Skip to content
UFP Identity PAM module
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

UFP Identity PAM module


The UFP Identity PAM module provides integration of the UFP Identity service into your existing user authentication infrastructure. PAM is used by Linux/BSD, Solaris and Mac OS X for user authentication to various services such as SSH, login, and sudo.


After acquiring the source, and the required dependencies, you can build with:

make clean
export LIBDIR=/lib/i386-linux-gnu ; sudo make install

That will install into /lib/i386-linux-gnu/security (n.b. change the directory for your multi-arch setup)

Then you need to get credentials for accessing the UFP Identity service. Please read Getting Started for an overview. Make sure to have an ASCII representable key for your private key. And make sure to carefully think about the CN you use. For a large number of machines you may want a base domain like, rather than,, etc. On a Linux machine it is recommended to keep your private keys in /etc/ssl/private and your certificates in /etc/ssl/certs. You will also need our truststore somewhere (/etc/ssl/certs is good).

n.b. /etc/ssl/private is a restricted directory. Make sure you understand and configure appropriate permissions for access to files in there.

You can test with the check_user application. Configure the check_user service with a file called check_user in /etc/pam.d/ The contents of the file look like:

# check authorization
auth    required cert=<certificate_file> passphrase=<keypass>  key=<key_file> truststore=<truststore_file>
account required

Compile the check_user application like:

gcc -o check_user check_user.c -lpam -lpam_misc

Make sure the check_user application is run with permissions to access the file(s) in /etc/ssl/private

sudo ./check_user

To configure ssh modifiy the /etc/pam.d/sshd (n.b. do this from a console to ensure that access is not compromised) Comment out the line that includes common-auth (we no longer want pam_unix to check against /etc/passwd). Under that line add the configuration for UFP Identity

auth    required cert=<certificate_file> passphrase=<passphrase> key=<key_file> truststore=<truststore_file>

Then some modifications to /etc/ssh/sshd_config are required including:

ChallengeResponseAuthentication yes
PasswordAuthentication no 
UsePAM yes

Restart sshd and try it out.

Integrate and enroll and we'll send you a free Yubico or you can use our iOS OATH app

You can’t perform that action at this time.