Authenticate PAM with AAD Connect.
- With a script found on GitHub, written by this guy
We are able to allow the PAM authentication system on Linux to send authentication requests to Azure AD, allowing us to manage authentication across all our Linux machines anywhere. They do not need to be hosted in Azure.
- The script only needs http access out, nothing is required to come back in on the Firewall.
- The script can be deployed after the creation of the VM automatically using custom extension scripts.
Requirements for AAD authentication to work
- Make sure that your server has access to the internet, it needs to get to your AAD and to install specific packages unless you have added them to your image. You can lock this down later.
- Install npm, nodejs on the server (git is optional)
- Aad-login files from GitHub
- Client-ID or App-ID created inside the Azure Active Directory
- Users in Active Directory (password cannot have reset flag active) they will need to login to the azure portal via web and reset their password.
Here is a brief look at the install process
- Connect to your Linux server you want to auth on. I just used a test VM in Azure. I used Ubuntu for this example. I am sure you will follow along with commands, I am not going to spoon feed it.
- You need to create an APP inside Azure and get the application key. The application is not going to do anything really except pass Auth requests through to AAD.ssh -l “user” linux-north-2495425873-pip.northeurope.cloudapp.azure.com
apt-get install npm
npm install azure-cli -g
ln -s /usr/bin/nodejs /usr/bin/node
vim parameters.txt <<— inside here
apt-get instll git nodejs npm
git clone https://github.com/bureado/aad-login.git
cp aad-login.js package.json /opt/aad-login/
cp aad-login /usr/local/bin
useradd -m linuxguy
service sshd restart
service ssh restart
adduser -m otherdude
useradd -m otherdude
As you can see from the commands above, all I did was install the AD config script, edit the parameters for the application key, then make PAM use the script to authenticate.
Once that was done, I then restarted services and added a user. I then gave the user a default shell and VIOLA.