Installing Interlock Plugin for PAM

  • A container or VM with:
    • Ubuntu (>= 24.04) or Debian (>= 12, Bookworm)
  • Dependencies used:
    • python3 (>= 3.11)
    • python3-pampy
    • python3-requests
    • python3-six
    • libpam-python
    • lsb-release
    • sudo
    • bash

Initial Setup

Installing the Interlock Plugin for PAM package is fairly straightforward.

First, add the official repository and install the package with APT.

# Add the Interlock Public GPG Key
apt install gnupg -y
wget -qO - https://brconsulting.info/publickeys/EC86B1E7.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/interlock.gpg

# Add the Interlock Repository
echo "deb [arch=amd64] http://apt-repo.brconsulting.info/interlock/ stable main" > /etc/apt/sources.list.d/interlock.list

# Install the package with the required dependencies
apt update -y
apt install interlock-plugin-pam -y

Configuration

Once the agent is installed, it requires some configuration.

Server

  1. Ensure the LINUX_PAM_AUTH_ENDPOINT_ENABLED option is enabled on your Interlock Backend. Optionally you may enable LINUX_PAM_AUTH_ENDPOINT_ADMIN_ONLY.
  2. Restart the Interlock Backend Service.
  3. Generate a key pair by going to your Interlock installation directory and executing the following commands (the same key pair may be used for any number of clients):

     . venv/bin/activate
     python3 manage.py generate_pam_key

  4. Keep the SEND_ENCRYPTED and RECV_EXPECTED values handy; you'll need them.

Client

  1. Clone this repository to a location of your choice (you may need to install git).
  2. Copy the ./src folder to /usr/share/interlock-plugin-pam.
  3. Edit your /usr/share/interlock-plugin-pam/config.ini config file:
    1. Add your API URL as API_URL=<your-api-url>.
    2. Add the SEND_ENCRYPTED and RECV_EXPECTED values from before.
  4. Add user shell definitions to /usr/share/interlock-plugin-pam/user_shells.ini (see sample file).
  5. You may test authentication with pamtester login $username authenticate (you need to have pamtester installed).
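
A pre-flight check for the client config file from step 3, to run before testing with pamtester. It is an added example, not part of the plugin. It assumes config.ini holds plain KEY=value lines (as in API_URL=<your-api-url>) and GNU stat; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the plugin's client config before use.
# Assumption: config.ini uses plain KEY=value lines.

REQUIRED_KEYS="API_URL SEND_ENCRYPTED RECV_EXPECTED"

# Print the value of key $2 from file $1 (first match, whitespace trimmed).
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the file looks usable, 1 otherwise; findings go to stderr.
check_pam_config() {
    local file="$1" key value mode rc=0
    if [ ! -r "$file" ]; then
        echo "missing or unreadable: $file" >&2
        return 1
    fi
    for key in $REQUIRED_KEYS; do
        value="$(config_value "$file" "$key")"
        case "$value" in
            "")      echo "$key is not set" >&2; rc=1 ;;
            "<"*">") echo "$key still holds a placeholder" >&2; rc=1 ;;
        esac
    done
    # The file carries the SEND_ENCRYPTED / RECV_EXPECTED values, so it
    # should not be group-writable or accessible to "other" (mask 027).
    mode="$(stat -c '%a' "$file")"
    if [ $(( 0$mode & 027 )) -ne 0 ]; then
        echo "mode $mode is too permissive, use chmod 600 or 640" >&2
        rc=1
    fi
    return "$rc"
}

# Run against a path only when one is given on the command line, e.g.
#   ./check.sh /usr/share/interlock-plugin-pam/config.ini
[ $# -eq 0 ] || check_pam_config "$1"
```
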