Pluggable Authentication Module (PAM)

The Pluggable Authentication Module (PAM) is an authentication tool that allows you to use the sudo command with Jamf Connect Login. PAM is included in all installations of Jamf Connect Login and stored on computers in the following location:

/usr/local/lib/pam/pam_saml.so.2

Important: It is recommended that you first test the following workflows in an environment other than your production environment.

Enabling PAM

To allow users to authenticate sudo commands with their network credentials rather than entering a local administrator password at the command line, complete the following steps:

  1. (Okta Only) Execute the following authchanger command to enable PAM authentication with Jamf Connect Login:

    /usr/local/bin/authchanger -DefaultJCRight

  2. Add the following preference keys to your Jamf Connect Login configuration profile:

    Pluggable Authentication Module (PAM) Settings

    Key: AuthUIOIDCProvider
    Name: Identity Provider (PAM)
    Description: Specifies the identity provider to use for authentication via the Pluggable Authentication Module (PAM).
    Example:
      <key>AuthUIOIDCProvider</key>
      <string>insert-identity-provider</string>

    Key: AuthUIOIDCClientID
    Name: Client ID (PAM)
    Description: The client ID of the Jamf Connect app created in your identity provider, used for authentication via PAM.
    Example:
      <key>AuthUIOIDCClientID</key>
      <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

    Key: AuthUIOIDCRedirectURI
    Name: Redirect URI (PAM)
    Description: The redirect URI used by the Jamf Connect app created in your identity provider.
    Example:
      <key>AuthUIOIDCRedirectURI</key>
      <string>https://127.0.0.1/jamfconnect</string>

    Key: AuthUIOIDCTenant
    Name: Tenant ID (PAM)
    Description: The tenant in your identity provider used for authentication via PAM.
    Note: If Okta is your IdP, this key is required.
    Example:
      <key>AuthUIOIDCTenant</key>
      <string>dev-123456</string>

    Key: AuthUIOIDCClientSecret
    Name: Client Secret (PAM)
    Description: The client secret of your Jamf Connect app in your IdP. This value is only known by Jamf Connect and your IdP.
    Example:
      <key>AuthUIOIDCClientSecret</key>
      <string>9fcc52c7-ee36-4889-8517-lkjslkjoe23</string>

  3. In Terminal, open the PAM configuration file for sudo by executing the following command:

    sudo vi /etc/pam.d/sudo

  4. Enter your local password.

  5. Enter edit mode and do one of the following:

    Note: A warning may display when attempting to edit a read-only file. Continue to edit the file, and then refer to step 6 to save your changes.

    1. To allow (but not require) network authentication for sudo commands, add the following entry:

      auth sufficient pam_saml.so

    2. To require network authentication for sudo commands, do the following:

      1. Add the following entry:

        auth required pam_saml.so

      2. Comment out the pam_opendirectory.so entry by adding a pound symbol (#) at the beginning of that line.

  6. Press the Escape key to exit edit mode, and then write and quit the read-only file by entering the following command at the bottom of the Terminal window:

    :wq!

    Note: Your cursor should automatically move to the bottom of the Terminal window after you exit editor mode.
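The following shell script is an added example and is not part of Jamf's documentation or of Jamf Connect itself. It audits a copy of the sudo PAM stack produced by steps 5 and 6 and reports which mode is in effect. Beyond the two cases in step 5, it flags the case where auth required pam_saml.so was added but pam_opendirectory.so was left active (PAM then needs both the IdP login and the local password to succeed), and the case where a sufficient pam_saml.so line sits below pam_opendirectory.so (PAM evaluates modules top to bottom, so the required local password check runs first and the IdP login cannot stand in for it). It also checks that the module file named at the top of this page, /usr/local/lib/pam/pam_saml.so.2, is owned by root and not group- or world-writable, since sudo loads it as root. The sample stacks it writes are constructed to resemble the default macOS /etc/pam.d/sudo and are not copied from any real system; all function names are the example's own.

```shell
#!/bin/sh
# Added example (not Jamf's tooling): audit the sudo PAM stack built in steps 5-6.
# Real use:  sudo_pam_audit /etc/pam.d/sudo
#            pam_module_ok /usr/local/lib/pam/pam_saml.so.2

# Line number of the first active (uncommented) "auth" line that loads module $2
# in PAM file $1, or 0 when there is none. A line commented out as in step 5.2
# starts with "#auth", so the first-field comparison skips it.
pam_line_no() {
    n=$(awk -v mod="$2" '$1 == "auth" && $3 == mod { print NR; exit }' "$1")
    echo "${n:-0}"
}

# Control flag (sufficient, required, ...) on the active pam_saml.so auth line,
# or "absent" when the module is not configured.
pam_saml_control() {
    c=$(awk '$1 == "auth" && $3 == "pam_saml.so" { print $2; exit }' "$1")
    echo "${c:-absent}"
}

# Classify the stack in file $1. Only the two lines the procedure touches are
# examined; other modules in the stack (for example pam_smartcard.so) are ignored.
#   not-enabled          no active pam_saml.so line (step 5 not done)
#   optional             sufficient pam_saml.so above pam_opendirectory.so (step 5.1):
#                        IdP login is tried first, local password stays as fallback
#   optional-misordered  sufficient pam_saml.so BELOW pam_opendirectory.so: the
#                        required local password check runs first, so the IdP
#                        login cannot replace it
#   sufficient-only      sufficient pam_saml.so with pam_opendirectory.so removed:
#                        no local password fallback remains
#   required             required pam_saml.so, pam_opendirectory.so commented out (step 5.2)
#   required-both        required pam_saml.so with pam_opendirectory.so still active:
#                        both the IdP login and the local password must succeed
#   unexpected           any other control flag on the pam_saml.so line
sudo_pam_audit() {
    ctl=$(pam_saml_control "$1")
    saml_ln=$(pam_line_no "$1" pam_saml.so)
    od_ln=$(pam_line_no "$1" pam_opendirectory.so)
    case "$ctl" in
        absent) echo not-enabled ;;
        sufficient)
            if [ "$od_ln" -eq 0 ]; then echo sufficient-only
            elif [ "$saml_ln" -gt "$od_ln" ]; then echo optional-misordered
            else echo optional; fi ;;
        required)
            if [ "$od_ln" -eq 0 ]; then echo required; else echo required-both; fi ;;
        *) echo unexpected ;;
    esac
}

# Exit status 0 only when the module file $1 exists, is owned by root and is not
# writable by group or others. sudo loads the module as root, so a file that a
# non-root user can replace undermines every sudo authentication on the machine.
# ls -l is used instead of stat because stat's flags differ between macOS and Linux.
pam_module_ok() {
    [ -f "$1" ] || return 1
    line=$(ls -ld "$1") || return 1
    [ "$(echo "$line" | awk '{ print $3 }')" = root ] || return 1
    [ "$(echo "$line" | cut -c6,9)" = "--" ]
}

# Constructed sample stacks shaped like the default macOS /etc/pam.d/sudo (not
# copied from a real system). $1 = variant name, $2 = output path.
write_sample() {
    {
        printf '# sudo: auth account password session\n'
        printf 'auth       sufficient     pam_smartcard.so\n'
        case "$1" in
            optional)   printf 'auth       sufficient     pam_saml.so\n'
                        printf 'auth       required       pam_opendirectory.so\n' ;;
            required)   printf 'auth       required       pam_saml.so\n'
                        printf '#auth      required       pam_opendirectory.so\n' ;;
            misordered) printf 'auth       required       pam_opendirectory.so\n'
                        printf 'auth       sufficient     pam_saml.so\n' ;;
            *)          printf 'auth       required       pam_opendirectory.so\n' ;;
        esac
        printf 'account    required       pam_permit.so\n'
        printf 'password   required       pam_deny.so\n'
        printf 'session    required       pam_permit.so\n'
    } > "$2"
}

# Demo: audit each constructed variant.
tmp=$(mktemp -d)
for v in default optional required misordered; do
    write_sample "$v" "$tmp/sudo.$v"
    printf '%-11s %s\n' "$v" "$(sudo_pam_audit "$tmp/sudo.$v")"
done
rm -rf "$tmp"
```

To check a real computer, source the script and call sudo_pam_audit /etc/pam.d/sudo and pam_module_ok /usr/local/lib/pam/pam_saml.so.2; the loop at the bottom only exercises the constructed variants, which come out as not-enabled, optional, required and optional-misordered respectively.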

Authenticating with PAM

After PAM is enabled, you can use the sudo command to authenticate with your cloud identity provider (IdP).

  1. In Terminal, execute any sudo command, such as the following:

    sudo -s

    The IdP login window appears.

  2. Enter your network username and password to authenticate.

    Note: If you configured network authentication to be sufficient but not required, closing the login window will cause macOS to prompt you to enter your password in Terminal instead. If you configured network authentication to be required, closing the login window will cause authentication to fail.

    Once authenticated, the sudo command should complete in Terminal.

© copyright 2002-2020 Jamf. All rights reserved.