HYPR Linux PAM
Linux pluggable authentication modules (PAM) enable administrators to configure users’ authentication experiences. This document provides a method to require HYPR authentication—including YubiKey compatibility—when connecting via ssh/scp using Linux PAM libraries.
Creating an operational HYPR Linux PAM involves at minimum the following stages:
- Installation
  - Get the installation files
  - Run the installation
- Configuration
  - HYPR PAM configuration
  - Linux PAM configuration
  - Linux SSH configuration
As long as the user in question is added to the Application in question using the HYPR Control Center, the above stages will enable HYPR authentication when ssh or scp is used to or from a device with the HYPR Linux PAM installed.
Other options include:
- Bypassing HYPR authentication
- Linux SSH key authentication
- Linux password authentication
- Username aliases
- YubiKey Interoperability
  - Install the YubiKey Linux PAM
  - Configure the YubiKey Linux PAM
  - Making it work with HYPR Linux PAM
- Building the HYPR Linux PAM
  - Build the shared library
  - Integrity checks
Installation
HYPR Linux PAM may be installed via standard RPM or DEB packages. It has been tested and found operational on the following platforms:
Be sure to make backups of any files that you edit during the process.
To monitor the logs and progress of tasks while installing HYPR Linux PAM, we suggest opening a second terminal window and keeping it open throughout the entire process with the affected log files open in the window as they are being written.
Get HYPR Linux PAM
Contact HYPR Support to get your own copy of the HYPR Linux PAM.
Run the Installation
Run the following commands to install the package you are using, substituting the version for the download you have obtained:
- RedHat, CentOS, Fedora, and similar
  - x86_64 architecture: `sudo yum localinstall -y hypr-pam-x.y-z.x86_64.rpm`
  - aarch64 (arm64) architecture: `sudo yum localinstall -y hypr-pam-x.y-z.aarch64.rpm`
- Ubuntu, Debian, Kali, Mint, and similar
  - x86_64 architecture: `sudo dpkg --install hypr-pam_x.y-z_amd64.deb`
  - aarch64 (arm64) architecture: `sudo dpkg --install hypr-pam_x.y-z_arm64.deb`
- openSUSE and similar
  - x86_64 architecture: `sudo zypper install hypr-pam-x.y-z.x86_64.rpm`
  - aarch64 (arm64) architecture: `sudo zypper install hypr-pam-x.y-z.aarch64.rpm`
Configuration
The pam_hypr module is a Linux pluggable authentication module (PAM) responsible for Linux user authentication via HYPR authentication. It is implemented in the pam_hypr.so shared library created during Build the Shared Library, above.
Configuration consists of three main steps:
- HYPR PAM Configuration (/etc/security/pam_hypr.conf).
- Linux PAM Configuration (/etc/pam.d).
- Linux SSH Configuration (/etc/ssh/sshd_config).
Configuration Keywords
Below are details of the contents of the pam_hypr.conf configuration file. Each line contains one or more keywords followed by one or more values, each separated by one or more spaces (or tabs). Lines beginning with '#' are ignored completely.
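
A linter for this file format, as an added example that is not HYPR's own code: it parses lines the way the paragraph above describes and checks them against the keywords in the table on this page. Treating the first token as the keyword and the rest of the line as its value, requiring an https base URL, and flagging group/other file permissions are assumptions of the example.

```python
import os
import stat

# Keyword sets copied from the table on this page.
REQUIRED = {"auth_access_token", "api_base_url", "api_auth_endpoint", "app_id"}
NUMERIC = {"poll_max_time_seconds", "poll_interval_seconds", "timeout_milliseconds"}
KNOWN = REQUIRED | NUMERIC | {"api_access_token", "login_message"}

def parse_conf(text):
    """Parse 'keyword value' lines; blank lines and lines starting with '#' are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # first run of spaces/tabs separates keyword and value
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def lint(settings, mode=None):
    """Return findings for parsed settings and, optionally, the file's st_mode."""
    findings = [f"missing required keyword: {k}" for k in sorted(REQUIRED - set(settings))]
    findings += [f"keyword not in the page's table: {k}" for k in sorted(set(settings) - KNOWN)]
    for key in sorted(NUMERIC & set(settings)):
        value = settings[key]
        if not (value.isascii() and value.isdigit()):
            findings.append(f"{key} must be a non-negative integer, got {value!r}")
    url = settings.get("api_base_url", "")
    if url and not url.startswith("https://"):
        findings.append("api_base_url is not an https:// URL")
    # Assumption: the file holds access tokens, so any group/other bit is reported.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {stat.S_IMODE(mode):o} grants group/other access to tokens")
    return findings

def lint_file(path="/etc/security/pam_hypr.conf"):
    with open(path) as fh:
        return lint(parse_conf(fh.read()), os.fstat(fh.fileno()).st_mode)

# Constructed sample adapted from the page's example values (http URL, bad interval).
SAMPLE = """\
# HYPR PAM settings
auth_access_token\tb284ad3f-401c-32f7-813f-12a5c7d9e034
api_base_url   http://hypr.highlandsbank.com
app_id HYPRDefaultApplication
poll_interval_seconds two
"""

if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE), mode=0o100644):
        print(finding)
```

Run `lint_file()` as root against the installed file; an empty list means every check passed.
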
Keywords | Requirement | Value |
---|---|---|
auth_access_token | Required | Used for authentication, this HYPR access token is associated with the HYPR application identified by the app_id property in this configuration. Ex: b284ad3f-401c-32f7-813f-12a5c7d9e034 |
api_access_token | Optional | Used only for managing username aliases, this HYPR access token is associated with the HYPR Control Center controlCenterAdmin application. |
api_base_url | Required | The base URL for the HYPR authentication API. Ex: https://hypr.highlandsbank.com |
api_auth_endpoint | Required | The endpoint for the HYPR authentication API. Default value: /rp/api/oob/client/authentication |
app_id | Required | The HYPR authentication API ID. Ex: HYPRDefaultApplication |
poll_max_time_seconds | Optional | The total number of seconds to wait for a user response when doing HYPR authentication response polling. Default value: 60 |
poll_interval_seconds | Optional | The number of seconds to wait between each polling for a user HYPR authentication response. Default value: 2 |
timeout_milliseconds | Optional | The number of milliseconds before timing out to allow for each HYPR authentication service (HTTPS) request. If set to 0 the system default as implemented by libcurl is used. Default value: 20000 (20 seconds) |
login_message | Optional | If enabled the message following this keyword will be displayed on the command line (stdout) on successful connection to the server. Within this message the following variables may be used to generate dynamic content: • %login – The Linux login |