Luminate Secure Access Cloud (TM) provides various authentication mechanisms for Zero Trust access to SSH Servers. The details of the basic configuration for access to SSH Servers are described in this article, while the support for various keyboard-interactive authentication schemes is described in this article.

Current article deals with access to SSH Servers using Pluggable Authentication Modules (PAMs).

The reasons for providing access via Luminate Secure Access Cloud (TM) and using Pluggable Authentication Modules could be the following:

  • Migration from an existing configuration using PAMs
  • Desire to strengthen the authentication model delivered by Luminate even further, by providing an additional out-of-band authentication factor

In this article, we will demonstrate the required configuration and the resulting end-user experience for provisioning SSH access using Google Authenticator PAM.

Here is the step-by-step configuration procedure:

  1. Configure SSH access to the relevant server(s) using the procedure described in described in this article
  2. Configure the Google Authenticator PAM on the server, using steps described in this DigitalOcean article. (Please note, that additional article, such as this article or this article provide only partial solution that still allows password login). Additionally, please note, that these articles provide steps for Ubuntu Linux. If using a different Linux Distribution or Operating System, please look up the relevant reference, for example, such as this guide for FreeBSD.
  3. When logging in to the SSH server using Luminate, either using the One-Time Token (as in the below example) or using Luminate SSH Keys, the SSH client will be required to complete the additional step by entering a Verification Code: