With Azure Active Directory authentication for Linux in preview, this project has been deprecated. Please also note that this project, aad-login, and the package used by the feature mentioned above, aadlogin are not related in any way (well, they both use PAM)
The code was a hacky POC to begin with, and never implemented handling MFA, but it's here as a reference for anyone trying to do PAM with custom scripts, as I'd much rather prefer people to use PAM than to try to write and maintain authentication logic elsewhere.
Allows Linux user authentication to Azure AD via pam_exec for overly simplistic, non-production use cases
- An Azure AD directory has been created, and some users exist
- Node.js and npm are installed in the Linux VM
- A directory application has been created (native client type) and you have the Client ID
- Your PAM distribution has pam_exec.so
This utility doesn't provision the user. In other words, you need to ensure the user
you'll be logging in with is visible by NSS. A simple sudo useradd -m <user> might
be enough for a handful of users.
An exception of this would be the aad-login-self-provisioning script which attempts
to create the user upon a failed getent. This is experimental. Ideally you are doing
this to delegate management of your Linux VMs and therefore will be using groups (like
sudo) to delegate requiring you to provision the user beforehand.
git clone https://github.com/bureado/aad-login
cd aad-login/
sudo npm install
First, open /opt/aad-login/aad-login.js with your favorite editor and put your directory
and client ID in.
Then, open /etc/pam.d/common-auth and add:
auth sufficient pam_exec.so expose_authtok /usr/local/bin/aad-login
ideally at the beginning of your ruleset. Other rules might need to use try_firstpass for
convenience.
CentOS doesn't have common-auth so you need to include this rule in the relevant PAM file,
such as /etc/pam.d/sshd or /etc/pam.d/system-auth.
MFA is not supported.
You might need to adjust the nodejs path on the scripts depending on what you have on your system.
A freshly created user will have a temporary password that has to be changed via the portal. A convenient way to get this done is to visit portal.azure.com (even if you don't have an Azure account) with those credentials and change them before attempting to SSH.
In CentOS 7.x (and other SELinux-enabled distros) you need to disable the policy:
sudo setenforce 0
The self-provisioning beta doesn't guarantee UID consistency across VMs, nor delegates access to groups like sudo. Therefore, an important TODO is to detect group membership.
This is sample code and comes with no warranties.
Tested in Ubuntu 14.04. Any changes to common-auth might result in unexpected behaviour in authentication including multiple password prompts and inability to join with local credentials.