________  ________  ________  ________  ________  ________  ________ 
 ╱        ╲╱        ╲╱    ╱   ╲╱        ╲╱    ╱   ╲╱        ╲╱    ╱   ╲
╱        _╱    ╱    ╱         ╱         ╱         ╱    ╱    ╱         ╱
╱       ╱╱        _╱         ╱       --╱╲__      ╱         ╱         ╱ 
╲_____╱╱ ╲____╱___╱╲________╱╲________╱   ╲_____╱╲___╱____╱╲__╱_____╱  

OCI – Deploy Linux Pam Module [Part 4]

The Linux PAM module can be downloaded from the OCI cloud portal and needs to be manually deployed to endpoints within OCI. You will need the client ID and secret from the confidential application deployed in the last part of this series. (Contoso – Linux PAM – Authentication App)

Download and Deploy the Linux PAM Module

1. In the OCI tenant portal, open Identity & Security from the top left menu and click Domains

2. Select your identity domain

3. Select Settings on the left

4. Select Downloads on the left. Search for the Linux PAM module and click Download

5. Extract the .zip file and copy the two files to /tmp on the destination host within OCI.

  • pam_cloud.rpm
  • authn_oracle_cloud.rpm

6. On the OCI Linux host, install json-c and curl dependencies

yum install json-c curl -y

7. Change to the /tmp directory (cd /tmp) and install the two PAM rpms

yum install pam_oracle-cloud.rpm authn-oracle-cloud.rpm -y

8. Create a wallet with the OCI Confidential application ID and Secret

walletMgr add /etc/opc-wallet client_id <client_id>
walletMgr add /etc/opc-wallet client_secret <client_secret>

9. Install the sssd service if not already available

yum install sssd -y

10. Set sssd.conf permissions

chown root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

11. Edit sssd.conf to reflect the following. Each option belongs to an sssd.conf section; the section headers are shown here explicitly because SSSD will not load options that sit outside a section.

[sssd]
config_file_version = 2
services = nss, pam
### domains specify the lookup order,
### which should always be LOCAL and then IDCS.
domains = LOCAL,IDCS

[nss]
# Backfill cache at 75%, do not cache bad lookups, no in-mem cache
entry_cache_nowait_percentage = 75
### 1 hour caching for non-existent users
entry_negative_timeout = 3600
fallback_homedir = /home/%u
default_shell = /bin/sh

[pam]
# Offline 1 day
offline_credentials_expiration = 1
pam_id_timeout = 600

[domain/LOCAL]
# Prior to 1.15, must use older files provider
id_provider = proxy
proxy_lib_name = files
# Disable authentication, files provider
# always provides local access, enumerate files
auth_provider = none
access_provider = permit
enumerate = true

[domain/IDCS]
re_expression = (?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
auth_provider = proxy
id_provider = proxy
proxy_lib_name = oracle_cloud
proxy_pam_target = sssd_proxy_oracle_cloud
enumerate = false
cache_credentials = true
# Default cache timeout 90 mins for user/group info entries,
# before it reaches out to IDCS for new updates
entry_cache_timeout = 5400

12. Ensure /etc/pam.d/sssd_proxy_oracle_cloud exists with the following content

auth          required      pam_oracle_cloud.so
account       required      pam_oracle_cloud.so
password      required      pam_oracle_cloud.so
session       required      pam_oracle_cloud.so

13. Edit /etc/pam.d/sshd and add the pam_oracle_cloud module

  • Add the line below directly after "auth substack password-auth" (line 3 of the file):

auth sufficient pam_oracle_cloud.so

14. Search for "ChallengeResponseAuthentication" in /etc/ssh/sshd_config and change its value to "yes". Add the property if it does not exist in the file.

ChallengeResponseAuthentication yes

15. Update /etc/opc.conf to reflect the following configuration

  • Update base_url with the domain IDCS URL

#This is a sample format of the opc.conf file; use the correct information for your tenancy to configure this file.
#Enter the Oracle Identity Cloud Service tenancy base URL.
base_url = <DOMAIN_URL>
#There is no need to change the value of scope.
scope = urn:opc:idm:__myscopes__
#Enter the location of the wallet.
wallet_location = /etc/opc-wallet
#Enter the log level; this is optional and the default is 0, which means no log. 0 - None, 1 - Error, 2 - Info, 3 - Debug.
log_level = 0
#Enter the log file path; this is optional and defaults to /var/log/opc/pam_nss.log
log_file_path = /var/log/opc/pam_nss.log
#Enter the value for proxy usage to connect to Oracle Identity Cloud Service.
#Set the value to 1 to use a proxy and 0 to not use a proxy.
#Enter the information below if you set: use_proxy=1
#Enter the proxy url
#Enter the proxy port
#proxy_port=80
#Enter the username to connect to the proxy url.
#Enter the password of the username to connect to the proxy url.

16. Restart the SSSD and SSHD services

authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablepamaccess --update
service sshd restart
service sssd restart

17. Confirm connectivity to IDCS by running id against a synced user object

id username
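Steps 8 through 15 touch five files, and a mistake in any one of them (wrong mode on sssd.conf, the PAM line in the wrong place, ChallengeResponseAuthentication left at no, a placeholder still in opc.conf) leaves password-only or broken logins rather than a visible error. The script below is an added example, not Oracle's tooling or part of the original post: it audits those settings against a filesystem root so it can be run on the live host ("/") or, for testing, against a staged copy. The section names it reads ([domain/IDCS]), the PAM target sssd_proxy_oracle_cloud and the opc.conf keys come from the steps above; the sample tenancy URL in stage_sample_tree is a constructed placeholder, and the https:// requirement on base_url is an assumption added here as a hardening check, not something the post states.

```shell
#!/bin/sh
# Post-deployment audit for the OCI Linux PAM module settings in steps 8-15.
# Added example, not Oracle's tooling. ROOT is the filesystem root to inspect
# ("/" on a live host, or a staged copy for offline testing).

# file_mode PATH -> octal permission bits (GNU stat, with BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION] ("" = no section)
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/   { sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec); next }
        sec == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# sshd_value ROOT KEY -> first uncommented value (sshd uses the first match;
# Match blocks are not evaluated here)
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1/etc/ssh/sshd_config"
}

# pam_sshd_order_ok ROOT -> 0 when pam_oracle_cloud.so comes after
# "auth substack password-auth" in /etc/pam.d/sshd (step 13)
pam_sshd_order_ok() {
    awk '
        $1 == "auth" && $2 == "substack"   && $3 == "password-auth"       && !s { s = NR }
        $1 == "auth" && $2 == "sufficient" && $3 == "pam_oracle_cloud.so" && !m { m = NR }
        END { exit !(s && m && m > s) }' "$1/etc/pam.d/sshd"
}

# check_pam_deploy ROOT -> 0 if every check passes, 1 otherwise
check_pam_deploy() {
    root=${1:-/}; root=${root%/}; rc=0
    sssd="$root/etc/sssd/sssd.conf"
    [ -f "$sssd" ] || { echo "FAIL: $sssd missing"; return 1; }
    mode=$(file_mode "$sssd")
    [ "$mode" = "600" ] || { echo "FAIL: $sssd mode $mode, expected 600 (step 10)"; rc=1; }
    target=$(ini_get "$sssd" "domain/IDCS" proxy_pam_target)
    if [ -z "$target" ]; then
        echo "FAIL: no proxy_pam_target in [domain/IDCS] (step 11)"; rc=1
    elif ! grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_oracle_cloud\.so' \
            "$root/etc/pam.d/$target" 2>/dev/null; then
        echo "FAIL: /etc/pam.d/$target lacks 'auth required pam_oracle_cloud.so' (step 12)"; rc=1
    fi
    pam_sshd_order_ok "$root" ||
        { echo "FAIL: pam_oracle_cloud.so missing or placed before 'auth substack password-auth' in /etc/pam.d/sshd (step 13)"; rc=1; }
    cra=$(sshd_value "$root" ChallengeResponseAuthentication | tr 'A-Z' 'a-z')
    [ "$cra" = "yes" ] || { echo "FAIL: ChallengeResponseAuthentication is '${cra:-unset}', expected yes (step 14)"; rc=1; }
    base=$(ini_get "$root/etc/opc.conf" "" base_url)
    case $base in
        https://*) ;;   # assumption added here: tenancy URL must be https://
        *) echo "FAIL: base_url '$base' is unset, still a placeholder, or not https:// (step 15)"; rc=1 ;;
    esac
    wallet=$(ini_get "$root/etc/opc.conf" "" wallet_location)
    [ -n "$wallet" ] && [ -d "$root$wallet" ] ||
        { echo "FAIL: wallet_location '$wallet' does not exist (step 8)"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: PAM module configuration under ${root:-/} is consistent"; fi
    return "$rc"
}

# stage_sample_tree DIR -> writes a constructed copy of the page's configs
# under DIR so the audit can run offline (sample values, not real tenant data)
stage_sample_tree() {
    d=$1
    mkdir -p "$d/etc/sssd" "$d/etc/pam.d" "$d/etc/ssh" "$d/etc/opc-wallet"
    printf '%s\n' '[sssd]' 'domains = LOCAL,IDCS' '[domain/IDCS]' \
        'proxy_lib_name = oracle_cloud' 'proxy_pam_target = sssd_proxy_oracle_cloud' > "$d/etc/sssd/sssd.conf"
    chmod 600 "$d/etc/sssd/sssd.conf"
    printf '%s\n' 'auth          required      pam_oracle_cloud.so' \
        'account       required      pam_oracle_cloud.so' > "$d/etc/pam.d/sssd_proxy_oracle_cloud"
    printf '%s\n' '#%PAM-1.0' 'auth       required     pam_sepermit.so' \
        'auth       substack     password-auth' 'auth       sufficient   pam_oracle_cloud.so' > "$d/etc/pam.d/sshd"
    printf '%s\n' 'ChallengeResponseAuthentication yes' > "$d/etc/ssh/sshd_config"
    printf '%s\n' '#constructed sample, not a real tenancy URL' \
        'base_url = https://idcs-EXAMPLE.identity.oraclecloud.com' \
        'wallet_location = /etc/opc-wallet' > "$d/etc/opc.conf"
}

# Usage: sh audit.sh /        (live host)   |   sh audit.sh --demo  (staged sample)
case "${1:-}" in
    --demo) tmp=$(mktemp -d); stage_sample_tree "$tmp"; check_pam_deploy "$tmp"; rm -rf "$tmp" ;;
    "") ;;
    *) check_pam_deploy "$1" ;;
esac
```

Run it as root on the host after step 16 so the sssd.conf mode check reflects the real file; the --demo mode only proves the checks themselves behave. It deliberately inspects files rather than calling id, so it can be run before sshd is restarted and does not depend on reaching IDCS.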