the result from step 3 into the newly created fido-keys file.

    shell> mkdir /etc/strongkey
    shell> cd /etc/strongkey
    shell> vi fido-keys
    
  6. To add additional Security Keys, remove the current Security Key from the machine and plug in a different one. Repeat steps 2 and 3 and paste the result of step 3 at the end of the fido-keys file. Remove the username at the beginning of each additional key (i.e., “strongauth”) so that each new key is separated from the previous one only by a colon ':'.

    Example of the fido-keys file after adding multiple keys:

    Notice that the content of the file is one long string with no line breaks. The end of each key is indicated by the string “+presence”, and the colon ‘:’ afterwards indicates the beginning of a new key.
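    The following added example (illustrative Python, not a StrongKey tool) merges several pamu2fcfg output lines into the single-line fido-keys format described in steps 3 to 6, and parses a fido-keys line back into its fields so an administrator can sanity-check the file before touching PAM. The key material in it is constructed sample data, not real credentials.

```python
# Added example: build and check the fido-keys file format from this page.
# Each pamu2fcfg line looks like "user:keyhandle,pubkey,es256,+presence".
# The username is kept once; every further key is appended after ':'.

def merge_pamu2fcfg_lines(lines):
    """Combine pamu2fcfg output lines for one user into one fido-keys line."""
    user = None
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        name, _, entry = line.partition(":")
        if user is None:
            user = name
        elif name != user:
            raise ValueError(f"key for {name!r} does not belong to {user!r}")
        entries.append(entry)
    if not entries:
        raise ValueError("no keys to merge")
    return user + ":" + ":".join(entries)

def parse_fido_keys(content):
    """Return (user, [(keyhandle, pubkey, alg, flags), ...]) for a fido-keys line.
    Rejects line breaks and entries that do not have four fields ending in +presence."""
    if "\n" in content.strip():
        raise ValueError("fido-keys must be a single line with no line breaks")
    user, _, rest = content.strip().partition(":")
    parsed = []
    for entry in rest.split(":"):
        fields = entry.split(",")
        if len(fields) != 4 or fields[3] != "+presence":
            raise ValueError(f"malformed key entry: {entry!r}")
        parsed.append(tuple(fields))
    return user, parsed

# Constructed sample output of two pamu2fcfg runs (step 2 repeated per key).
SAMPLE_LINES = [
    "strongauth:KEYHANDLE1AAAA,PUBKEY1BBBB,es256,+presence",
    "strongauth:KEYHANDLE2CCCC,PUBKEY2DDDD,es256,+presence",
]

if __name__ == "__main__":
    merged = merge_pamu2fcfg_lines(SAMPLE_LINES)
    print(merged)
    print(parse_fido_keys(merged))
```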

  7. Configure PAM to enable the use of Security Keys. There are three files that can be modified, depending on the use case.

    1. /etc/pam.d/sudo – To enable the use of FIDO keys for all sudo commands run by the strongauth user.

    2. /etc/pam.d/login – To enable the use of FIDO keys for console login in run level 3.

    3. /etc/pam.d/gdm-password – To enable the use of FIDO keys for graphical console login (run level 5).

  8. Configure FIDO login for sudo access by making the following modifications to the /etc/pam.d/sudo file.

    Replace the following line:
    auth       include      system-auth
    
    with the following block (replace the strongkey.com origin with the relevant value):
    #auth       include                     system-auth
    auth        required                    pam_env.so
    auth        required                    pam_faildelay.so delay=2000000
    auth        [success=1 default=ignore]  pam_succeed_if.so user ingroup mfausers
    auth        sufficient                  pam_unix.so nullok try_first_pass
    auth        [success=2 default=ignore]  pam_succeed_if.so user notingroup mfausers
    auth        requisite                   pam_unix.so nullok try_first_pass
    auth        sufficient                  pam_u2f.so  authfile=/etc/strongkey/fido-keys debug debug_file=/var/log/pamfido.log cue pinverification=1 origin=strongkey.com
    auth        requisite                   pam_succeed_if.so uid >= 1000 quiet_success
    auth        required                    pam_deny.so
    # End of StrongKey MFA modifications
    
    

    NOTE: The pam_u2f.so line appears wrapped across several lines only because of the width of the page. In the file it must be written as a single line.


  9. Configure FIDO login for console login (run level 3) by making the following modifications to the /etc/pam.d/login file.

    Replace the following line:
    auth       substack      system-auth
    
    with the following block (replace the strongkey.com origin with the relevant value):
    #auth       substack                    system-auth
    auth        required                    pam_env.so
    auth        required                    pam_faildelay.so delay=2000000
    auth        [success=1 default=ignore]  pam_succeed_if.so user ingroup mfausers
    auth        sufficient                  pam_unix.so nullok try_first_pass
    auth        [success=2 default=ignore]  pam_succeed_if.so user notingroup mfausers
    auth        requisite                   pam_unix.so nullok try_first_pass
    auth        sufficient                  pam_u2f.so  authfile=/etc/strongkey/fido-keys debug debug_file=/var/log/pamfido.log cue pinverification=1 origin=strongkey.com
    auth        requisite                   pam_succeed_if.so uid >= 1000 quiet_success
    auth        required                    pam_deny.so
    # End of StrongKey MFA modifications
    
    

    NOTE: The pam_u2f.so line appears wrapped across several lines only because of the width of the page. In the file it must be written as a single line.


  10. Configure FIDO login for graphical console login (run level 5) by making the following modifications to the /etc/pam.d/gdm-password file.

    Replace the following line:
    auth       include      password-auth
    
    with the following block (replace the strongkey.com origin with the relevant value):
    #auth       include                     password-auth
    auth        required                    pam_env.so
    auth        required                    pam_faildelay.so delay=2000000
    auth        [success=1 default=ignore]  pam_succeed_if.so user ingroup mfausers
    auth        sufficient                  pam_unix.so nullok try_first_pass
    auth        [success=2 default=ignore]  pam_succeed_if.so user notingroup mfausers
    auth        requisite                   pam_unix.so nullok try_first_pass
    auth        sufficient                  pam_u2f.so  authfile=/etc/strongkey/fido-keys debug debug_file=/var/log/pamfido.log cue pinverification=1 origin=strongkey.com
    auth        requisite                   pam_succeed_if.so uid >= 1000 quiet_success
    auth        required                    pam_deny.so
    # End of StrongKey MFA modifications
    
    

    NOTE: The pam_u2f.so line appears wrapped across several lines only because of the width of the page. In the file it must be written as a single line.
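    The three PAM blocks above are identical, and it is the `[success=N default=ignore]` jumps around pam_succeed_if.so that decide who must present a key. The following added example (illustrative Python, not the PAM library and not a StrongKey tool) models only the control values used in those blocks so the outcome for each class of user can be checked before the files are edited: members of mfausers need a correct password and a registered Security Key, while other users need only a password.

```python
# Added example: a minimal model of the "auth" stack configured on this page.
# It implements only the control values used here: required, requisite,
# sufficient and [success=N default=ignore]. It is not PAM itself.

# The stack from the page, in order, as (control, module) pairs.
STACK = [
    ("required", "pam_env"),
    ("required", "pam_faildelay"),
    ("success=1", "user ingroup mfausers"),
    ("sufficient", "pam_unix"),
    ("success=2", "user notingroup mfausers"),
    ("requisite", "pam_unix"),
    ("sufficient", "pam_u2f"),
    ("requisite", "uid >= 1000"),
    ("required", "pam_deny"),
]

def run_auth_stack(in_mfausers, password_ok, key_ok, uid=1000):
    """Return True if the modelled stack grants access, False otherwise."""
    outcome = {  # result of each module for this (assumed) login attempt
        "pam_env": True, "pam_faildelay": True, "pam_deny": False,
        "user ingroup mfausers": in_mfausers,
        "user notingroup mfausers": not in_mfausers,
        "pam_unix": password_ok, "pam_u2f": key_ok,
        "uid >= 1000": uid >= 1000,
    }
    failed = False  # a failed 'required' module is remembered, not fatal yet
    i = 0
    while i < len(STACK):
        control, module = STACK[i]
        ok = outcome[module]
        if control.startswith("success="):
            # [success=N default=ignore]: on success skip the next N modules
            if ok:
                i += int(control.split("=", 1)[1])
        elif control == "sufficient" and ok and not failed:
            return True          # enough: stop the stack with success
        elif control == "requisite" and not ok:
            return False         # fatal: stop the stack immediately
        elif control == "required" and not ok:
            failed = True        # keep going, but the final result is failure
        i += 1
    return not failed

if __name__ == "__main__":
    print("mfausers member, good password, no key ->", run_auth_stack(True, True, False))
    print("non-member, good password, no key ->", run_auth_stack(False, True, False))
```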

  11. Perform a run level 3 console login and observe that nothing is written to the pamfido.log file. Run the following commands as root to add an SELinux exception that allows the run level 3 login process to write to the pamfido.log file.

    ausearch -c 'login' --raw | audit2allow -M my-login
    semodule -i my-login.pp