Multi-factor authentication (MFA) at OS login provides an extra layer of protection and helps to meet compliance requirements for regulations such as PCI DSS 3.2, NIST 800-171, 23 NYCRR 500, and more. Centrify can prompt for MFA at console or ssh login. This article walks you through the steps to let users log into Linux and UNIX systems with Active Directory credentials and be prompted for multi-factor authentication.
What you will need
- Active Directory.
- Domain admin rights or delegated rights to an OU.
- Windows member server that is not a domain controller. (See system requirements below.)
System Requirements for Windows member server
- Windows Server 2008 R2 (64 bit) or newer (can be a VM)
- 8 GB of RAM
- Joined to Active Directory
- Internet access (outbound port 443)
1. In Active Directory, create the following new objects:
a) Create a new computer group to require MFA at login. We will add computers to the group later.
b) Optionally create a new group for users that you want to require MFA at login and add users to the group.
c) Create an OU to store the Centrify license container and other Centrify zone objects. (Skip this if you already have Centrify Server Suite or Infrastructure Services installed.)
2. Download and install Centrify Infrastructure Services on the Windows member server.
a) Launch Access Manager and create a Zone.
b) Add users to the Zone for all users who need to log into the Linux / UNIX systems.
c) Assign the Zone users, or the Active Directory user group you created in step 1b, to the following two predefined roles:
- UNIX Login
- require MFA for login
3. Prepare your Linux / UNIX system to be joined to Active Directory.
4. Download the Centrify Agent to the Linux / UNIX system.
a) Install the Centrify Agent and join the Linux / UNIX system to Active Directory and to the Centrify Zone you created in step 2a.
b) In Active Directory Users and Computers, add the Linux / UNIX system to the computer group you created in step 1a.
5. If you have not installed the Centrify Connector yet, log into the Centrify Admin Portal to download and install the Centrify Connector on the Windows member server.
6. Download and deploy the Centrify IWA root CA certificate to the Linux / UNIX systems.
7. In the Centrify Admin Portal, navigate to Settings > Authentication > Authentication Profiles.
a) Click on the Add Profile button.
b) Enter a name for the profile then select the desired multifactor authentication options under the Challenge 1 column, except Password and FIDO options. Ignore the Challenge Pass-Through Duration setting as this does not apply to computer login.
c) Make sure users are set up with the MFA options you chose in the authentication profile, such as Centrify's Mobile Authenticator, OATH OTP Client, a telephone number or email address in the user object in Active Directory.
8. Enable the Login Policy to use the Authentication Profile you created.
a) On the left, navigate to Core Services > Policies, then edit an existing policy by clicking on the name of the policy or create a new one by clicking Add Policy Set.
b) In the policy go to Login Policies > UNIX and Windows Servers.
i) Select Yes in the Enable authentication policy controls drop down.
ii) Select the Authentication Profile you created in step 7 from the Default Profile pull down and click Save.
9. On the left column, navigate to Core Services > Roles, then click on the Add Role button.
a) Enter a name for the role.
b) Go to Members and click the Add button.
c) Search for the computer group you created in step 1a. To add individual computers instead, select the checkbox for "Computers", then search for the computer name and click Add.
Logging into the Linux System
Enter domain credentials for a user assigned the UNIX Login role on this system. You will be prompted for MFA in both the CLI and the GUI login.
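Before testing the login, it is worth confirming on the Linux host itself that the join from step 4a and the role assignments from step 2c actually took effect, since a host that is joined but "disconnected", or a user missing the "require MFA for login" role, will not be prompted. The script below is an added example, not part of the original article or Centrify's own tooling; it assumes the Centrify agent commands `adinfo` and `dzinfo` are on the PATH and that their output uses the "Label:   value" layout shown in the constructed samples (adjust the `sed` patterns if your agent version prints differently). The domain, zone and user names are placeholders.

```shell
#!/bin/sh
# Post-join verification for a Centrify-joined Linux host (added example).
# Assumption: adinfo / dzinfo print "Label:   value" lines like the samples below.

# Read adinfo-style output from stdin; succeed only when the host is joined to
# the expected domain, sits in the expected zone, and the agent is "connected".
check_join() {
    expected_domain="$1"
    expected_zone="$2"
    out=$(cat)
    domain=$(printf '%s\n' "$out" | sed -n 's/^Joined to domain:[[:space:]]*//p')
    zone=$(printf '%s\n' "$out"   | sed -n 's/^Zone:[[:space:]]*//p')
    mode=$(printf '%s\n' "$out"   | sed -n 's/^CentrifyDC mode:[[:space:]]*//p')
    [ "$domain" = "$expected_domain" ] || { echo "domain mismatch: '$domain'" >&2; return 1; }
    case "$zone" in
        */"$expected_zone") ;;
        *) echo "zone mismatch: '$zone'" >&2; return 1 ;;
    esac
    [ "$mode" = "connected" ] || { echo "agent not connected: '$mode'" >&2; return 1; }
    return 0
}

# Read dzinfo-style output for one user from stdin; succeed only when both
# predefined roles from step 2c are listed for that user.
check_roles() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q  'UNIX Login'            || { echo "missing UNIX Login role" >&2; return 1; }
    printf '%s\n' "$out" | grep -qi 'require MFA for login' || { echo "missing MFA role" >&2; return 1; }
    return 0
}

# Constructed sample output (not captured from a real host) so the checks can be
# exercised on a machine that has no Centrify agent installed.
SAMPLE_ADINFO='Local host name:   lnx01
Joined to domain:  corp.example.com
Joined as:         lnx01.corp.example.com
Current DC:        dc01.corp.example.com
Zone:              corp.example.com/Centrify/Zones/Global
CentrifyDC mode:   connected'

SAMPLE_DZINFO='User: jdoe
Zone: Global
Role Name               Avail  Restricted Env
----------------------  -----  --------------
UNIX Login              Yes    None
require MFA for login   Yes    None'

# Live check: run the real agent commands and feed their output to the parsers.
run_live() {
    adinfo | check_join "$1" "$2" && dzinfo "$3" | check_roles
}

# Use the live commands when the agent is present; otherwise exercise the samples.
if command -v adinfo >/dev/null 2>&1; then
    run_live "${DOMAIN:-corp.example.com}" "${ZONE:-Global}" "${USER_TO_CHECK:-jdoe}"
else
    printf '%s\n' "$SAMPLE_ADINFO" | check_join corp.example.com Global
    printf '%s\n' "$SAMPLE_DZINFO" | check_roles
fi
```

On a real host, run it as `DOMAIN=yourdomain ZONE=YourZone USER_TO_CHECK=someuser sh verify-join.sh`; a non-zero exit with the printed reason tells you which of the earlier steps to revisit before attempting the MFA login.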