idQ PAM for Ubuntu connector installation guide.
This section describes how to install idQ PAM for Ubuntu onto an Ubuntu server, including the configuration of the idQ PAM for Ubuntu connector, the Ubuntu server, and the idQ Enterprise OAuth credentials.
Once installed, idQ PAM for Ubuntu will enable users to use the idQ push notification as the second authentication factor when logging in to a remote Ubuntu server.
Linux IT Administrator responsible for the deployment of idQ PAM for Ubuntu.
Linux Server Admin/Root privileges
|1||Requirement Preparation||Ensure Server Requirements are met for the deployment of the idQ PAM for Ubuntu connector|
|2||System Preparation||Complete System Configuration worksheet|
|3||Network Preparation||Complete Network Configuration worksheet|
|4||Prepare Network Names and Firewall rules||Ensure firewall rules are in place and DNS servers are defined on Linux servers|
|5||Download Connector||Download the installer file for idQ PAM for Ubuntu connector|
|6||Obtain OAuth credentials||Registration of your application within an idQ Enterprise organization to obtain the OAuth 2.0 client credentials.|
|7||Installation||Deploy idQ PAM|
|8||Configure idQ PAM for Ubuntu||Configure specific user accounts to use idQ PAM for Ubuntu|
|9||Map user account to idQ Enterprise Trusted Device||Map a user account to a Trusted Device so that the idQ push notification can serve as the second authentication factor|
Ubuntu Server Requirements
- Hardware capable of running Ubuntu 14.04 LTS or Ubuntu 16.04 LTS.
- An existing Ubuntu 14.04 LTS or Ubuntu 16.04 LTS installation.
Ports Required to be Opened Through Firewall
External port allowing HTTPS access from the Linux server to idQ Enterprise: outbound TCP, default 443, to <your organization hostname>.idquanta.com
It is HIGHLY RECOMMENDED that you fill out the Configuration Worksheets to gather information that is required to configure idQ PAM for Ubuntu during the installation process.
Print out the worksheets and consult your network administrator to fill in the appropriate configuration values.
idQ Enterprise Server information
|The following configuration values are provided by inBay Technologies when you register your application with idQ Enterprise platform.|
<your organization hostname>.idquanta.com
The fully qualified domain name for the idQ Enterprise Cloud Service
idQ Server Port
|The following are OAuth 2.0 client credentials. When you register your application within your idQ Enterprise organization, these configuration values are provided by inBay Technologies.|
|OAuth Endpoint||Your endpoint as specified in your idQ Enterprise organization|
|Client ID||Your idQ PAM Client ID|
|Client Secret||Your idQ PAM Client Secret|
|Callback URL||Your idQ PAM Callback URL|
idQ PAM Option Settings
Members of the group "pam_idq" can use idQ PAM for authentication
Members of the joint group "pam_idq" & "pam_idqrsa" can perform two-factor authentication – primary authentication via RSA public key and secondary authentication via idQ PAM push notification.
|SupportPush||Enable/disable secondary authentication via the idQ push notification service. If SupportPush is set to "yes", two-factor authentication is enabled with the idQ push notification as the second authentication factor. If SupportPush is set to "no", the idQ authentication push feature is not enabled.|
|PushTitle||Text displayed as part of the idQ push notification title: "<PushTitle> Request". For example, "Login Request".|
|Push notification message||Message content for the idQ push notification message. Default: "User %u is trying to sign in to %h, please approve the login request." %u and %h are variables that are replaced by the username of the user who sent the request and by the hostname (or computer name) of the Linux server. An example of a push notification message: "User ethansmith is trying to sign in to ServerX, please approve the login request."|
Set up your firewall rule to allow inbound and outbound TCP port 443 to the internet for the idQ Enterprise cloud service destination (<your organization hostname>.idquanta.com).
DNS name resolution
The Ubuntu server must resolve the public FQDN <your organization hostname>.idquanta.com
If required, allow SSH access from remote client to Linux server.
In these deployment instructions, idQ PAM for Ubuntu is installed on an Ubuntu 16.04 server.
Log in with an administrator account to the Ubuntu server on which idQ PAM for Ubuntu will be installed.
Update the apt definitions to the latest version.
Make sure the SSH server (a dependency of idQ PAM) is installed on the Ubuntu server by executing the command below.
Install gdebi-core; it resolves all package dependencies before the installation in step 4.
Install idQ PAM by executing the command below.
After gdebi has installed the .deb package, run the configuration script below.
Enter the information below for idQ PAM to perform passwordless authentication through idQ Enterprise.
|Parameter Name||Description|
|OAuth Endpoint||The endpoint supplied to you based on your organization when you registered your idQ PAM application.|
|Client ID||The "Client ID" from when you registered your idQ PAM application.|
|Client Secret||The "Client Secret" from when you registered your idQ PAM application.|
|Callback URL||The "Callback URL" from when you registered your idQ PAM application.|
Press Enter to accept the default values for the "delegated authorization message" title and message content, or enter alternative text for the title and/or the message content.
Verify that the following two dependent libraries are present.
Verify that the three files below have been created for idQ PAM using the command "ls".
Verify that the two help pages have been created for idQ PAM using the command "man".
User Configurations for idQ PAM Authentication
There are four Linux server user types that can be configured to use different authentication methods.
A user can only be configured to use one of these authentication methods; attempting to log in under a different scenario will not work.
Single Factor Authentication User: Password Only
Installation of the idQ PAM for Ubuntu connector will not affect this type of user. They will continue to authenticate with a username and password.
Single Factor Authentication User: RSA (public key) Only
Installation of idQ PAM for Ubuntu connector will not affect this type of user. They will continue to authenticate with an RSA key.
Two Factor Authentication User: Password and idQ PAM for Ubuntu
After installing the idQ PAM for Ubuntu connector, users of this type are added to the "pam_idq" group, which configures idQ Enterprise to use a push authorization message as the secondary authentication factor.
Two Factor Authentication User: RSA and idQ PAM for Ubuntu
After installing the idQ PAM for Ubuntu connector, users of this type are added to both the "pam_idq" group and the "pam_idqrsa" group, which configures RSA as the primary authentication method and idQ Enterprise to use a push authorization message as the secondary authentication factor.
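As an added example (not code from the idQ PAM package or from inBay), the following POSIX shell script audits which of the scenarios above each local user falls into, based on the "pam_idq" and "pam_idqrsa" group membership described in the option settings and the user types. The group content is a constructed /etc/group excerpt; the "review" label for a user in pam_idqrsa but not pam_idq is an assumption, since the guide describes no such scenario.

```shell
#!/bin/sh
# Added example: report the idQ PAM scenario each user is configured for,
# derived from membership in the "pam_idq" and "pam_idqrsa" groups.
# SAMPLE_GROUP is a constructed /etc/group excerpt; on a real server use
# idq_audit "$(cat /etc/group)" instead.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
pam_idq:x:1001:alice,bob
pam_idqrsa:x:1002:bob,carol
users:x:100:dave'

# members_of GROUP CONTENT -> prints the members of GROUP, one per line
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" \
        '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# in_group USER GROUP CONTENT -> exit status 0 when USER is listed in GROUP
in_group() {
    members_of "$2" "$3" | grep -qxF -- "$1"
}

# idq_auth_type USER CONTENT -> the scenario the guide assigns to USER
idq_auth_type() {
    if in_group "$1" pam_idq "$2" && in_group "$1" pam_idqrsa "$2"; then
        echo "rsa+idq"        # two-factor: RSA key, then idQ push notification
    elif in_group "$1" pam_idq "$2"; then
        echo "password+idq"   # two-factor: password, then idQ push notification
    elif in_group "$1" pam_idqrsa "$2"; then
        echo "review"         # assumption: pam_idqrsa alone is not a documented scenario
    else
        echo "unaffected"     # password-only or RSA-only; idQ PAM not involved
    fi
}

# idq_audit CONTENT -> one "user scenario" line per user in either idQ group
idq_audit() {
    { members_of pam_idq "$1"; members_of pam_idqrsa "$1"; } | sort -u |
    while read -r user; do
        printf '%s %s\n' "$user" "$(idq_auth_type "$user" "$1")"
    done
}

idq_audit "$SAMPLE_GROUP"
```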