idQ PAM for Ubuntu connector installation guide.

This section describes how to install idQ PAM for Ubuntu onto an Ubuntu server, including the configuration of the idQ PAM for Ubuntu connector, the Ubuntu server itself, and the idQ Enterprise OAuth credentials.

Once installed, idQ PAM for Ubuntu lets users approve an idQ push notification as the second authentication factor when logging in to a remote Ubuntu server.

Target Audience

Linux IT Administrator responsible for the deployment of idQ PAM for Ubuntu.

Required Privileges

Linux Server Admin/Root privileges

Deployment Checklist

  1. Requirement Preparation: ensure the Server Requirements are met for the deployment of the idQ PAM for Ubuntu connector.
  2. System Preparation: complete the System Configuration worksheet.
  3. Network Preparation: complete the Network Configuration worksheet.
  4. Prepare Network Names and Firewall Rules: ensure firewall rules are in place and DNS servers are defined on the Linux server.
  5. Download Connector: download the installer file for the idQ PAM for Ubuntu connector.
  6. Obtain OAuth Credentials: register your application within an idQ Enterprise organization to obtain the OAuth 2.0 client credentials.
  7. Installation: deploy idQ PAM.
  8. Configure idQ PAM for Ubuntu: configure specific user accounts to use idQ PAM for Ubuntu.
  9. Map User Account to idQ Enterprise Trusted Device: map a user account to a Trusted Device so that the idQ push notification can serve as the second authentication factor.

System Requirements

Ubuntu Server Requirements

Hardware Requirements

  • Hardware capable of running Ubuntu 14.04 LTS or Ubuntu 16.04 LTS.

Software Requirements

  • Existing Ubuntu 14.04 LTS or Ubuntu 16.04 LTS
  • OpenSSH

Ports Required to be Opened Through Firewall

  • Outbound TCP 443 (HTTPS, default) from the Linux server to idQ Enterprise: <your organization hostname>.idquanta.com

Configuration Worksheets

 

It is HIGHLY RECOMMENDED that you fill out the Configuration Worksheets to gather information that is required to configure idQ PAM for Ubuntu during the installation process.  

Print out the worksheets and consult your network administrator to fill in the appropriate configuration values.

System Configuration

Each entry lists the setting name, its value (or the default), and a description.

idQ Enterprise Server information

The following configuration values are provided by inBay Technologies when you register your application with the idQ Enterprise platform.

SERVERNAME
Value: <your organization hostname>.idquanta.com
Description: The fully qualified domain name of the idQ Enterprise cloud service.

SERVERPORT
Value: 443
Description: idQ server port (HTTPS).

Application Information

The following are OAuth 2.0 client credentials. When you register your application within your idQ Enterprise organization, these configuration values are provided by inBay Technologies.

OAuth Endpoint
Value: (fill in)
Description: Your endpoint as specified in your idQ Enterprise organization.

Client ID
Value: (fill in)
Description: Your idQ PAM Client ID.

Client Secret
Value: (fill in)
Description: Your idQ PAM Client Secret. Treat it as a credential: record it on the printed worksheet only if the worksheet is stored securely, and do not leave it in shell history or world-readable files on the server.

Callback URL
Value: (fill in)
Description: Your idQ PAM Callback URL.

idQ PAM Option Settings

FilterGroup
Value: pam_idq
Description: Members of the group "pam_idq" can use idQ PAM for authentication.

OmitPasswordGroup
Value: pam_idqrsa
Description: Users who are members of both "pam_idq" and "pam_idqrsa" perform two-factor authentication with their RSA (SSH public key) as the primary factor and the idQ push notification as the second factor; the password is omitted for them. Membership in "pam_idqrsa" alone has no documented effect.

SupportPush
Value: yes (default) / no
Description: Enables or disables secondary authentication via the idQ push notification service. If SupportPush is set to "yes", two-factor authentication is enabled with the idQ push notification as the second factor. If SupportPush is set to "no", the idQ push feature is not enabled.

PushTitle
Value: Login Request
Description: Text displayed as the title of the idQ push notification, rendered as "<PushTitle> Request"; for example, "Login Request".

PushMessage
Value: "User %u is trying to sign in to %h, please approve the login request."
Description: Message content for the idQ push notification. %u and %h are placeholders that are replaced with the username of the user who initiated the login request and the hostname (computer name) of the Linux server. An example of a rendered message: "User ethansmith is trying to sign in to ServerX, please approve the login request."

Network Configuration

Firewall Requirements

Set up a firewall rule that allows outbound TCP port 443 from the Ubuntu server to the idQ Enterprise cloud service destination ( <your organization hostname>.idquanta.com ). This is the only idQ Enterprise port listed under System Requirements; the connector initiates the connection, so a stateful firewall passes the replies of that established session without a separate inbound rule for port 443.

DNS name resolution

The Ubuntu server must be able to resolve the public FQDN <your organization hostname>.idquanta.com.

If required, allow inbound SSH access (TCP port 22 by default) from remote clients to the Linux server.

Deployment Procedure

In these deployment instructions, idQ PAM for Ubuntu is installed on an Ubuntu 16.04 server.

  1. Log in to the Ubuntu server on which idQ PAM for Ubuntu will be installed, using an administrator account that can run sudo.

  2. Update the apt package index.

    Update apt package index
    $ sudo apt-get update
  3. Make sure the OpenSSH server (a dependency of idQ PAM) is installed on the Ubuntu server by executing the command below.

    Installing OpenSSH
    $ sudo apt-get install openssh-server
  4. Install gdebi-core and the two runtime libraries. gdebi resolves and installs the dependencies of a local .deb file before installing the file itself, which is what step 5 relies on.

    # gdebi looks up all the dependencies of the .deb file and installs
    # them before attempting to install the .deb file
    $ sudo apt-get install gdebi-core

    $ sudo apt-get install libcurl3
    $ sudo apt-get install libqrencode3
  5. Install idQ PAM by executing the command below.

    $ sudo gdebi <current version of pamidq_X.deb file>
  6. After gdebi has installed the .deb file, run the configuration script below.

    $ sudo /usr/bin/pam_idq_conf.sh
  7. When prompted, enter the information below so that idQ PAM can authenticate users through idQ Enterprise.

    OAuth Endpoint: the endpoint supplied to you, based on your organization, when you registered your idQ PAM application.
    Client ID: the "Client ID" from when you registered your idQ PAM application.
    Client Secret: the "Client Secret" from when you registered your idQ PAM application.
    Callback URL: the "Callback URL" from when you registered your idQ PAM application.

  8. Press Enter to accept the default title and message content for the push notification (the PushTitle and PushMessage values from the System Configuration worksheet), or enter alternative text for the title and/or the message content.

  9. Verify that the following two dependent libraries are present.

    $ apt search 'libcurl3'
    - should display "libcurl3 ...  [installed]"

    $ apt search 'libqrencode3'
    - should display "libqrencode3 ...  [installed]"
  10. Verify that the three files below have been created for idQ PAM using the command "ls".

    $ ls /lib/security/

    /lib/security/pam_idq.so
    /lib/security/pam_idq_u.so

    $ ls /etc/pam_idq.d/

    /etc/pam_idq.d/pam_idq_conf.sh
  11. Verify that the two help pages have been created for idQ PAM using the command "man".

    $ man pam_idq
    - should display the help page for the pam_idq module.

    $ man pam_idq_u
    - should display the help page for the pam_idq_u module.
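The verification steps 9 to 11 above, together with the DNS and outbound-443 checks from the Network Configuration section, collected into one POSIX shell script. This is an added example, not a script shipped with the inBay package or shown on the original page: the package names, file paths and man page names are the ones the procedure lists; the function names, the IDQ_HOST variable and the use of curl for the HTTPS probe are this script's own assumptions. It checks the dpkg Status field rather than grepping apt search output, so a half-removed package ("deinstall ok config-files") is reported as missing instead of passing.

```shell
#!/bin/sh
# Post-install verification for the idQ PAM for Ubuntu connector.
# Added example; not part of the inBay package. Package, file and man page
# names are those listed in the deployment procedure. 'curl' is assumed to
# be installed for the reachability probe; IDQ_HOST is this script's own
# variable (set it to <your organization hostname>.idquanta.com).

set -eu

IDQ_DEPS="openssh-server libcurl3 libqrencode3"
IDQ_FILES="/lib/security/pam_idq.so /lib/security/pam_idq_u.so /etc/pam_idq.d/pam_idq_conf.sh"
IDQ_MAN="pam_idq pam_idq_u"
IDQ_HOST="${IDQ_HOST:-}"

# status_is_installed STATUS: true only for a dpkg Status field of
# "install ok installed". Half-installed or removed-but-configured
# states ("deinstall ok config-files") must not pass.
status_is_installed() {
    case "${1:-}" in
        "install ok installed") return 0 ;;
        *)                      return 1 ;;
    esac
}

# pkg_installed NAME: read NAME's Status field from dpkg and apply the check.
pkg_installed() {
    st=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null || true)
    status_is_installed "$st"
}

# missing_files PATH...: print every path that is not a regular file;
# exit 1 if anything was missing, 0 if all exist.
missing_files() {
    rc=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# man_page_exists NAME: 'man -w' exits 0 only when the page is indexed.
man_page_exists() {
    man -w "$1" >/dev/null 2>&1
}

# check_idq_reachable HOST: DNS resolution first, then an HTTPS connection
# to the idQ Enterprise cloud service (outbound TCP 443). The HTTP status
# of the reply is irrelevant here; only the connection has to succeed.
check_idq_reachable() {
    getent hosts "$1" >/dev/null || { echo "DNS: cannot resolve $1" >&2; return 1; }
    curl -sS --max-time 10 -o /dev/null "https://$1/" \
        || { echo "HTTPS: cannot reach $1:443" >&2; return 1; }
}

# verify_install: run every check, print one line per item, exit 1 on any failure.
verify_install() {
    ok=0
    for p in $IDQ_DEPS; do
        if pkg_installed "$p"; then echo "ok       package $p"
        else echo "MISSING  package $p"; ok=1; fi
    done
    if missing=$(missing_files $IDQ_FILES); then echo "ok       connector files"
    else echo "MISSING  files:"; echo "$missing"; ok=1; fi
    for m in $IDQ_MAN; do
        if man_page_exists "$m"; then echo "ok       man $m"
        else echo "MISSING  man $m"; ok=1; fi
    done
    if [ -n "$IDQ_HOST" ]; then
        if check_idq_reachable "$IDQ_HOST"; then echo "ok       idQ Enterprise reachable"
        else ok=1; fi
    fi
    return "$ok"
}

# Live checks run only when invoked as:  IDQ_HOST=<host> sh idq_verify.sh run
# so the functions above can also be sourced and reused individually.
if [ "${1:-}" = run ]; then
    verify_install
fi
```

Run it after step 11 as `IDQ_HOST=<your organization hostname>.idquanta.com sh idq_verify.sh run`; a non-zero exit means at least one item printed MISSING. Leave IDQ_HOST unset to skip the network probe on a server that is not yet allowed out to port 443.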

User Configurations for idQ PAM Authentication

There are four Linux server user types, each configured for a different authentication method.

A user can be configured for only one of these methods. A login attempted under a different scenario will fail.

Single Factor Authentication User: Password Only

Installing the idQ PAM for Ubuntu connector does not affect this type of user. They continue to authenticate with a username and password.

Single Factor Authentication User: RSA (public key) Only

Installing the idQ PAM for Ubuntu connector does not affect this type of user. They continue to authenticate with their RSA (SSH public) key.

Two Factor Authentication User: Password and idQ PAM for Ubuntu

After installing the idQ PAM for Ubuntu connector, add users of this type to the "pam_idq" group. They authenticate with their password first, and idQ Enterprise then sends a push authorization message as the second authentication factor.

Two Factor Authentication User: RSA and idQ PAM for Ubuntu

After installing the idQ PAM for Ubuntu connector, add users of this type to both the "pam_idq" group and the "pam_idqrsa" group. Their RSA (SSH public) key is the primary authentication method, the password is omitted (see OmitPasswordGroup in the worksheet), and idQ Enterprise sends a push authorization message as the second authentication factor. Make sure such a user already has a working public key on the server before adding them to "pam_idqrsa"; with the password omitted, a user without a key has no primary factor left and is locked out.
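The group assignments described for the four user types, as an added example in POSIX shell (not part of the inBay package or the original page). The group names pam_idq and pam_idqrsa come from the worksheet above; the type labels (password, rsa, password+idq, rsa+idq), the function names, and the rule that a user in pam_idqrsa but not pam_idq is reported as misconfigured are this script's own conventions. Before adding an rsa+idq user it refuses to proceed unless ~/.ssh/authorized_keys (the default sshd AuthorizedKeysFile) is non-empty, since the password is omitted for that group. enroll_user and audit_idq_users need root; classify_membership and idq_groups_for_type are pure and can be sourced anywhere.

```shell
#!/bin/sh
# Group mapping helpers for idQ PAM for Ubuntu user types.
# Added example; not shipped with the inBay package. Group names are from
# the worksheet; type labels and the lockout check are this script's own.

set -eu

# idq_groups_for_type TYPE: print the groups a user of TYPE must belong to.
# Single-factor types need no idQ groups at all.
idq_groups_for_type() {
    case "$1" in
        password|rsa)  echo "" ;;
        password+idq)  echo "pam_idq" ;;
        rsa+idq)       echo "pam_idq pam_idqrsa" ;;
        *) echo "unknown user type: $1" >&2; return 1 ;;
    esac
}

# classify_membership "GROUP GROUP ...": the inverse mapping, from the
# space-separated group list of 'id -nG USER' back to a type label.
# pam_idqrsa is only meaningful together with pam_idq, so that case is flagged.
classify_membership() {
    g=" $1 "
    case "$g" in
        *" pam_idq "*)
            case "$g" in
                *" pam_idqrsa "*) echo "rsa+idq" ;;
                *)                echo "password+idq" ;;
            esac ;;
        *" pam_idqrsa "*) echo "misconfigured" ;;
        *)                echo "single-factor" ;;
    esac
}

# has_authorized_key USER: true when the user's default authorized_keys
# file exists and is non-empty (assumes sshd's default AuthorizedKeysFile).
has_authorized_key() {
    home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home" ] && [ -s "$home/.ssh/authorized_keys" ]
}

# enroll_user USER TYPE: create the groups if needed and add USER to them.
# Refuses rsa+idq for a user with no public key: with the password omitted
# that user would have no primary factor and could not log in at all.
enroll_user() {
    user=$1; type=$2
    groups=$(idq_groups_for_type "$type") || return 1
    if [ -z "$groups" ]; then
        echo "$user: $type is single-factor, no idQ groups required"
        return 0
    fi
    if [ "$type" = rsa+idq ] && ! has_authorized_key "$user"; then
        echo "refusing: $user has no authorized_keys entry; add the public key first" >&2
        return 1
    fi
    for g in $groups; do
        getent group "$g" >/dev/null || groupadd "$g"
        usermod -aG "$g" "$user"
    done
    echo "$user: now $(classify_membership "$(id -nG "$user")")"
}

# audit_idq_users: list every member of either idQ group with its effective type,
# so misconfigured users (pam_idqrsa without pam_idq) stand out.
audit_idq_users() {
    for g in pam_idq pam_idqrsa; do
        getent group "$g" | cut -d: -f4 | tr ',' '\n'
    done | sort -u | while read -r u; do
        [ -n "$u" ] || continue
        printf '%-16s %s\n' "$u" "$(classify_membership "$(id -nG "$u")")"
    done
}
```

Typical use after the connector is installed: `sudo sh -c '. ./idq_users.sh; enroll_user ethansmith rsa+idq; audit_idq_users'`. Because the page states that a user is valid for exactly one scenario, run audit_idq_users after any group change and treat every "misconfigured" line as a login that will fail.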
