Azure Smartlabs at Microsoft Johannesburg – Part 2 – Azure Active Directory to Authenticate on Linux

Authenticate PAM with AAD Connect.

  • With a script found on GitHub, written by this guy, we are able to allow the PAM authentication system on Linux to send authentication requests to Azure AD, letting us manage authentication across all our Linux machines anywhere. They do not need to be hosted in Azure.
  • The script only needs http access out, nothing is required to come back in on the Firewall.
  • The script can be deployed after the creation of the VM automatically using custom extension scripts.

Requirements for AAD authentication to work

  • Make sure that your server has access to the internet: it needs to reach your AAD and to install specific packages, unless you have added them to your image. You can lock this down later.
  • Install npm and nodejs on the server (git is optional)
  • aad-login files from GitHub
  • Client-ID or App-ID created inside the Azure Active Directory
  • Users in Azure Active Directory (the password cannot have the reset flag active); they will need to log in to the Azure portal via the web and reset their password first.

Here is a brief look at the install process

  1. Connect to the Linux server you want to auth on. I just used a test VM in Azure. I used Ubuntu for this example. I am sure you will follow along with the commands, I am not going to spoon feed it.
  2. You need to create an app inside Azure and get the application key. The application is not going to do anything really except pass auth requests through to AAD.

    ssh -l "user"
    apt-get update
    apt-get upgrade
    apt-get install npm
    npm install azure-cli -g
    ln -s /usr/bin/nodejs /usr/bin/node
    vim parameters.txt    # <<-- the parameters (application key) go in here
    apt-get install git nodejs npm
    git clone
    cd aad-login/
    mkdir /opt/aad-login
    cp aad-login.js package.json /opt/aad-login/
    cp aad-login /usr/local/bin
    cd /opt/aad-login/
    npm install
    vim aad-login.js
    vim /etc/pam.d/common-auth
    useradd -m linuxguy
    vim /etc/ssh/sshd_config
    service sshd restart
    service ssh restart
    vi /etc/sudoers
    adduser -m otherdude
    useradd -m otherdude
    chsh otherdude

As you can see from the commands above, all I did was install the AD config script, edit the parameters for the application key, then make PAM use the script to authenticate.
Once that was done, I restarted the services and added a user. I then gave the user a default shell and voila.
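The post edits common-auth and sshd_config without showing what goes in them, so here is an added pre-flight checker (example code, not part of the post or the aad-login project) that verifies the pieces fit together before you rely on AAD logins. It assumes, as the post does not state, that the wrapper is installed at /usr/local/bin/aad-login and that common-auth invokes it through pam_exec.so with expose_authtok.

```shell
#!/bin/sh
# Added example: pre-flight checks for an aad-login PAM setup. Not the project's own code.
# Assumptions: wrapper at /usr/local/bin/aad-login, called from common-auth via pam_exec.so.

# Succeeds if FILE has an active (uncommented) pam_exec line that runs aad-login with
# expose_authtok; without that option the password never reaches the script.
check_pam_line() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_exec\.so[^#]*expose_authtok[^#]*aad-login' "$1"
}

# Succeeds if FILE still lists pam_unix.so, so local accounts keep working when the
# outbound path to AAD is down instead of locking everyone out.
check_local_fallback() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_unix\.so' "$1"
}

# Succeeds if sshd actually hands passwords to PAM: UsePAM yes and PasswordAuthentication not off.
check_sshd() {
  grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1" &&
    ! grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}

# Succeeds if the wrapper is executable and not world-writable: pam_exec runs it as root
# on every login, so anyone who can edit it controls authentication for the host.
check_wrapper_perms() {
  [ -x "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm -0002)" ]
}

# Stand-alone demo on constructed sample files (not taken from a real system).
demo() {
  pam=$(mktemp); sshd=$(mktemp); wrapper=$(mktemp)
  printf '%s\n' \
    'auth sufficient pam_exec.so expose_authtok /usr/local/bin/aad-login' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$pam"
  printf '%s\n' 'UsePAM yes' 'PasswordAuthentication yes' > "$sshd"
  chmod 755 "$wrapper"
  for c in "check_pam_line $pam" "check_local_fallback $pam" \
           "check_sshd $sshd" "check_wrapper_perms $wrapper"; do
    if $c; then echo "PASS: ${c%% *}"; else echo "FAIL: ${c%% *}"; fi
  done
  rm -f "$pam" "$sshd" "$wrapper"
}
demo
```

Point the functions at the real /etc/pam.d/common-auth, /etc/ssh/sshd_config and wrapper path to check a live box.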
