
Comptia Linuxxk0005 11 6 1 Alternative Authentication Methods in Linux

The document outlines alternative authentication methods in Linux, focusing on Pluggable Authentication Module (PAM) and Multi-Factor Authentication (MFA). It provides step-by-step instructions for configuring Google Authenticator with SSH, connecting to OpenLDAP, and integrating with Active Directory using System Security Services Daemon (SSSD). Key configurations and commands are included for each method to enhance security and user authentication processes.

Uploaded by

Saba Hussien
Copyright
© All Rights Reserved

Alternative Authentication Methods in Linux

CompTIA Linux+ (XK0-005)

Objectives:

At the end of this episode, I will be able to:

1. Describe authentication mechanisms supported by Linux.

Additional resources used during the episode can be obtained using the download link on the overview episode.

Alternative Authentication Methods in Linux

Pluggable Authentication Module (PAM)
Multi-Factor Authentication (MFA)
Connecting to OpenLDAP and Active Directory

Pluggable Authentication Module (PAM)

Open framework for authentication
Allows adding authentication methods

Biometrics
Time-based One-Time Passwords (TOTP)
Smart Cards
Hardware tokens

Multi-Factor Authentication (MFA)

Prevents unauthorized access
Very useful with SSH
Easy to configure

Configuring Google Authenticator with SSH

1. Install the Google Authenticator module

sudo apt install libpam-google-authenticator

2. Configure the authenticator

google-authenticator

Time-based: yes
Scan QR code and record emergency keys
[Link]
Update config: yes
Disallow multi-use: yes
Allow 3-code skew: yes
Enable rate-limiting: yes

3. Configure sshd

sudoedit /etc/pam.d/sshd

Disable password auth

Comment out # @include common-auth

Enable Google auth

Add auth required pam_google_authenticator.so

sudoedit /etc/ssh/sshd_config

Enable challenge/response

Change ChallengeResponseAuthentication yes
Add PasswordAuthentication no
Add PubkeyAuthentication yes
Add AuthenticationMethods publickey,keyboard-interactive

Restart SSH

sudo systemctl restart ssh
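
A check for step 3, added here as an example and not part of the original show notes: it reads an sshd_config file and a PAM sshd file and reports every setting that differs from the list above. The function names and the sample files are constructed for illustration, and Match blocks and Include files are assumed absent.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the two files from step 3.
# Assumptions: no Match blocks or Include files. sshd keywords are
# case-insensitive and the first value read for a keyword wins.

# first_value FILE KEYWORD: print the first uncommented value of KEYWORD
first_value() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# expect FILE KEYWORD WANTED: report a mismatch and set bad=1
expect() {
    got=$(first_value "$1" "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$3" ] || { echo "FAIL $2: want '$3', got '${got:-unset}'"; bad=1; }
}

# check_mfa_config SSHD_CONFIG PAM_SSHD: one line per finding, returns 0 if clean
check_mfa_config() {
    cfg=$1 pam=$2 bad=0
    expect "$cfg" PasswordAuthentication no
    expect "$cfg" PubkeyAuthentication yes
    expect "$cfg" AuthenticationMethods publickey,keyboard-interactive
    # OpenSSH 8.7+ calls this KbdInteractiveAuthentication; the old name is an alias
    kbd=$(first_value "$cfg" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(first_value "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = yes ] || { echo "FAIL challenge/response: got '${kbd:-unset}'"; bad=1; }
    # PAM: the TOTP module must be a required auth rule ...
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam" ||
        { echo "FAIL pam: pam_google_authenticator.so is not a required auth rule"; bad=1; }
    # ... and the password stack must stay commented out
    if grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam"; then
        echo "FAIL pam: common-auth still included, password prompt remains"; bad=1
    fi
    return "$bad"
}

# Constructed sample: a host where step 3 was only half applied
tmp=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'ChallengeResponseAuthentication yes' > "$tmp/sshd_config"
printf '%s\n' '@include common-auth' \
    'auth required pam_google_authenticator.so' > "$tmp/pam_sshd"
check_mfa_config "$tmp/sshd_config" "$tmp/pam_sshd" || echo "not compliant"
```

Run it against the edited files before restarting SSH, and keep an existing session open while testing a new login.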

Connecting a Client to OpenLDAP

OpenLDAP is not supported by default
Name Service LDAP Connection Daemon (NSLCD)

Interfaces OpenLDAP with PAM

Configuring a Client

1. Install required packages

sudo apt install libnss-ldapd libpam-ldapd ldap-utils

1. ldap://[Link]/
2. dc=lab,dc=itpro,dc=tv
3. Select passwd, group, and shadow

2. Enable home directories in PAM

sudoedit /etc/pam.d/common-session

session optional pam_mkhomedir.so skel=/etc/skel umask=077

3. Enable TLS in nslcd

sudoedit /etc/[Link]

ssl start_tls
tls_reqcert allow

4. Reboot

Connecting to an Active Directory Domain

Linux integrates using SSSD

System Security Services Daemon
Allows a Linux server to join an AD domain
[Link]
Replaces the older winbindd

Joining an AD

Registers the Linux server as a "Member Server" in the AD
Allows user authentication lookups
Allows expanding group membership

Configuring a client

1. Install basic tools

sudo apt install sssd-ad sssd-tools realmd adcli

2. Test connection and identify missing packages

sudo realm -v discover [Link]

3. Join the domain

sudo realm join -U administrator@[Link] [Link]
