The Pluggable Authentication Module (PAM) is an authentication tool that allows you to use the sudo command with Jamf Connect Login. PAM is included in all installations of Jamf Connect Login and stored on computers in the following location:
To enable PAM, complete the following steps:

1. (Okta Only) Execute the following authchanger command to enable PAM authentication with Jamf Connect Login:

2. Add the following preference keys to your Jamf Connect Login configuration profile:

   Pluggable Authentication Module (PAM)

   Specifies your Identity Provider (IdP) for use with PAM.

   The Client ID of the created app in your IdP used to authenticate the users.

   The Redirect URI used by the created app in your IdP.

   Specifies which tenant in your IdP to use with PAM.
   Note: If Okta is your IdP, this key is required.

   The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.

3. In Terminal, open the PAM configuration file for sudo by executing the following command:

       sudo vi /etc/pam.d/sudo

4. Enter your local password.

5. Enter edit mode, and then add the following entry:

       auth sufficient pam_saml.so

   Note: A warning may display when attempting to edit a read-only file. Continue to edit the file, and then refer to step 6 to save your changes.

6. Press the Escape key to exit the editor mode, and then write and quit the read-only file by executing the following command at the bottom of the Terminal window:

   Note: Your cursor should automatically move to the bottom of the Terminal window after you exit editor mode.
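
To confirm that the edit to the sudo PAM file was saved as intended, the following added example (not part of Jamf's documentation or tooling) parses a PAM service file and reports whether an uncommented "auth sufficient pam_saml.so" rule is present and where it sits among the auth rules. The function name pam_saml_status and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Jamf code): audit a PAM service file for the
# "auth sufficient pam_saml.so" entry. pam_saml_status is a hypothetical helper.
# Prints one of:
#   active:N            uncommented entry found; it is the Nth auth rule
#   wrong-control:FLAG  pam_saml.so is an auth rule, but not "sufficient"
#   commented           pam_saml.so appears only on a commented-out line
#   missing             no pam_saml.so auth rule at all
pam_saml_status() {
    awk '
        /^[ \t]*#/ {                       # comment line: remember, then skip
            if ($0 ~ /pam_saml\.so/) commented = 1
            next
        }
        NF >= 3 && $1 == "auth" {          # fields: type, control flag, module
            n++
            if ($3 ~ /(^|\/)pam_saml\.so(\.[0-9]+)?$/) {
                if ($2 == "sufficient") { found = 1; print "active:" n; exit }
                wrong = $2
            }
        }
        END {
            if (found) exit
            if (wrong != "") print "wrong-control:" wrong
            else if (commented) print "commented"
            else print "missing"
        }
    ' "$@"
}

# Constructed sample of an edited sudo PAM file (not copied from a real Mac).
pam_saml_status <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_saml.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
EOF
```

To check a real computer, pass the file as an argument: pam_saml_status /etc/pam.d/sudo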
Authenticating with PAM
After PAM is enabled, you can use the sudo command to authenticate with your cloud identity provider (IdP).
In Terminal, execute any sudo command, such as the following:
Your IdP's login window should appear. Enter your username and password to authenticate.
Note: If you close the login window, you will be prompted to enter your password in Terminal instead.
Once authenticated, the sudo command should complete in Terminal.