The PAM Multi-Party Authentication Module (pam-mpa) can be used to require multiple local users to authenticate to authorize access to a single account.
For example, in an environment where root access must be authorized by two people, pam-mpa can be configured to require two users (Alice & Bob) to authenticate to authorize root to log in.
$ ssh root@mpa-system.lan
authorizer [1 of 2]: alice
password [1 of 2]:
authorizer [2 of 2]: bob
password [2 of 2]:
Last login: Fri Jan 1 00:00:00 1970 from other-host
pam-mpa is licensed under the MIT license. See the LICENSE file for details.
- pam-mpa can only authorize using local users
- authorizer accounts must exist in /etc/passwd & /etc/shadow
For now, pam-mpa must be built from sources, and manually instatlled.
The following packages are required to build pam-mpa on rhel-7:
- gcc
- make
- pam-devel
cd src/
makeTo install the pam-mpa copy pam_mpa.so from the src/ directory into the pam
module directory.
# on RHEL-7
sudo install -o root -g root -m 755 pam_mpa.so /lib64/security/pam_mpa.soThe following options are supported for the pam-mpa module:
usersfile=<path>Users file to use for authorization- See Users File Format below
debugEnable debugging output to syslog
The users file specifies the authorizers, and how many authorizers are
required to log in as a given user. Each login may only be listed once.
<login>:<required>:<authorizer_0>,<authorizer_1>[,...,<authorizer_n>]loginis the account that requires multiple authorizersrequiredis the number of authorizers required to authenticateauthorizer_*is a list of possible authorizers
NOTE Authorizors must have valid local accounts, with passwords in
/etc/shadow.
The following section describe a full configuration for pam-mpa on a RHEL-7 system. The directions should be the same for Centos-7.
Update auth blocks in /etc/pam.d/password-auth and /etc/pam.d/system-auth
to try pam_mpa.so before pam_unix.so.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [success=done ignore=ignore default=die] pam_mpa.so usersfile=/etc/pam_mpa.usersfile debug
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.soAdd to the usersfile specified in the pam configuration any users that should
require multiple authorizers. Format of the usersfile is:
# /etc/pam_mpa.usersfile
root:2:alice,bob,charlie
Contributions are welcome in the form of a pull-request.
Before sumitting changes, ensure all of the existing tests pass, and add additional tests for new functionality.
WARNING: The tests should ONLY be run on a non-production system, on a private network, that is not already configured to use pam-mpa. The tests temporarily add users to /etc/passwd & /etc/shadow, and will modify the local pam configuration.
Do not run the tests on a production system.
To run the tests, you need:
- root access on a non-production system
- system must not be configured for pam-mpa
- the
pamtesterutility installed
To run the tests:
cd tests/
./test-pam_mpa.sh