The Pluggable Authentication Modules (PAM) framework is a software library that offers a general programming interface for authentication services. With the PAM API the authentication settings no longer have to be defined for every single application; instead, individual standardized modules are used. The modules are assigned to the individual services in the PAM configuration file, and the corresponding software does not have to be recompiled. PAM is available for AIX, HP-UX, Solaris, Linux, FreeBSD, NetBSD, Mac OS X and DragonFly BSD.
There are several areas of application for secure Two-Factor Authentication with the SecSign ID Pluggable Authentication Module.
We offer the SecSign ID RADIUS Proxy for authentication services that use a RADIUS server together with Active Directory. In that setup the SecSign IDs are looked up in Active Directory instead of in the configuration file.
The user provides, in this example over an SSH connection, his user name and password. Within seconds he receives a push notification on his smartphone that shows the service name and the address of the service he wants to log in to. As soon as he confirms the request the SSH connection is established.
That is all the user has to do to get truly secure Two-Factor Authentication: access to the system is denied even if the password has been leaked.
Download the SecSign ID PAM archive and unpack it. The library contains four files:
To compile and run the module the following requirements must be met:
The gcc compiler and libcurl can be installed with Debian:
su
apt-get update
apt-get install build-essential
apt-get install curl
Note that the curl package only provides the command-line tool; compiling the module also needs the development headers, so on Debian install libpam0g-dev and libcurl4-gnutls-dev as well (the same package names as on Ubuntu).
and with Ubuntu:
sudo apt-get install libpam0g-dev
sudo apt-get install libcurl4-gnutls-dev
and with RHEL:
yum groupinstall "Development Tools"
yum install curl-devel
yum install pam.i686
yum install pam-devel
The pam.i686 package is the 32-bit PAM runtime and is only needed for a 32-bit build; on a 64-bit system pam-devel is sufficient.
The easiest way to install the compiler gcc, libcurl and libpam on Mac OS X is via Homebrew.
The file secsignid.c contains the compile-time settings of the module. The paths to the configuration file and to the log and debug files can be adjusted there.
The configuration file secsignid.config holds the general settings and the mapping of user names to their SecSign IDs. It should be stored at /etc/secsignid/secsignid.config or at another location that only root (or the administrator) can write to: anyone who can edit this file can change which SecSign ID a login name is mapped to, and with that which phone receives the confirmation request. The path to the configuration file is set in secsignid.c with the constant CONFIGFILE:
#define CONFIGFILE "/etc/secsignid/secsignid.config"
General Settings:
The PAM module sends several details to the ID-Server, which passes them on to the user's smartphone, including the service name and the corresponding IP address or URL:
# ID related settings, will be displayed on the users app
secservicename=testPAM_internal
secserviceaddress=your-url.com
Output:
The parameter secoutput determines whether the console prints status messages like in the example below:
Start SecSignID 2FA ...
Press enter to proceed ...
SecSignID 2FA successful ...
If secoutput=true, the user sees the status messages and has to press enter before authenticating (PAM buffers messages until a prompt is shown). If the parameter secoutputid is set to true, the user's SecSign ID is displayed during the login; this helps with troubleshooting, but it also discloses the mapping to anyone who can see the terminal.
# displays that the 2FA has started [true|false]
secoutput=true
# displays the SecSignID at login [true|false]
secoutputid=true
Interval:
The PAM plugin includes an interval function. After a successful login it skips the 2FA if the same user logs in again within a given time frame (in minutes). A value of 0 disables the function.
# skip 2FA if previous login was less than x minutes ago
secintervalmin=10
For the interval function to work, secsignid.c defines a path to a writable folder. Whenever a user successfully authenticates via 2FA, the PAM module creates a file with the user name and timestamp. On every login it checks the timestamp of the last 2FA login and decides whether another 2FA is needed. Create the folder and set the access rights so that only root can write to it: these files are what the module trusts when it skips the second factor, so any user who can create or modify a file in this folder can bypass 2FA for that user name for the next secintervalmin minutes. Keep the interval short, because during that window a leaked password alone is enough to log in.
#define INTERVALFILEFOLDER "/etc/secsignid/lockfiles/"
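As an added example (not SecSign's code), the decision the interval function has to make, together with the checks a careful implementation should add before trusting a timestamp file: only a regular file owned by the module's own effective user (root under sshd) and writable by nobody else is accepted, a file whose timestamp lies in the future is distrusted, and a login name that could escape the folder is refused. The function names, the use of the file's mtime as the timestamp and the temporary folder standing in for INTERVALFILEFOLDER are assumptions for illustration.

```c
/* Added example, not SecSign's code: interval check for the 2FA skip window.
 * Assumptions: the timestamp is the lockfile's mtime, the folder is a private
 * temporary directory, and the function names are ours. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Builds "<folder>/<user>", refusing names that could leave the folder. */
static int lockfile_path(const char *folder, const char *user, char *buf, size_t len) {
    if (*user == '\0' || strchr(user, '/') != NULL ||
        strcmp(user, ".") == 0 || strcmp(user, "..") == 0)
        return -1;
    return snprintf(buf, len, "%s/%s", folder, user) < (int)len ? 0 : -1;
}

/* Records a successful 2FA: creates or refreshes the user's lockfile with
 * mode 0600 and sets its mtime to 'when'. Returns 0 on success, -1 on error. */
int record_2fa(const char *folder, const char *user, time_t when) {
    char path[4096];
    struct timespec ts[2];
    int fd, rc;
    if (lockfile_path(folder, user, path, sizeof path) != 0) return -1;
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600); /* never follow a planted symlink */
    if (fd < 0) return -1;
    rc = fchmod(fd, 0600);
    close(fd);
    if (rc != 0) return -1;
    ts[0].tv_sec = when; ts[0].tv_nsec = 0;
    ts[1] = ts[0];
    return utimensat(AT_FDCWD, path, ts, 0) == 0 ? 0 : -1;
}

/* Returns 1 if the 2FA step may be skipped for 'user' at time 'now', else 0.
 * interval_min == 0 disables the feature (matches secintervalmin=0). */
int can_skip_2fa(const char *folder, const char *user, int interval_min, time_t now) {
    char path[4096];
    struct stat st;
    double age;
    if (interval_min <= 0) return 0;
    if (lockfile_path(folder, user, path, sizeof path) != 0) return 0;
    if (lstat(path, &st) != 0) return 0;             /* no record: require 2FA */
    if (!S_ISREG(st.st_mode)) return 0;              /* symlink or directory: reject */
    if (st.st_uid != geteuid()) return 0;            /* file planted by someone else */
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* others could rewrite it */
    age = difftime(now, st.st_mtime);
    if (age < 0) return 0;                           /* timestamp in the future: distrust */
    return age < (double)interval_min * 60.0;
}

/* A private temporary folder standing in for INTERVALFILEFOLDER (assumption). */
const char *demo_folder(void) {
    static char tmpl[] = "/tmp/secsignid-lockfiles-XXXXXX";
    static int ready = 0;
    if (!ready) {
        if (mkdtemp(tmpl) == NULL) return NULL;
        ready = 1;
    }
    return tmpl;
}

int main(void) {
    time_t now = 1700000000;                /* fixed clock so the output is reproducible */
    const char *dir = demo_folder();
    record_2fa(dir, "alice", now - 5 * 60); /* alice passed 2FA five minutes ago */
    printf("alice, 10 minute window: skip=%d\n", can_skip_2fa(dir, "alice", 10, now));
    printf("alice, 20 minutes later: skip=%d\n", can_skip_2fa(dir, "alice", 10, now + 20 * 60));
    printf("bob, no record:          skip=%d\n", can_skip_2fa(dir, "bob", 10, now));
    return 0;
}
```

The ownership and mode checks are what make the folder permissions matter less if they are ever set wrongly: a file that an unprivileged user could have created or modified is simply not accepted as evidence of a recent 2FA.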
User Mapping with the Login Name:
If the user authenticates via SSH (for example), the administrator can decide whether the user's SecSign ID is the same as the login name or whether the ID is set manually.
Automatic mapping with the login name is recommended for On-Premise ID Servers only, where you control which SecSign IDs exist. If you use the public Cloud ID Server you have to use manual mapping, because there a login name does not prove that the SecSign ID of the same name was registered by your user.
# automatic secsign id user mapping, AD user name equals SecSignID [true|false]
# only recommended for On-Premise Servers setups, otherwise false
secadusername = true
Manual SecSign ID Mapping:
If you use manual mapping, each user needs an entry with the following schema that maps the Linux user name to the SecSign ID:
# manual secsign id user mapping if secadusername=false
#username=secsignid
someLinuxUsername=someSecSignID
Check on a test account that a login name without an entry is rejected rather than let through.
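As an added example (not SecSign's code), a small parser for the key=value format of secsignid.config and the mapping decision the settings above drive: with secadusername=true the login name is taken as the SecSign ID, otherwise the manual entry is looked up, and a login name without an entry (or a malformed file) is denied rather than guessed. Function names and the sample config texts are assumptions; the samples only reuse keys shown on this page.

```c
/* Added example, not SecSign's code: parser for the key=value format of
 * secsignid.config and the login-name -> SecSign ID decision. Function names
 * and the sample texts are assumptions for illustration. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LINE 256
#define MAX_ENTRIES 64

struct entry { char key[MAX_LINE]; char val[MAX_LINE]; };
struct config { struct entry items[MAX_ENTRIES]; int n; };

/* Constructed sample configs in the format of secsignid.config. */
static const char *SAMPLE_MANUAL =
    "# ID related settings, will be displayed on the users app\n"
    "secservicename=testPAM_internal\n"
    "secserviceaddress=your-url.com\n"
    "secoutput=true\n"
    "secintervalmin=10\n"
    "# manual secsign id user mapping if secadusername=false\n"
    "secadusername = false\n"
    "alice=alice.secsign\n";
static const char *SAMPLE_AUTO =
    "secservicename=testPAM_internal\n"
    "secadusername = true\n";

/* Strips leading and trailing whitespace in place. */
static char *trim(char *s) {
    char *end;
    while (isspace((unsigned char)*s)) s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1])) *--end = '\0';
    return s;
}

/* Parses the config text. Blank lines and lines starting with '#' are
 * ignored; every other line must be key=value. Returns the number of entries,
 * or -1 for a malformed line, an over-long line or too many entries. */
int parse_config(const char *text, struct config *cfg) {
    char line[MAX_LINE];
    const char *p = text;
    cfg->n = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *s, *eq;
        struct entry *e;
        if (len >= sizeof line) return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;
        s = trim(line);
        if (*s == '\0' || *s == '#') continue;
        eq = strchr(s, '=');
        if (eq == NULL || cfg->n >= MAX_ENTRIES) return -1;
        *eq = '\0';
        e = &cfg->items[cfg->n++];
        snprintf(e->key, MAX_LINE, "%s", trim(s));
        snprintf(e->val, MAX_LINE, "%s", trim(eq + 1));
    }
    return cfg->n;
}

/* Returns the value stored for key, or NULL if the key is absent. */
const char *config_get(const struct config *cfg, const char *key) {
    int i;
    for (i = 0; i < cfg->n; i++)
        if (strcmp(cfg->items[i].key, key) == 0) return cfg->items[i].val;
    return NULL;
}

static int is_true(const char *v) {
    return v != NULL && (strcmp(v, "true") == 0 || strcmp(v, "1") == 0);
}

/* Resolves the SecSign ID for a login name, or returns NULL (deny) when the
 * manual mapping has no entry or the config is malformed. Static buffer. */
const char *resolve_secsign_id(const char *config_text, const char *login) {
    static char out[MAX_LINE];
    static struct config cfg;
    const char *id;
    if (parse_config(config_text, &cfg) < 0) return NULL;   /* fail closed */
    if (is_true(config_get(&cfg, "secadusername"))) {
        snprintf(out, sizeof out, "%s", login);            /* login name is the ID */
        return out;
    }
    id = config_get(&cfg, login);                           /* manual entry required */
    if (id == NULL || *id == '\0') return NULL;
    snprintf(out, sizeof out, "%s", id);
    return out;
}

/* Number of entries a config text parses to, or -1 if it is malformed. */
int parse_count(const char *text) {
    static struct config cfg;
    return parse_config(text, &cfg);
}

int main(void) {
    const char *id = resolve_secsign_id(SAMPLE_MANUAL, "alice");
    printf("alice -> %s\n", id ? id : "(no mapping, deny)");
    id = resolve_secsign_id(SAMPLE_MANUAL, "bob");
    printf("bob   -> %s\n", id ? id : "(no mapping, deny)");
    return 0;
}
```

Settings and manual mappings live in the same key space, so a Linux account named like one of the setting keys (for example secoutput) would resolve to that setting's value; avoid such account names or test them explicitly.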
If you want to use your own On-Premise ID Server, you can change the endpoints in libsecsignid.c. The predefined cloud endpoints are the following:
char *secSignIDServer = "https://httpapi.secsign.com";
char *secSignIDServerFallback = "https://httpapi2.secsign.com";
Modify the URLs to fit your On-Premise ID Server configuration. Keep them on https with a certificate that libcurl can verify: the module relies on this connection to learn whether the user confirmed the request, so a plain-http or unverified endpoint would let an attacker on the network path answer on the ID-Server's behalf.
The library contains a debug mode which writes out all communication with the interface, so that the transmission of the requests and the queries for the session status can be verified. To activate the debug mode the following constants have to be adjusted.
DEBUGTYPE specifies how the debug output is handled:
DEBUGFILEPATH is the path of the debug file. The file has to be writable by the program; if it does not exist it is created automatically. Since it records the whole exchange with the ID-Server, restrict its permissions and switch the debug mode off again once the setup works.
#define DEBUGTYPE FILEDEBUG
#define DEBUGFILEPATH "/etc/secsignid/secsignid.debug"
Logging covers interface errors. Technical errors (for example wrong syntax for a parameter) and API errors (for example a non-existent user) are logged. Logs go either to syslog or to a separate file:
#define LOGTYPE FILELOG
#define LOGFILEPATH "/etc/secsignid/secsignid.log"
To compile the PAM module open a shell or terminal, change to the unpacked directory containing the C sources and enter make. The module pam_secsignid.so is created.
The module can also be compiled manually:
gcc -fPIC -DPIC -shared -rdynamic -o pam_secsignid.so secsignid.c libsecsignid.c -lcurl
After successful compilation the file has to be copied into the PAM module directory. Depending on the distribution this is /lib/security, /lib64/security or /lib/x86_64-linux-gnu/security; use the directory in which your other modules (for example pam_unix.so) already live:
cp pam_secsignid.so /lib/security/pam_secsignid.so
or
cp pam_secsignid.so /lib64/security/pam_secsignid.so
Make sure the copied file is owned by root and not writable by anyone else, since PAM loads it into privileged processes such as sshd.